Hat trick: Mailchimp hacked for the third time in one year
Email marketing platform Mailchimp, owned by Intuit Inc. since September 2021, has achieved the dubious honor of a cybersecurity fail hat trick – it has been hacked for the third time in a year.
Mailchimp’s latest data breach was detected on Jan. 11 when an unauthorized actor was found to be accessing tools used by customer-facing teams for customer support and account administration. The attack vector involved the hacker successfully targeting Mailchimp employees and contractors with a social engineering attack, then using the employee credentials compromised in that attack to gain access to select Mailchimp accounts.
So far, the company has only found evidence that 133 Mailchimp accounts were compromised. The number does not sound significant but presuming they’re corporate accounts, a single Mailchimp account holder could be serving emails to millions of people.
MailChimp temporarily suspended access to affected accounts and notified affected account holders of the breach on Jan. 12, less than 24 hours after the breach was detected.
“We know that incidents like this can cause uncertainty, and we’re deeply sorry for any frustration,” Mailchimp stated. “We are continuing our investigation and will be providing impacted account holders with timely and accurate information throughout the process.”
Incompetence causes uncertainty, and Intuit may be regretting the day that it agreed to pay $12 billion to acquire Mailchimp. Companies are regularly hacked, but three times in twelve months points to a cultural issue at the company, particularly given how the attacks occur.
Previous Mailchimp breaches include one in March that affected Trezor cryptocurrency wallet service users – the attack vector was social engineering targeting Mailchimp employees. Another hack affected customers of DigitalOcean Holdings Inc. in August, and the attack vector was yet again a social engineering attack on Mailchimp employees.
“Within one year, MailChimp has suffered three data breaches as a result of social engineering attacks, with one of the worst-case scenarios – a breach that seems to be very similar to previous ones,” Almog Apirion, chief executive officer and co-founder of zero trust access company Cyolo Ltd., told SiliconANGLE. “Companies should prioritize securing identities – the new perimeter for many organizations.”
Erfan Shadabi, cybersecurity expert with data security specialist comforte AG, commented that the latest Mailchimp breach shows how clever threat actors can be in adapting existing social engineering tactics.
“It’s not enough simply to educate employees and partners sporadically about common social engineering tactics and hope that this makes a significant impact on incident prevention or mitigation,” Shadabi explained. “The entire corporation needs to adopt a culture of cybersecurity in which speed and rapidity are valued less than safety and sensible inspection of all requests for information and action.”