Marketing automation company Mailchimp has reported that it has been the victim of a social engineering attack-related data breach. This marks the second attack of this kind the company has suffered in less than a year.
The breach took place on January 11 and, according to Mailchimp, involved an “unauthorized actor accessing one of [the] tools used by Mailchimp customer-facing teams for customer support and account administration”.
Following this, the malicious actor launched social engineering attacks on Mailchimp employees and contractors. Through these attacks, the hacker was able to steal employee credentials and then used this login information to gain access to “select Mailchimp accounts”.
Mailchimp reported that the attack was targeted and limited to 133 accounts. In the wake of the attack, Mailchimp suspended access for those accounts compromised in the attack to protect users’ data, and notified the owners of the accounts of the suspicious activity. All those affected were notified by Mailchimp by January 12, and the company has been working with them to safely reinstate their accounts.
We recently learned that Mailchimp, a popular email platform, had a data breach and our account was one of many compromised. We have only used that service a few times, and for limited purposes, but out of an abundance of caution we wanted to share what we know. 🧵👇
— Yuga Labs (@yugalabs) January 19, 2023
Mailchimp has not published any information on the users targeted by the attack; however, evidence suggests that cryptocurrency and finance companies were the intended victims. Yuga Labs, the cryptocurrency company behind the Bored Ape Yacht Club NFT collection, warned its community on January 19 that it had been a victim of the social engineering attack.
In a series of tweets, the cryptocurrency company explained that its account was “one of many compromised” in the attack and specified that, while the company does not frequently use Mailchimp, it wanted to warn its customers out of an “abundance of caution”. The company went on to clarify that while its data may have been accessed, there was currently no evidence that the data had been exported.
This social engineering attack and data breach mirrors a similar attack against the company in March 2022, which also saw cryptocurrency and finance companies targeted.
Mailchimp’s 2022 data breach
On March 26, 2022, Mailchimp was the victim of a data breach following a social engineering attack. The attack saw the hackers gain access to and export data from Mailchimp accounts, which the malicious actors then used to target customers of businesses that used Mailchimp for business-related services.
Mailchimp said that the cyber security incident was “propagated by a bad actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised”.
The bad actor also attempted to send a phishing campaign to a user’s contacts from said user’s account using the information they obtained during the attack.
Mailchimp reported that 319 accounts were viewed and audience data was exported from 102 of those accounts. An investigation revealed that the businesses targeted were those within the cryptocurrency and finance industries.
As a result of the hack, bitcoin hardware wallet maker Trezor suffered a compromise of a newsletter database hosted on Mailchimp. Due to the compromise, its users were targeted by a malicious phishing campaign on April 3, 2022.
This attack used a false claim that Trezor had experienced a “security attack”. It then prompted victims to download a Trezor Suite lookalike app, connect their Bitcoin wallets to it, and enter their seed phrases into the app.
Trezor stated: “For this attack to be successful, users had to install the malicious software on their devices, at which point their operating system should identify that the software comes from an unknown source. This warning should not be ignored as all official software is digitally signed by SatoshiLabs.”
The company went on to say that users should only be concerned about their Bitcoin funds if they had entered their seed phrases into the malicious app.