Email marketing firm MailChimp disclosed on Sunday that they had been hit by hackers who gained access to internal customer support and account management tools to steal audience data and conduct phishing attacks.
The data breach was confirmed to the press by Mailchimp on Monday, but it had come to light over the weekend when users of the Trezor hardware cryptocurrency wallet reported being targeted by sophisticated phishing emails.
MailChimp has confirmed that the data breach was more significant than just Trezor's account being accessed by threat actors.
According to MailChimp, some of their employees fell for a social engineering attack that led to the theft of their credentials.
"On March 26, our Security team became aware of a malicious actor accessing one of our internal tools used by customer-facing teams for customer support and account administration," MailChimp CISO, Siobhan Smyth, had informed BleepingComputer.
"The incident was propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised."
"We acted swiftly to address the situation by terminating access for the compromised employee accounts and took steps to prevent additional employees from being affected."
These credentials were used to access 319 MailChimp accounts and to export "audience data," likely mailing lists, from 102 customer accounts.
In addition to viewing accounts and exporting data, the threat actors gained access to API keys for an undisclosed number of customers, which have now been disabled and can no longer be used.
Application Programming Interface (API) keys are access tokens that allow MailChimp customers to manage their accounts and perform marketing campaigns directly from their own websites or platforms.
Using these compromised API keys, a threat actor can create custom email campaigns, such as phishing campaigns, and send them to mailing lists without accessing MailChimp's customer portal.
MailChimp has notified all of the compromised account holders have been notified and that the threat actors accessed customers in the cryptocurrency and finance sectors.
MailChimp says that they received reports of this access being used to conduct phishing campaigns against stolen contacts but have not disclosed information about those attacks.
Mailchimp would not say how many other cryptocurrency services or financial institutions were affected by the incident.
This data breach is reminiscent of recent breaches by the Lapsus$ hacking group, who used social engineering, malware, and credential theft to gain access to numerous well-known companies, including Nvidia, Samsung, Microsoft, and Okta.
The Okta data breach was accomplished through a similar method as MailChimp, by social-engineering a contractor who had access to internal customer support and account management systems.
Armoryze security team recommends that all MailChimp impacted customers should enable two-factor authentication on their accounts for further protection.