Email marketing service Mailchimp on Monday disclosed a data breach in which an internal tool was compromised to gain unauthorized access to customer accounts and stage phishing attacks.
The development was first reported by Bleeping Computer.
The company, acquired by financial software firm Intuit in September 2021, told the publication that it became aware of the incident on March 26 when it discovered that a malicious actor was accessing its customer support tool.
Siobhan Smyth, Mailchimp's director of information security, said: "The incident was propagated by an outside actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised."
While Mailchimp says it acted quickly to terminate access to the compromised employee accounts, the stolen credentials were used to access 319 Mailchimp accounts and to export mailing lists belonging to 102 of those accounts.
The unknown actor is also said to have obtained API keys for an unspecified number of customers; the company says those keys have since been disabled, preventing the attackers from abusing them to run email-based phishing campaigns.
Following the hack, the company also recommended that customers enable two-factor authentication to protect their accounts against takeover attacks.
The admission comes as crypto wallet company Trezor on Sunday said it was investigating a potential security incident stemming from an opt-in newsletter hosted on Mailchimp, after the actor reused the stolen email addresses to send fake emails claiming the company had suffered a security incident.
The phishing email, which carried a supposed link to download an updated version of Trezor Suite hosted on a phishing site, tricked unsuspecting recipients into connecting their wallets and entering their recovery seed into a trojanized look-alike app, allowing the adversaries to transfer funds to wallets under their control.
"This attack is exceptional in its sophistication and was well planned with a high level of detail," Trezor explained. "The scam app is a clone of Trezor Suite with very real functionality and also includes a web version of the app."
"Mailchimp has confirmed that their service was compromised by an insider targeting crypto companies," Trezor later tweeted. "We managed to take the phishing domain [trezor.us] offline," it added, warning users not to open any emails from the company until further notice.
The US company has so far not clarified whether the attack was carried out by an "insider." It also remains unclear how many other crypto platforms and financial institutions were affected by the incident.
The second confirmed casualty of the breach was Decentraland, a browser-based 3D virtual world platform, which on Monday revealed that "newsletter subscribers' email addresses were leaked in a Mailchimp data breach."