Mailchimp, the newsletter and email marketing giant, says that dozens of customers’ data were exposed when the company suffered a data breach. It’s the second time the company’s been hacked in the past six months — and this breach seems identical to the first one.
According to a blog post by the company, Mailchimp’s security team detected an unauthorized actor accessing one of its internal tools used by Mailchimp’s customer-facing team for customer support and account administration.
Mailchimp claims the hacker used a social engineering attack to target its contractors and employees and used the obtained employee passwords to gain access to data on 133 Mailchimp accounts.
The company said it notified the owners of the compromised accounts but didn’t disclose how long the intruder had access to their systems.
Since it is often easier to obtain sensitive data by tricking an employee than by exploiting a vulnerability in a well-defended system, protecting businesses against social engineering attacks is essential.
To perform a social engineering attack, the malicious actors use manipulation techniques by email, text, or phone to obtain private information, like passwords.
WooCommerce, an e-commerce giant with over 5 million customers that maintains popular open-source tools for small businesses and entrusts Mailchimp with sending emails to its customers, owns one of the compromised accounts.
While informing its customers about the incident, WooCommerce said that Mailchimp notified the company a day later, saying that the breach may have exposed store web addresses, names, and email addresses of its customers.
The last time Mailchimp fell victim to a social engineering attack, the company disclosed that the malicious actors gained access to their internal tools to conduct phishing attacks and steal its customers’ data.
Some 214 Mailchimp accounts were compromised during the first breach, mainly finance and cryptocurrency-related ones. DigitalOcean, a cloud giant, confirmed that its account was compromised in the attack and harshly criticized how Mailchimp handled the breach.
Even though Mailchimp said it had applied “an additional set of enhanced security measures” after the August breach, it’s unclear if the company properly implemented them or if they failed to protect the company.
In April 2022, hackers used similar methods to steal data from over 100 of Mailchimp’s clients, including Trezor, a cryptocurrency wallet maker. The malicious actors then launched a phishing attack using Trezor’s compromised newsletter hosted on Mailchimp.
In a blog post, Trezor warned its users of the attacks, teaching them how to spot a phishing attack and protect themselves.
It’s unclear who’s responsible for cybersecurity at Mailchimp after its chief information security officer, Siobhan Smyth, departed shortly after the August incident.