Mailchimp suffers third breach in 12 months

Email marketing specialist Mailchimp has suffered its third data breach arising from a social engineering attack in the space of a year, but on this occasion has won some praise for its swift and candid response to the incident.

In a statement first published on Friday 13 January, later updated on Tuesday 17 January, Mailchimp said that it first identified the breach on Wednesday 11 January. The attack saw an unauthorised party access customer support and admin tools by phishing its employees and stealing their credentials, before accessing data on 133 customers.

Mailchimp said it suspended account access for affected accounts immediately and notified its primary contacts for those accounts within 24 hours. It has since been working with them to reinstate access safely and provide needed support.

“Based on our investigation to date, this targeted incident has been limited to 133 Mailchimp accounts. There is no evidence that this compromise affected Intuit systems or customer data beyond these Mailchimp accounts,” the company said.

“We know that incidents like this can cause uncertainty, and we’re deeply sorry for any frustration. We are continuing our investigation and will be providing impacted account holders with timely and accurate information throughout the process,” said the company, which has also provided an email address for affected users to contact ([email protected]).

While Mailchimp has on this occasion moved quite quickly, the latest incident to affect it seems to maintain a pattern of internal compromise at the organisation.

In April 2022, cryptocurrency companies including Bitcoin hardware wallet maker Trezor were targeted by phishing campaigns after a threat actor breached Mailchimp. This attack was also the result of malicious access to an internal customer support tool, as confirmed by its then CISO Siobhan Smyth.

The second incident, which appears to have cost Smyth her job – she now works as CIO at a US-based healthcare company – unfolded in August 2022, also targeted organisations working in the crypto sector that were customers of DigitalOcean, a specialist in cloud infrastructure services. DigitalOcean, which ditched Mailchimp following the attack, said that it understood this attack had also been the result of an attacker compromising Mailchimp’s internal tools.

Ultimately, this attack was deemed to be the work of Scatter Swine, aka 0ktapus, a highly successful campaign of supply chain compromises that exploited the branding of identity and access management (IAM) specialist Okta. Somewhat ironically, Okta’s subsequent investigation revealed evidence that the group was using infrastructure provided by a provider called Bitlaunch, which itself used DigitalOcean’s services.

Eset global cyber security advisor Jake Moore said that the incident was highly worrying: “2023 is shaping up to be the year that attackers don’t hack in, they log in. Social engineering hacks targeting third-party tools are becoming more prevalent and sophisticated, and in recent months we have seen some big names being targeted with huge results,” he said.

“Although this may only seem like a very small number of customers that have had details compromised, this is still a very worrying breach of data…No doubt attempts would have been made to siphon more data than was stolen, but this will still land as an embarrassment for the company which is known for storing large amounts of client data along with their client’s personally identifiable information.”

ImmuniWeb founder Ilia Kolochenko said: “The unauthorised access to 133 customer accounts is a very insignificant security incident for such a large company as Mailchimp.

“Transparent disclosure of the incident rather evidences a well-established DFIR process and high standards of ethics at Mailchimp, as most businesses of similar size will likely try to find a valid excuse to avoid mandatory disclosure prescribed by law or imposed by contractual duties.”

Kolochenko added that the supposed attack vector was an exceedingly efficient one, claiming multiple victims all the time, with even the best multi-layered defences and advanced controls frequently ineffective against an honest mistake. He said Mailchimp had clearly detected and contained the problem quickly, given the customer support agent or agents compromised would have certainly had access to the data of many more customers.

One organisation known to have been affected in the latest attack is WooCommerce, an open source e-commerce platform used by independent micro retailers, which notified its customers shortly after.

In a copy of the notification email shared via Twitter, WooCommerce said it understood the breach may have resulted in some information, such as customer names, store URLs, and postal and email addresses exposed, but no payment data or passwords.

“There is no indication the person who engaged in unauthorised access to Mailchimp has taken any action with the exposed information,” the company said.

“We have confirmed with Mailchimp that our account is secure and follows all security best practices, and are working with them to better understand the cause of this breach and what they’re doing to prevent similar incidents in the future. We apologise for any issues or concerns this may have caused.”