Mailchimp: Cryptocurrency clients' mailing-list info stolen

Mailchimp has confirmed that a malicious actor gained access to one of its internal tools and used it to steal data belonging to more than 100 high-value customers.

All of the customers were in cryptocurrency and finance-related industries, according to Mailchimp. "Our findings show that this was a targeted incident," the mailing list giant's CISO, Siobhan Smyth, said in a statement to The Register on Monday.

Rumors of the intrusion surfaced on Twitter over the weekend: on Sunday, hardware cryptocurrency wallet maker Trezor, whose website is trezor.io, warned that someone was sending emails from noreply[at]safe[dot]us containing a link to malware designed to collect information from wallet owners.

Less than an hour later, Trezor said it had managed to disable the domain names associated with the scam, and that Mailchimp had told it its service had been "compromised by an insider targeting crypto companies."

According to Trezor, the scammer emailed subscribers to its mailing list claiming that there had been a security breach and that a new version of the Trezor software had to be downloaded and run. The message linked to what was said to be the latest Trezor Suite application, but the executable was in fact fake and instead sought to obtain the victim's wallet recovery seed and possibly other information.

Supposedly, someone compromised Mailchimp to extract the email addresses of everyone who had signed up for Trezor's Mailchimp-managed mailing list, and then sent the phishing email to those addresses. We're told the scammer accessed some 319 Mailchimp accounts and pulled "audience data" from 102 of them.

According to Smyth, Mailchimp's security engineers became aware of the breach on March 26, after a cybercriminal gained access to an internal tool used by Mailchimp's customer support and account management teams.

"The incident was propagated by a third-party actor who carried out a successful social engineering attack against Mailchimp employees, resulting in employee credentials being compromised," he explained. In other words, someone outside took control of a worker's internal system account and used it to obtain Mailchimp account details and contact information for subscribers.

The email delivery company terminated access to the compromised employee's account and "took steps to prevent other employees from being affected," Smyth added.

The company launched an investigation into what happened and also hired digital forensics experts for help. And during the course of that investigation, Mailchimp determined that the attacker could access the API keys of some accounts. These API keys could be used by an attacker to launch further phishing campaigns against Mailchimp mailing list subscribers.

"Out of an abundance of caution, we disabled those API keys, implemented protections so they cannot be re-enabled, and notified affected users," Smyth said.

In addition to saying that Mailchimp notifies account owners of any unauthorized account access as soon as possible, Smyth recommended that netizens adopt two-factor authentication to keep their online accounts secure.

"We sincerely apologize to our users for this incident and realize it brings inconvenience and raises questions for our users and their customers," he added. "We are confident in the security measures and robust processes we have in place to protect our users' data and prevent future incidents."

Mailchimp is just the latest major company to experience a computer security breach in recent months. It joins the ranks of software consultancy Globant, mattress seller Emma Dream Company, and identity service provider eight, among others.
