MailChimp breached, intruders conducted phishing attacks against crypto customers

Threat actors gained access to internal tools of the email marketing giant MailChimp to conduct phishing attacks against crypto customers.

During the weekend, multiple owners of Trezor hardware cryptocurrency wallets reported having received fake data breach notifications from Trezor, BleepingComputer first reported.

The fake data breach notification emails urged Trezort customers to reset the PIN of their hardware wallets by downloading malicious software that could have allowed attackers to steal the funds in the wallets.

Later Trazor reported that MailChimp have confirmed that their service has been compromised by an insider targeting crypto companies. Trazor also took the phishing domain used by threat actors offline and launched an investigation to determine how many users have been impacted.

A statement shared by Mailchimp CISO Siobhan Smyth with TechCrunch revealed that the company discovered the security breach on March 26. A threat actor gained access to a tool used by the company’s customer support and account administration teams. The company was the victim of a social engineering attack aimed at its employees.

The attack resulted in the compromise of employee credentials.

“We acted swiftly to address the situation by terminating access for the compromised employee accounts and took steps to prevent additional employees from being affected,” Smyth said. ““When we become aware of any unauthorized account access, we notify the account owner and immediately take steps to suspend any further access,” Smyth added. “We also recommend two-factor authentication and other account security measures for our users as added measures to keep accounts and passwords secure.”

BleepingComputer states that threat actors compromised 319 MailChimp accounts and managed to export “audience data,” from 102 customer accounts.

The attackers also gained access to API keys for an undisclosed number of customers, then the company has disabled them.

Once obtained the API keys, threat actors would have conducted phishing campaigns without accessing MailChimp’s customer portal.

At this time company has already notified impacted customers, which are in the cryptocurrency and finance sectors.

Please vote Security Affairs as best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and other of your choice.
To nominate, please visit: https://forms.gle/4D4PygUVcNxFQ6iFA

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, MailChimp)

[adrotate banner=”5″]

[adrotate banner=”13″]