Mailchimp slips up again, suffers security breach after falling on social engineering banana skin


For the second time in less than a year, email newsletter service Mailchimp has found itself in the embarrassing position of admitting it has suffered a data breach.

Mailchimp says that a social engineering attack succeeded in tricking Mailchimp employees and contractors into handing over their login credentials. Those details were then successfully used by a hacker to access 133 Mailchimp accounts.

Mailchimp says that it contacted all affected account holders on January 12, less than 24 hours after the security breach was discovered.


One of those Mailchimp customers who appear to have been affected was WooCommerce, makers of a WordPress plugin that is popular with businesses operating online stores.

[Image: WooCommerce email warning its subscribers that Mailchimp has suffered a security breach]

WooCommerce contacted affected users warning them that some of their personal information had been exposed:

  • Their name
  • Their online store URL
  • Their address
  • Their email address

Such information could clearly be exploited by attackers in, for instance, phishing attacks. No doubt WooCommerce, and other Mailchimp users, are less than impressed that their own customers have been put at risk due to Mailchimp’s security slip-up.

Mailchimp is no stranger to security breaches.

In March 2022, Mailchimp discovered that an attacker had managed to access a tool used by its customer support team, accessing 300 client accounts and successfully stealing the subscriber data from 102 of them.

Mailchimp customers who worked in the cryptocurrency and financial sectors found that their accounts were targeted on that occasion, opening opportunities for scammers to send out convincing (but malicious) emails to unsuspecting newsletter subscribers.

Then, as in the most recent security breach, the attacker used social engineering to dupe Mailchimp workers into handing over their login credentials.

Although Mailchimp appears to have acted relatively promptly in this instance, there must surely be questions asked as to whether it is doing enough to lock down access to its internal tools and to ensure that only those who are truly authorised are able to access them.



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.