Email marketing firm Mailchimp confirmed over the weekend that hackers breached an internal tool and used it to access 300 user accounts and steal audience data from 102 of those accounts.
The breach was first disclosed by Trezor (via Bleeping Computer), a company that makes hardware wallets for cryptocurrency. Trezor used Mailchimp to send newsletters to customers.
Following the breach, several customers received phishing emails that appeared to be from Trezor and warned of a “security incident.” The emails prompted users to download a malicious version of Trezor’s app to reset their hardware wallet PIN. If installed, the malicious app could have allowed hackers to steal users’ cryptocurrency.
Mailchimp’s chief information security officer (CISO), Siobhan Smyth, told TechCrunch that the company became aware of the breach on March 26th. Smyth explained that a malicious actor accessed a tool used by its customer support staff and account administration teams through a successful social engineering attack. Social engineering refers to manipulating people and exploiting human error to gain private information, such as login credentials.
“We acted swiftly to address the situation by terminating access for the compromised employee accounts and took steps to prevent additional employees from being affected,” Smyth said in the statement.
Although Mailchimp declined to share with TechCrunch what data hackers accessed in the breach, it did say that the attack targeted customers in the cryptocurrency and finance sectors. Moreover, Mailchimp said that the attackers gained access to API keys for an undisclosed number of customers; those keys potentially allow attackers to send spoofed emails that appear to come from legitimate Mailchimp customers.
Mailchimp says it has disabled those API keys and they can no longer be used. However, Smyth told TechCrunch that the company received reports that hackers used the information they obtained from user accounts to send phishing campaigns to those accounts’ contacts.
Smyth declined to answer TechCrunch’s questions about whether Mailchimp would implement additional security measures. Further, Mailchimp wouldn’t disclose how many other cryptocurrency or finance customers were impacted by the breach.
As it stands, anyone subscribed to newsletters should be on alert for possible phishing scams, especially if subscribed to crypto or finance newsletters. It’s best to avoid clicking any links in emails you receive.
MobileSyrup itself uses Mailchimp for its weekly newsletter but has not seen any indication that it was impacted by the breach.