Accounts of 133 corporate customers of email marketing service provider Mailchimp have been hacked after employees fell for a social media attack, the third time the company has been compromised in less than a year.
“On January 11, the Mailchimp Security team identified an unauthorized actor accessing one of our tools used by Mailchimp customer-facing teams for customer support and account administration,” the company said in a statement. “The unauthorized actor conducted a social engineering attack on Mailchimp employees and contractors, and obtained access to select Mailchimp accounts using employee credentials compromised in that attack.”
With access to customer accounts, the hackers can send out mass phishing messages.
Mailchimp is owned by Intuit. There is no evidence that this compromise affected Intuit systems or customer data beyond the 133 Mailchimp accounts, the company said.
According to TechCrunch, one of the victims is e-commerce platform WooCommerce. It quoted WooCommerce saying it was notified by Mailchimp that the breach may have exposed the names, store web addresses and email addresses of its customers. No customer passwords or other sensitive data was taken.
“After we identified evidence of an unauthorized actor, we temporarily suspended account access for Mailchimp accounts where we detected suspicious activity to protect our users’ data,” the statement says. “We notified the primary contacts for all affected accounts on January 12, less than 24 hours after initial discovery.
That afternoon, the company sent another email to affected accounts with steps to help users reinstate access to their Mailchimp accounts safely. Since then, Mailchimp said, it has been working with users directly to help them reinstate their accounts, answer questions, and provide any additional support they need.
In April 2022, the company acknowledged hackers had accessed Mailchimp’s customer support and account management tools to steal audience data and conduct phishing attacks. And last August, Mailchimp said it was victimized by a social media attack. “On August 8, our Security team became aware of an unauthorized actor accessing one of our tools used by customer-facing teams for customer support and account administration,” the company said at the time. “The incident was propagated by an unauthorized actor who conducted a social engineering attack on Mailchimp employees, and obtained access using employee credentials compromised in that social engineering attack.”
In that incident, 214 customer accounts were compromised, mainly companies related to cryptocurrency and finance.
“We know that incidents like this can cause uncertainty, and we’re deeply sorry for any frustration,” the company said of the most recent attack. “We are continuing our investigation and will be providing impacted account holders with timely and accurate information throughout the process.”
“The unauthorized access to 133 customer accounts is a very insignificant security incident for such a large company as Mailchimp,” commented Ilia Kolochenko, founder of ImmuniWeb and a member of Europol Data Protection Experts Network.
“The reported attack vector of social engineering and password reuse remains extremely efficient today. Many large businesses regularly fall victim to it, despite multilayered cyber-defense and most advanced security controls,” he said in an email. “Moreover, the reportedly compromised account of a technical support specialist likely had access to a much larger number of customer accounts, evidencing that the incident was timely detected and contained.”