On Monday, Mailchimp, an email marketing service, disclosed a data breach that compromised an internal tool, and the tool was used for unauthorised access to customer accounts and to execute phishing attacks. 

Bleeping Computer was the first to report this news. 

The company, which was bought by Intuit, a financial software firm, in September 2021, said that it got to know about the incident on March 26 when a malicious party accessed the customer support tool. 

“The incident was propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised,” Siobhan Smyth, Mailchimp’s chief information security officer, was quoted as saying.

Mailchimp said it was prompt to stop the access to the affected employee account; the stolen credentials were used to access 319 MailChimp accounts and also export the mailing lists relating to 102 accounts. 

The attacker could also access API keys associated with many customers; the company has deactivated the API keys to prevent the attackers from exploiting the API keys to carry out an email-based phishing campaign.

In the background of the attack, the company has recommended customers activate two-factor authentication to secure their accounts from takeover attacks. 

Tenzor, a cryptocurrency wallet company, said that it’s looking into a security incident originating from an opt-in newsletter hosted on Mailchimp after the actor remodelled the stolen data to send fake emails stating that the company had a security incident. 

The fake email that had a link to download an updated version of the Trezor Suite hosted on a phishing site induced unaware recipients to link their wallets and enter the seed phrased on the trojanized similar application, which allowed the attackers to steal funds from the wallet. 

This attack is exceptional in its sophistication and was clearly planned to a high level of detail,” Trezor explained. “The phishing application is a cloned version of Trezor Suite with very realistic functionality, and also included a web version of the app.”

“Mailchimp have confirmed that their service has been compromised by an insider targeting crypto companies,” Trezor later tweeted. “We have managed to take the phishing domain [trezor.us] offline,” warning its users to refrain from opening any emails from the company until further notice.

The American company hasn’t clarified whether an insider executed the attack. It’s unclear how many cryptocurrency platforms and financial institutions are impacted by the incident

A second confirmed casualty of the breach is Decentraland, a 3D virtual world browser-based platform, which on Monday disclosed that its “newsletter subscribers’ email addresses were leaked in a Mailchimp data breach.”

Reference

https://thehackernews.com/2022/04/hackers-breach-mailchimp-email.html