Beleaguered email marketing automation service Mailchimp is dealing with the fallout of another security breach, as its customer service tools were once again hijacked by attackers looking to phish their clients.
This time, at least 133 Mailchimp customers received official-looking phishing emails and messages sent through the platform’s compromised customer support tools. Several big names, such as WooCommerce, have also come forward to say that the attackers made off with stored customer email lists and possibly other information kept on the platform.
Mailchimp has now suffered three security breaches of this sort in about a year’s time.
Mailchimp customer support tools repeatedly hijacked by phishing crews
The most recent security breach at Mailchimp took place on January 12. The company says it contained the incident by the end of the day, but a substantial number of clients were targeted before access was shut off. Mailchimp says that impacted customers have been contacted and asked to reset their passwords, and that some accounts may have been temporarily suspended until this was done.
The attack did not appear to compromise customer login credentials directly, but the attackers were able to use Mailchimp’s internal tools to send authentic-looking phishing messages, which are far more likely to ensnare victims than mail from an unrelated sender. This attack was somewhat smaller than the two prior breaches, which played out in very similar ways and involved several hundred additional customers. At least one of those earlier attacks focused on Mailchimp clients in the crypto business; it is unclear whether there was a similar focus in this incident.
Social engineering was used to gain access to the customer support tools in the prior attacks. That appears to be the case once again, which points to gaps in staff training or in the controls around those tools. Adding to the concerns is the fact that Mailchimp’s CISO left the company in the wake of the previous breach (in August 2022), and a replacement does not appear to have been appointed yet. The company is also facing a class action suit over one of the prior breaches, which alleges that its cyber defense measures were not reasonably fit to protect clients.
String of security breaches raises alarms
The fact that three security breaches took place in a year, and that all involved social engineering, points to fundamental cybersecurity dysfunction. Mailchimp indicated that this attack may have involved a third-party contractor, so at minimum there appears to be a serious need for review of access to the company’s internal systems and security protocols for business partners that have direct access to customer service tools.
Mailchimp parent company Intuit also saw another of its brands, the popular tax filing software TurboTax, hit by a security breach in 2021. That breach involved exposure of some customer financial and personal information, but at the time Intuit insisted that it was an isolated incident and not a systemic compromise of its internal systems.