This article is more than 1 year old
Mailchimp 'fesses up to second digital burglary in five months
Social engineering helped intruders break into customers' inboxes again
Email marketing service Mailchimp has confirmed intruders have gained access to more than 100 customer accounts after successfully deploying a social engineering attack.
This is the second data spill in five months and yet the company, bought by Intuit for $12 billion in September 2021, continues to tell customers – with a straight face – that it takes the "security of users' data seriously."
The latest digital burglary happened on January 11 when the resident security team spotted an "unauthorized actor accessing one of our tools used by Mailchimp customer-facing teams for customer support and account administration," the company blog states.
The criminal used employee credentials to break into 133 Mailchimp customer accounts, though the business says there is no evidence currently that the compromise affected Intuit systems "or customer data beyond these accounts."
"After we identified evidence of an unauthorized actor, we temporarily suspended account access for Mailchimp accounts where we detected suspicious activity to protect our users' data," it says.
Mailchimp says it told the primary contacts for accounts on January 12 that their mail boxes had been accessed without permission.
No personal financial information was included in the data caught up in the break-in, and the business is not commenting further on the countermeasures being taken to galvanize security.
- The Guardian ransomware attack hits week two as staff told to work from home
- Email hijackers scam food out of businesses, not just money
- Rackspace rocked by 'security incident' that has taken out hosted Exchange services
- Intruders get their hands on user data in LastPass incident
One of the 133 accounts belongs to WooCommerce, provider of an open source e-commerce plugin for WordPress, as first noted by TechCrunch. The business has subsequently written to its own clients to confirm some of their details – name, store URL, address and email – were exposed.
Mailchimp suffered another break-in in August when it confirmed a criminal had accessed tools used by customer support and administration teams, via a social engineering attack, to gain entry to 214 Mailchimp accounts. In that incident, customer Digital Ocean decided to ditch Mailchimp's services.
Digital Ocean migrated services to an alternative provider and said a "very small" number of customers had seen crooks attempt to get into their accounts.
Clearly not all lessons that Mailchimp needed to learn from the first breach were taken on board. ®