This attack follows another similar one from last year (Express photo)

Mass email and marketing automation platform Mailchimp has confirmed that it was hacked on January 11, with attackers gaining access to data from 133 customer accounts. That data could be used to send the affected account owners, and the subscribers on their mailing lists, unsolicited ads or targeted phishing emails.
The company said in a blog post that its security team detected an “unauthorised actor” accessing one of its internal tools used by Mailchimp customer-facing teams for customer support and account administration. This actor had conducted a social engineering attack on Mailchimp employees, obtaining access to Mailchimp accounts using employee credentials compromised in that attack.
Social engineering attacks differ from technical intrusions in that they do not exploit software vulnerabilities. Instead, attackers use psychological manipulation to deceive employees into handing over credentials or other confidential data, which the attacker then uses to log in as a legitimate user.
Each of those 133 accounts may hold one or more mailing lists, so the names and email addresses of far more than 133 people may have been obtained by the attackers. Open source e-commerce platform WooCommerce was one of the affected accounts. In a note to customers, WooCommerce said it had been notified by Mailchimp that the breach may have exposed the names, email addresses, and store web addresses of its customers. Customer passwords are reportedly unaffected, which is to be expected, since a mailing list would not normally contain passwords in the first place.
Market and consumer data specialist Statista on Monday also emailed customers to say that names and email addresses had been exposed in the breach, though no password information was stolen.
Mailchimp says that “there is no evidence that this compromise affected Intuit systems or customer data beyond these Mailchimp accounts.” (Intuit is Mailchimp’s parent company.) The company did not specify in its note what kind of data was taken. Since Mailchimp is primarily used to send newsletters and promotional emails, the attackers most likely obtained subscriber names and email addresses rather than more sensitive account details, though Mailchimp audiences can contain whatever additional fields an account owner chooses to collect, such as phone numbers, so the exposure for any given list depends on what that account stored.
“After we identified evidence of an unauthorized actor, we temporarily suspended account access for Mailchimp accounts where we detected suspicious activity to protect our users’ data. We notified the primary contacts for all affected accounts on January 12, less than 24 hours after initial discovery,” says the company in its statement concerning the hack.
This isn’t the first time Mailchimp has been breached. The email marketing service was the victim of a similar social engineering attack last August, in which attackers obtained the credentials of customer support staff and used them to gain access to Mailchimp’s internal tools.