This attack follows another similar one from last year (Express photo)
Mass email and marketing automation platform Mailchimp has confirmed that it was hacked on January 11, with bad actors gaining access to information from 133 accounts. The data can potentially be used to send account owners unsolicited ads or targeted phishing attacks.
The company said in a blog post that its security team detected an “unauthorised actor” accessing one of its internal tools used by Mailchimp customer-facing teams for customer support and account administration. This actor had conducted a social engineering attack on Mailchimp employees, obtaining access to Mailchimp accounts using employee credentials compromised in that attack.
Social engineering attacks differ from outright hacking in that they do not exploit technical vulnerabilities. Instead, bad actors deceive employees into giving up confidential data through psychological manipulation.
Those 133 accounts could include mailing lists, so the email addresses of many more customers may have been obtained by the bad actors. The open source e-commerce platform WooCommerce was one of those accounts. In a note to customers, the e-commerce giant said it was notified by Mailchimp that the breach may have exposed the names, email addresses, and store web addresses of its customers. However, customer passwords are reportedly still safe.
Market and consumer data specialist Statista on Monday also sent out an email to customers saying that name and email details had been exposed in the breach, though no password information was stolen.
Mailchimp says that “there is no evidence that this compromise affected Intuit systems or customer data beyond these Mailchimp accounts.” The company did not specify in its note what kind of data was stolen in the breach. But considering that Mailchimp is usually only responsible for sending newsletters and promotional emails, it is likely that the bad actors did not make off with sensitive account details and phone numbers.
“After we identified evidence of an unauthorized actor, we temporarily suspended account access for Mailchimp accounts where we detected suspicious activity to protect our users’ data. We notified the primary contacts for all affected accounts on January 12, less than 24 hours after initial discovery,” says the company in its statement concerning the hack.
This isn’t the first time Mailchimp has been breached. The email marketing service was a victim of a similar social engineering attack last August where bad actors obtained credentials of the company’s customer support staff, gaining access to Mailchimp’s internal tools.