Tag Archive for: MailChimp

Mailchimp hack potentially leading to crypto wallet thefts




Email marketing firm Mailchimp confirms that hackers used one of its own internal tools to access accounts of customers working in finance and cryptocurrency — and a follow-up attack could lead to crypto wallet draining.

In total, some 319 Mailchimp accounts were reportedly viewed, and data from 102 of them was downloaded. Among the affected users was the Trezor cryptocurrency app, which has since tweeted advice for its customers.

Trezor goes into further detail in a blog post which says the hacker or hackers gained access through targeting Mailchimp employees with a social engineering attack.

In the case of Trezor, its Mailchimp account was then used to contact users of the cryptocurrency wallet service. Calling the attack “exceptional in its sophistication,” Trezor says the fake email directed users to download what was a “very realistic” clone of the Trezor Suite wallet app.

Users who downloaded this fake update and then entered their cryptocurrency seed information into the app could lose funds.

According to Bleeping Computer, Mailchimp’s Chief Information Security Officer Siobhan Smyth says the company has warned the affected users.

“On March 26, our Security team became aware of a malicious actor accessing one of our internal tools used by customer-facing teams for customer support and account administration,” Smyth told the publication. “The incident was propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised.”

“We acted swiftly to address the situation,” continued Smyth, “by terminating access for the compromised employee accounts and took steps to…

Hackers continue to exploit hijacked MailChimp accounts in cybercrime campaigns

MailChimp, a service that millions of people around the world use to send out email newsletters, is being abused by hackers to spam out malware.

Read more in my article on the Hot for Security blog.

Graham Cluley

MailChimp plugs a hole that could have leaked your email address

MailChimp has been leaking subscribers’ email addresses. But it’s not the biggest leak ever, and certainly not the most practical to exploit at a large scale.

Graham Cluley

Smashing Security podcast #050: MailChimp, Piers Morgan, and the Dark Overlord

Mail Chimp, Piers Morgan, and the Dark Overlord

There’s little time to celebrate our 50th episode, because there are rants to be had about MailChimp’s switch to single opt-in, Graham upsets Piers Morgan on Twitter, and the Dark Overlord hacking gang are up to some pretty horrid tricks.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.

Graham Cluley