Stolen Cryptocurrency Client Mailing List Information • The Registry

Mailchimp has confirmed that an attacker gained access to one of its internal tools and used it to steal data belonging to more than 100 high-value customers.

The customers were all from the cryptocurrency and finance industries, according to Mailchimp. “Our findings show that this was a targeted incident,” CISO of the mailing list giant Siobhan Smyth said in a statement to The register Monday.

Intrusion rumors surfaced on Twitter over the weekend: On Sunday, cryptocurrency hardware wallet maker Trezor, whose website is, warned someone was emailing from noreply[at]trezor[dot]us containing a link to malware designed to collect information from wallet owners.

Less than an hour later, Trezor noted it managed to deactivate the domain names associated with the scam and MailChimp said its service had been “compromised by an insider targeting crypto companies”.

According to Trezor, a fraudster sent by e-mail its mailing list subscribers claiming that there had been a security breach and that a new version of Trezor’s software needed to be downloaded and run. The post linked to what was supposed to be the latest Trezor Suite app, but the executable was actually fake, and instead sought to obtain a victim’s recovery seed for their wallet and possibly other information.

Presumably, someone compromised Mailchimp to extract the email addresses of everyone who had signed up for Trezor’s Mailchimp-managed mailing list, then sent the phishing mail to those addresses. We’re told the fraudster accessed some 319 Mailchimp accounts and exfiltrated “audience data” from 102 of them.

According to Smyth, Mailchimp security engineers became aware of the breach on March 26 after a cybercriminal gained access to a tool that Mailchimp’s customer-facing teams use for customer support and administration. accounts.

“The incident was propagated by an outside actor who successfully carried out a social engineering attack against Mailchimp employees, which compromised employee credentials,” she explained. In other words, an outside person took control of a worker’s internal system account and used it to obtain Mailchimp account data and subscriber contact information.

The email delivery company has terminated access to the compromised employee account and “has taken steps to prevent other employees from being affected,” Smyth added.

The company has opened an investigation into what happened and has also hired digital forensics experts to get help. And during this investigation, Mailchimp determined that API keys for certain accounts were potentially accessible by the intruder. These API keys could be used by an attacker to launch more phishing campaigns against Mailchimp mailing list subscribers.

“Out of an abundance of caution, we’ve disabled these API keys, put in place safeguards so they can’t be re-enabled, and notified affected users,” Smyth said.

In addition to saying that Mailchimp notifies account owners of any unauthorized access to an account as soon as possible, Smyth recommended people to adopt two-factor authentication to keep their accounts safe online.

“We sincerely apologize to our users for this incident and realize that it brings inconvenience and raises questions for our users and their customers,” she added. “We are confident in the robust security measures and processes we have in place to protect our users’ data and prevent future incidents.”

Mailchimp is just the latest major company to experience a computer security breach in recent months. He now joins the ranks of software consultancy Globant, mattress supplier Emma Sleep Company and identity service provider Okta, among others. ®