Mailchimp suffers another data breach after social engineering attack on employees
Email marketing firm is sending emails to 133 accounts with reset instructions
Email marketing firm Mailchimp says it has suffered a data breach in which malicious actors gained access to an internal customer support and account administration tool and viewed the data of 133 customers.
It is Mailchimp's second hack in the last six months, and it appears almost identical to the earlier incident.
The company says it discovered the breach on January 11 when its security team found that an unauthorised actor had gained access to one of the tools used by Mailchimp customer-facing teams for account management and customer support.
"The unauthorized actor conducted a social engineering attack on Mailchimp employees and contractors, and obtained access to select Mailchimp accounts using employee credentials compromised in that attack," reads a statement about the incident on the company's website.
Based on the investigation so far, Mailchimp believes this targeted attack affected 133 Mailchimp accounts. Beyond these accounts, it says there is no indication that the breach affected other customer data or the systems of its parent company, Intuit.
After identifying evidence of the unauthorised actor, Mailchimp temporarily suspended access to the accounts where it had discovered suspicious behaviour.
The firm is emailing affected account holders with instructions for regaining secure access to their Mailchimp accounts.
"We know that incidents like this can cause uncertainty, and we're deeply sorry for any frustration. We are continuing our investigation and will be providing impacted account holders with timely and accurate information throughout the process," the company said.
One of the victims of this hack is the popular WooCommerce eCommerce plugin for WordPress, according to TechCrunch.
WooCommerce said in a statement to customers that it was informed by Mailchimp that the breach may have exposed the names, web store URLs, and email addresses of its customers. WooCommerce said no user passwords or other personal details were stolen in the breach.
While WooCommerce says there is no evidence that the stolen data has been abused, threat actors often use exactly this sort of data (names, store URLs and email addresses) in targeted phishing campaigns to steal passwords or install malware.
In April 2022, Trezor hardware wallet owners said they were receiving fake data breach warnings, which prompted them to download a bogus version of the Trezor Suite software that would steal their recovery seeds.
Trezor said that the mailing list used in the campaign was a Trezor mailing list stolen in a MailChimp hack.
Mailchimp later acknowledged that the breach was more extensive than first reported: threat actors had gained access to 319 Mailchimp accounts and were able to export the audience data of 102 customers. That breach also began with Mailchimp employees falling victim to a social engineering attack.
In August 2022, Mailchimp reported becoming the target of yet another social engineering attack, when the credentials of its customer support employees were hijacked, giving the hacker access to Mailchimp's internal tools. A total of 214 Mailchimp accounts, largely those involved in cryptocurrencies and banking, had their data exposed in that hack.
Cloud computing behemoth DigitalOcean, Edge Wallet, Cointelegraph, NFT developers, Ethereum FESP, Messari and Decrypt were among the customers affected by the August incident.
At the time, Mailchimp said that it had added a set of improved security safeguards to its systems.
Given how closely this incident replays the previous hack, it is unclear whether Mailchimp applied those improved security measures effectively.
Commenting on Mailchimp incident, Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, said: "Well, whatever 'enhanced security measures' Mailchimp put in place after the first breach did not take the desired effect. Organisations like this should not only tighten their security measures, they should also put in place training programs for employees and executives, educating them about phishing attacks like the one that facilitated these breaches."
However, Wicus Ross, senior security researcher at Orange Cyberdefense, commended Mailchimp for its quick response.
"Due to how quickly it was able to respond to this incident, we can assume that it learned from its previous experience and invested in technology that detects account compromise. By quickly blocking the unauthorised user and suspending the accounts impacted, it was able to contain the attack to just 133 users and notified those affected within less than 24 hours."