Email marketing service Mailchimp on Monday revealed a data breach that resulted in the compromise of an internal tool to gain unauthorized access to customer accounts and stage phishing attacks.
The development was first reported by Bleeping Computer.
The company, which was acquired by financial software firm Intuit in September 2021, told the publication that it became aware of the incident on March 26 when it became aware of a malicious party accessing the customer support tool.
“The incident was propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised,” Siobhan Smyth, Mailchimp’s chief information security officer, was quoted as saying.
Although Mailchimp stated it acted quickly to terminate access to the breached employee account, the siphoned credentials were used to access 319 MailChimp accounts and further export the mailing lists pertaining to 102 accounts.
The unidentified actor is also believed to have gained access to API keys for an unspecified number of customers, which the company said have been disabled, preventing the attackers from abusing the API keys to mount email-based phishing campaigns.
images from Hacker News