Mailchimp, a platform for mass email and marketing automation, reported that it was hacked on January 11, with malicious actors obtaining access to information from 133 accounts. The information could be used to deliver unsolicited advertisements or targeted phishing attempts to account owners.
The company stated that its security team discovered an “unauthorized actor” gaining access to one of its internal systems used by Mailchimp customer-facing teams for customer assistance and account administration. The actor had carried out a social engineering attack against Mailchimp employees and then used the employee credentials obtained in that attack to access Mailchimp accounts.
Social engineering attacks differ from conventional hacking in that they do not exploit technical flaws. Instead, attackers manipulate employees into divulging private information such as credentials.
Because the 133 accounts may themselves hold mailing lists, the attackers may have acquired the email addresses of many more people than the account owners. One of the affected accounts belonged to the open source e-commerce software WooCommerce. The e-commerce company told customers in a message that Mailchimp had informed it that the breach may have exposed their names, email addresses, and store web links. Customer passwords are reportedly not affected.
Market and consumer data expert Statista on Monday also sent out an email to customers informing them that while no password information was stolen, name and email information had been exposed in the hack.
There is “no evidence that this intrusion compromised Intuit systems or customer data beyond these Mailchimp accounts,” according to Mailchimp. In its note, the company did not specify what kind of data was stolen. However, given that Mailchimp typically only handles the distribution of newsletters and promotional emails, it is probable that the attackers did not obtain confidential account information or phone numbers.
“After we uncovered evidence of an unauthorised actor, we temporarily suspended account access for Mailchimp accounts where we noticed suspicious behaviour to protect our users’ data. On January 12, less than 24 hours after initial discovery, we alerted the primary contacts for all compromised accounts,” the company writes in a statement about the incident.
This isn’t the first time Mailchimp’s security has been compromised. Last August, the email marketing firm was the target of a similar social engineering operation in which malicious actors stole the credentials of the company’s customer care personnel and gained access to Mailchimp’s internal tools.