Mailchimp says an internal tool was used to breach hundreds of accounts

Email marketing giant Mailchimp has confirmed a data breach after malicious hackers compromised an internal company tool to gain access to customer accounts.

In a statement given to TechCrunch, Mailchimp CISO Siobhan Smyth said the company became aware of the intrusion on March 26 after it identified a malicious actor accessing a tool used by the company’s customer support and account administration teams. Access was gained following a successful social engineering attack, a type of attack that exploits human error and uses manipulation techniques to gain private information, access or valuables.

“We acted swiftly to address the situation by terminating access for the compromised employee accounts and took steps to prevent additional employees from being affected,” Smyth said.

But not quickly enough: hackers viewed approximately 300 Mailchimp accounts and successfully exported audience data from 102 of them, the company said. Mailchimp declined to say exactly what data was accessed but told TechCrunch that the hackers targeted customers in the cryptocurrency and finance sectors. In addition to viewing accounts and exporting data, the threat actors obtained API keys for an undisclosed number of customers, which could potentially have been used to send spoofed emails; those keys have since been disabled and can no longer be used. Smyth said that Mailchimp has received some reports of the hackers using information obtained from user accounts to send phishing campaigns to those customers’ contacts.

“When we become aware of any unauthorized account access, we notify the account owner and immediately take steps to suspend any further access,” Smyth told TechCrunch. “We also recommend two-factor authentication and other account security measures for our users as added measures to keep accounts and passwords secure.”

Smyth declined to answer our questions about what, if any, additional security measures Mailchimp is taking to prevent future attacks.

The incident, first reported by Bleeping Computer, came to light over the weekend after cryptocurrency wallet maker Trezor took to Twitter to confirm that its users had been targeted by phishing emails as a result of the breach at Mailchimp, which Trezor uses to send newsletters to customers. These malicious emails prompted Trezor users to reset their hardware wallet PINs by downloading malicious software which, if installed, could have allowed the hackers to steal customers’ cryptocurrency.

Mailchimp would not say how many other cryptocurrency services or financial institutions were affected by the incident.