Hacker accessed 319 crypto- and finance-related Mailchimp accounts, company said

Email marketing firm Mailchimp announced on Monday that a hacker breached its internal tools and managed to gain access to 319 Mailchimp accounts for companies in the cryptocurrency and finance industries. 

Of those 319 accounts accessed, the hacker exported audience data from 102. 

Siobhan Smyth, Mailchimp’s chief information security officer, told The Record in a statement that on March 26, their security team “became aware of a malicious actor accessing one of our internal tools used by customer-facing teams for customer support and account administration.” 

“The incident was propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised. We acted swiftly to address the situation by terminating access for the compromised employee accounts and took steps to prevent additional employees from being affected,” Smyth said, noting that they hired “outside forensic counsel” to examine the breach.

“Our findings show that this was a targeted incident focused on users in industries related to cryptocurrency and finance, all of whom have been notified. We also determined that some accounts’ API keys posed a potential vulnerability. Out of an abundance of caution, we disabled those API keys, implemented protections so they can’t be re-enabled, and notified affected users.” 

Smyth added that Mailchimp has received reports of the attacker using information taken from the compromised user accounts to send phishing campaigns to those accounts' contacts.

On Sunday morning, popular cryptocurrency wallet company Trezor took to Twitter to say that some of its services were compromised through the Mailchimp incident.

“Mailchimp have confirmed that their service has been compromised by an insider targeting crypto companies. We have managed to take the phishing domain offline. We are trying to determine how many email addresses have been affected,” the company said.

“We will not be communicating by newsletter until the situation is resolved. Do not open any emails appearing to come from Trezor until further notice. Please ensure you are using anonymous email addresses for bitcoin-related activity.”

Trezor disabled several of its domains as a result of the hack. The company did not respond to requests for comment about its claim that the attack was due to an "insider," as opposed to someone who stole the credentials of a Mailchimp employee.

It is still unclear how many other cryptocurrency services or financial institutions were affected by the incident. 

Smyth said that since the attack, Mailchimp has been notifying affected account owners and suspends further access as soon as it becomes aware of any unauthorized account access.

The company urged its customers to use two-factor authentication and other account security measures “as added measures to keep accounts and passwords secure.” 

“We sincerely apologize to our users for this incident and realize that it brings inconvenience and raises questions for our users and their customers. We’re confident in the security measures and robust processes we have in place to protect our users’ data and prevent future incidents,” Smyth said.


Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.