SecureWorld News

MailChimp Suffers Data Breach in Latest Social Engineering Attack

Written by Drew Todd | Fri | Jan 20, 2023 | 3:13 PM Z

Popular email marketing service MailChimp recently fell victim to another data breach, this time caused by a successful social engineering attack on its employees and contractors.

The company stated that an unauthorized third party was able to gain access to select MailChimp accounts using employee credentials that were compromised in the attack.

The incident was limited to 133 accounts, and there is no evidence that this compromise affected any other systems or customer data beyond these MailChimp accounts. The company temporarily suspended access for accounts where suspicious activity was detected in order to protect user data.

The company has apologized for the incident and stated that it is working with its users directly to help them reinstate their accounts, answer questions, and provide any additional support they need.

The investigation into the incident is ongoing, and the company has urged its users to contact ciso@mailchimp.com if they have any questions regarding the incident.

Graham Cluley, a well-known security expert, reported that one of the MailChimp customers that appears to have been affected was WooCommerce, makers of a WordPress plugin that is popular with businesses operating online stores.

WooCommerce contacted affected users warning them that some of their personal information had been exposed, such as their name, online store URL, address, and email address. Such information could be exploited by threat actors in phishing attacks.

This is, unfortunately, the second security incident that MailChimp has suffered in less than a year. In March 2022, MailChimp discovered that an attacker had gained access to a tool used by its customer support team and used it to access 300 client accounts, stealing subscriber data from 102 of them.

MailChimp customers who worked in the cryptocurrency and financial sectors found that their accounts were targeted on that occasion, opening opportunities for scammers to send out convincing (but malicious) emails to unsuspecting newsletter subscribers.

The recent incident serves as a reminder that social engineering attacks can be very effective, and underscores the importance of companies having proper security protocols in place and training employees to be aware of these types of attacks.
