Hackers targeted crypto customers using MailChimp’s internal infrastructure

Hackers got access to internal customer support and account management systems at email marketing firm MailChimp on Sunday, stealing audience data and launching phishing attacks.

Owners of Trezor hardware bitcoin wallets got phishing notifications stating the business had suffered a data breach, according to postings on Twitter early Sunday morning.

Customers of Trezort were invited to reset their hardware wallet PINs by downloading malicious software, which allowed for the theft of cryptocurrency stored on the device.

Fake Trezor data breach notification
Fake Trezor data breach notification
Source: Twitter

Trezor later revealed that the phishing attack was carried out by threat actors targeting the bitcoin business, who had hacked MailChimp.

The bitcoin and finance industries were targeted by the MailChimp attack

MailChimp verified that the breach was more serious than just threat actors gaining access to Trezor’s account.

According to MailChimp, several of their employees were victims of a social engineering attack, which resulted in their credentials being stolen.

MailChimp CISO Siobhan Smyth, On March 26, our Security team became aware of a hostile actor accessing one of our internal tools used by customer-facing teams for customer assistance and account administration.

The incident was spread by an external actor who successfully launched a social engineering attack on Mailchimp employees, culminating in the loss of employee credentials.

MailChimp responded quickly to the matter by cancelling access to the compromised employee accounts and taking efforts to ensure that no other employees were affected.

These credentials were used to log into 319 MailChimp accounts and export audience data from 102 client accounts, most likely mailing lists.

The threat actors also acquired access to API keys for an unspecified number of clients, which have since been removed and are no longer usable.

API keys are access tokens that allow MailChimp customers to manage their accounts and run marketing campaigns directly from their own websites or platforms.

Without accessing MailChimp’s customer interface, a threat actor can develop custom email campaigns, such as phishing campaigns, and distribute them to mailing lists using these obtained API credentials.

Smyth told that the threat actors accessed consumers in the bitcoin and finance industries, and that all of the compromised account holders had been alerted.

MailChimp claims to have received reports of this access being used to execute phishing campaigns against stolen contacts, but no details about the attacks have been released.

For added security, MailChimp recommends that all clients use two-factor authentication on their accounts.

This attack is reminiscent of recent breaches by the Lapsus$ hacking organisation, who employed social engineering, malware, and credential theft to obtain access to Nvidia, Samsung, Microsoft, and Okta, among others.

Similar to MailChimp, the Okta breach was carried out through social-engineering a contractor with access to internal customer service and account management systems.

Share This Post:

Arjun Gopireddy
Arjun Gopireddy
Arjun is an Information Security Specialist, and his main role is to support our clients by identifying and advising on mitigating information security risks. Holding a Master’s degree in Cyber Security (UK) and Engineering Management (USA) his knowledge and skills are shared with our clients. Outside of work Arjun likes watching movies, travelling, playing cricket, football and doing adventurous things such as sky diving. He is the biggest fan of Yuvraj Singh – a former Indian international cricketer.
What our clients say:
Subscribe to our newsletter

Sign up to receive updates, promotions, and sneak peaks of upcoming products. Plus 20% off your next order.

Promotion nulla vitae elit libero a pharetra augue
Subscribe to our newsletter

Sign up to receive updates, promotions, and sneak peaks of upcoming products. Plus 20% off your next order.

Promotion nulla vitae elit libero a pharetra augue