Mailchimp Hack Causes Theft of Trezor Crypto Wallet ‘Money’

Hackers have stolen a mother lode of personal data from Intuit’s email marketing operation, Mailchimp. And it’s already causing widespread trouble.

The infamous “spammers” didn’t move fast enough to stop Trezor’s account from sending a phishing campaign, nor to prevent hundreds of other Mailchimp customers leaking PII. Brace for more spam and phishing to come.

Tell me again why people trust sieves like Mailchimp to hold sensitive data? In today’s SB Blogwatch, we👏don’t👏like👏spam.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: THIS EPISODE.

Bloody Vikings

What’s the craic? Lawrence Abrams reports—“Hackers breach MailChimp”:

Used to conduct phishing campaigns
Email marketing firm Mailchimp disclosed [it] had been hit by hackers who gained access to internal customer support and account management tools to steal audience data and conduct phishing attacks. … Some of their employees fell for a social engineering attack that led to the theft of their credentials [which] were used to access 319 MailChimp accounts and to export … mailing lists.

Mailchimp says [it] received reports of this access being used to conduct phishing campaigns against stolen contacts but has not disclosed information about those attacks. Mailchimp recommends that all customers enable two-factor authentication.

Let’s turn to Carly Page—“Internal tool was used to breach hundreds of accounts”:

Send spoofed emails
Mailchimp CISO Siobhan Smyth said the company became aware of the intrusion on March 26 after it identified a malicious actor accessing a tool used by the company’s customer support and account administration teams: … “We acted swiftly to address the situation by terminating access for the compromised employee accounts.”

But not quickly enough: … In addition to viewing accounts and exporting data, the threat actors gained access to API keys for an undisclosed number of customers, allowing the attackers to … send spoofed emails.

Such as? Such as to SatoshiLabs’ Trezor customers—“Ongoing phishing attacks”:

Likely to receive increased phishing attempts
When you click on the link in the phishing email you are directed to download a Trezor Suite lookalike app that will ask you to connect your wallet and enter your seed. The seed is compromised once you enter it into the app, and your funds will then be immediately transferred to the attacker’s wallet.

The leak of email addresses is most harmful in the fact that [you] are now likely to receive increased phishing attempts. As long as you use your device correctly it should not affect you.

Ouch. HildyJ experiences acute déjà vu:

Crypto, again! For those who thought storing their crypto in an offline wallet was safe, this just points out that it’s not safe, it’s only safer. You still need to understand security.

For individuals, crypto was, is, and will remain risky.

There’s not a lot of love for Mailchimp at the best of times. Gravis Zero puts it bluntly:

Just because Mailchimp’s actions are technically legal doesn’t mean that they aren’t a malicious actor.

In principle, this is true. Doctor Syntax throws shade on its business model:

Professional spammers: … For avoidance of doubt, that’s Mailchimp. Your semi-professional spammer bank, retailer or whatever, will happily send them PII of their customers and insist that they’re doing nothing wrong under GDPR.

And stanbrown agrees:

Perhaps such a tool should not exist? If you really want to protect customer privacy, perhaps you should not create tools to violate it?

In case you’d forgotten, a1371 reminds us who Mailchimp’s parent is:

Intuit is one of the few companies that I don’t hear any good things about. … They always do something shady—last one I recall was sharing employee salary info with Equifax.

[So] we moved to another accounting service and when they bought MailChimp I pulled my whole company out of that too. I understand the workplace is not always a place for activism, but I could switch with reasonable effort and it made me feel good not to fund this sort of behavior.

Meanwhile, the best answer to KB’s question seems to be, “Enjoy the remaining 10%”:

I fell for it. It immediately drained 90% of everything in my Trezor wallet. What do I do now?

And Finally:

If you know, you know

Hat tip: planearm

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Rishi Ragunathan (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
