Mailchimp breach feels like deja vu

A threat actor successfully used compromised employee credentials to gain access to 133 accounts on Mailchimp, the mainstream Intuit-owned email marketing platform, in a security incident that recently came to light.

“On January 11, the Mailchimp Security team identified an unauthorized actor accessing one of our tools used by Mailchimp customer-facing teams for customer support and account administration,” said Mailchimp in a blog post. “The unauthorized actor conducted a social engineering attack on Mailchimp employees and contractors, and obtained access to select Mailchimp accounts using employee credentials compromised in that attack.”

The blog further asserts the company’s compromise had not affected other Intuit systems or other Mailchimp customer data.

It is noted that very little detail is shared about the attack, such as the specific social engineering tactic used against Intuit’s employees, who might be responsible for the attack, or how long the intruder was in the company’s systems.

According to TechCrunch, who first reported the incident, Mailchimp detected the intruder while accessing one of the tools used by its customer support and account administration. Upon discovery of the targeted attack, it suspended the affected accounts temporarily and reached out to their owners regarding the breach.

“That afternoon, we sent another email to affected accounts with steps to help users reinstate access to their Mailchimp accounts safely. Since then, we’ve been working with our users directly to help them reinstate their accounts, answer questions, and provide any additional support they need.”

One of the 133 accounts affected belonged to WooCommerce, an immensely popular e-commerce plugin for WordPress with more than five million customers. TechCrunch said customer names, web store addresses, and customer email addresses might have been exposed in the compromise.

This latest incident with Mailchimp definitely calls back to the April 2022 breach when threat actors were able to breach 319 of its client accounts, mostly belonging to companies in the cryptocurrency and finance industries. Cryptocurrency wallet company Trezor had taken to Twitter to let followers know some of its services were also affected by the Mailchimp compromise.

Trezor said then, “Mailchimp have confirmed that their service has been compromised by an insider targeting crypto companies. We have managed to take the phishing domain offline.”

Since this attack, Mailchimp said it had implemented “an additional set of enhanced security measures”, but TechCrunch noted the company wasn’t specific about these measures.

“We know that incidents like this can cause uncertainty, and we’re deeply sorry for any frustration,” Mailchimp said. “We are continuing our investigation and will be providing impacted account holders with timely and accurate information throughout the process.”

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.