Mailchimp, the veteran email marketing platform, has confirmed that hackers used an internal tool to steal data from more than 100 of its clients — with the data being used to mount phishing attacks on the users of cryptocurrency services.
The breach was confirmed to the press by Mailchimp on Monday, but it had come to light over the weekend when users of the Trezor hardware cryptocurrency wallet reported being targeted by sophisticated phishing emails.
MailChimp have confirmed that their service has been compromised by an insider targeting crypto companies.— Trezor (@Trezor) April 3, 2022
We have managed to take the phishing domain offline. We are trying to determine how many email addresses have been affected. 1/
In a statement sent to The Verge, Mailchimp CISO Siobhan Smyth said that the company had become aware of the breach on March 26th when it detected unauthorized access of a tool used by the company’s customer support and account administration teams. Although Mailchimp deactivated the compromised employee accounts after learning of the breach, the hackers were still able to view around 300 Mailchimp user accounts and obtain audience data from 102 of them, Smyth said.
“We sincerely apologize to our users for this incident and realize that it brings inconvenience and raises questions for our users and their customers,” Smyth said. “We take pride in our security culture, infrastructure, and the trust our customers place in us to safeguard their data. We’re confident in the security measures and robust processes we have in place to protect our users’ data and prevent future incidents.”
However, details of the hack show that the compromise of Mailchimp’s internal tools was just one piece in a bigger puzzle. As Bleeping Computer reports, one of the stolen email lists was used to send a fake data breach notification to Trezor customers, prompting them to download a new version of the Trezor Suite desktop application. In fact, the email directed users to a phishing site that hosted a fake version of the application, designed to steal the seed phrase that would allow hackers to gain total control over a user’s cryptocurrency wallet. It’s currently unclear whether any Trezor users had funds stolen by the attack.
In a blog post published Monday, Trezor said that the attack was “exceptional in its sophistication and ... clearly planned to a high level of detail,” with the cloned version of the Trezor Suite app presenting a realistic functionality to anyone who installed it. SatoshiLabs, the makers of the Trezor wallet, have not yet responded to further questions sent by The Verge.
So far, Mailchimp’s analysis has concluded that the attackers focused on obtaining data from users in the cryptocurrency and finance sectors. Unfortunately for Trezor users — and for customers of every other organization whose data was compromised — it’s safe to say that a skilled threat actor now has knowledge of the users’ email contact details and potentially the type of crypto hardware and software they are using.
Users of Trezor devices have been advised to report any new phishing attempts directly to firstname.lastname@example.org. Mailchimp has stated that the owners of all other compromised accounts have been informed, so more notifications from affected entities will likely appear soon.