Dive Brief:
- Mailchimp on Tuesday disclosed a security incident in which an unauthorized actor accessed 133 customer accounts after launching a social-engineering attack against company employees and contractors, the company said in a blog post.
- During an attack discovered Jan. 11, the actor was able to gain access to a company tool normally used for customer support and account administration. The attack allowed the actor to compromise employee credentials.
- Mailchimp temporarily suspended accounts where it saw suspicious activity and notified the primary contacts on the customer accounts on Jan. 12. On Tuesday, Mailchimp began to contact customers to begin to reinstate those accounts.
Dive Insight:
The incident marks the second attack against Mailchimp since August, when a similar attack was launched as a way to target the company’s crypto industry users. During the August attack, at least 214 user accounts were impacted.
A spokesperson for Mailchimp declined to comment on social media posts and customer emails by numerous organizations indicating they were compromised during the attack earlier this month.
“While we do not share customer information as a matter of course, we can share that no credit card or password information was compromised as a result of this incident,” a Mailchimp spokesperson said via email. “Our investigation into the matter is ongoing, and includes identifying measures to further protect our platform.”
The spokesperson added the company would not publicly comment on what specific measures it was taking to enhance security. In the blog post, Mailchimp said there is no evidence the compromise affected its parent company Intuit’s systems or customer data beyond the Mailchimp accounts.
Ant Allan, VP analyst at Gartner, blamed the repeated attacks on an over reliance on passwords as the sole authentication method.
“Stolen credentials are the major cause of data breaches,” Allan said via email. “MFA is no longer a best practice approach; it is a minimum good practice.”
A number of customers both in the crypto industry and other organizations have confirmed being impacted by the hack.
WooCommerce said it was notified on Jan. 13 about the attack, as the company uses Mailchimp to send a newsletter and email communications to customers.
“The impact has not affected any data stored by WooCommerce.com or WordPress.com,” a WooCommerce spokesperson said in a statement. “No store or customer data hosted by WooCommerce has been impacted.”
WooCommerce said it has not asked customers to take any specific action as no passwords or sensitive user data was compromised. The company said it has been in contact with Mailchimp about the breach and was assured the account is now secure.
Officials at Fantom, a smart contract platform, confirmed they were impacted by the attack and said there was an unauthorized export of audience data on Jan. 10, according to a blog post. Fantom said that Mailchimp was still investigating whether the actor actually downloaded the data.
Fantom said most of the data it collects involves email addresses and some names, however for a small number of customers there is latitude and longitude information about where emails were opened as well as the country or region they are located and the times the emails were opened.
