Mailchimp: Crook stole cryptocurrency clients' mailing-list subscriber info

Mailchimp has confirmed a miscreant gained access to one of its internal tools and used it to steal data belonging to 100-plus high-value customers.

The clients were all in cryptocurrency and finance-related industries, according to Mailchimp. "Our findings show that this was a targeted incident," the mailing-list giant's CISO Siobhan Smyth said in a statement to The Register on Monday.

Rumors of the intrusion surfaced on Twitter over the weekend: on Sunday, hardware cryptocurrency wallet maker Trezor, whose website is trezor.io, warned someone was sending out emails from noreply[at]trezor[dot]us containing a link to malware designed to harvest wallet owners' information.

Less than an hour later, Trezor said it managed to get the domain names associated with the scam disabled, and that MailChimp said its service had been "compromised by an insider targeting crypto companies."

According to Trezor, a fraudster emailed its mailing-list subscribers claiming there had been a security breach, and that a new version of Trezor's software had to be downloaded and run. The message linked to what was said to be the latest Trezor Suite application, but the executable was in fact bogus, and instead sought to obtain a victim's recovery seed for their wallet and possibly other information.

Presumably, someone compromised Mailchimp to extract the email addresses of everyone who had signed up to Trezor's Mailchimp-managed mailing list, and then spammed out the phishing mail to those addresses. We're told the fraudster accessed some 319 Mailchimp accounts, and exfiltrated "audience data" from 102 of them.

According to Smyth, Mailchimp's security engineers became aware of the break-in on March 26 after a cybercriminal gained accessed to a tool that the Mailchimp customer-facing teams use for customer support and account administration.

"The incident was propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised," she explained. In other words, someone outside gained control of a worker's internal system account and used that to get at Mailchimp account data and subscribers' contact info.

The email-slinging company terminated access to the compromised employee account, and "took steps to prevent additional employees from being affected," Smyth added.

• IcedID malware, in the hijacked email thread, with the insecure Exchange servers
• This browser-in-browser attack is perfect for phishing
• How CAPTCHAs can cloak phishing URLs in emails
• Borat RAT: Multiple threat of ransomware, DDoS and spyware

The company began an investigation into what happened, and also hired digital forensic experts for help. And during the course of that probe, Mailchimp determined that some accounts' API keys were potentially accessed by the intruder. These API keys could be used by an attacker to launch more phishing campaigns against Mailchimp mailing list subscribers.

"Out of an abundance of caution, we disabled those API keys, implemented protections so they can't be re-enabled, and notified affected users," Smyth said. 

In addition to saying that Mailchimp notifies account owners of any unauthorized account access as soon as possible, Smyth recommended netizens adopt two-factor authentication to keep their online accounts secure.

"We sincerely apologize to our users for this incident and realize that it brings inconvenience and raises questions for our users and their customers," she added. "We're confident in the security measures and robust processes we have in place to protect our users' data and prevent future incidents."

Mailchimp is just the latest big firm to experience a computer security breach in recent months. It now joins the ranks of software consultancy Globant, mattress vendor Emma Sleep Company, and identity services provider Okta, among others. ®