MailChimp, the well-known email marketing company, has been hacked. Cybercriminals infiltrated the company’s systems at some point last month, stealing information on over 100 users. The criminals then repurposed the stolen data to phish users of the popular crypto wallet Trezor.
The attack, which MailChimp staff became aware of on March 26, involved an unknown threat actor getting its hands on internal tools used by the company’s customer support staff for account administration. When reached for comment by Gizmodo, a MailChimp representative provided a statement from Siobhan Smyth, Mailchimp’s chief information security officer, further explaining the breach.
“The incident was propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised,” said Smyth. The hacker or hackers then used its access to the company to get its hands on subscriber data. “Based on our investigation, we believe that about 300 Mailchimp accounts were viewed and audience data was exported from 102 of those accounts,” Smyth said.
“As a result of the security incident, we’ve received reports of the malicious actor using the information they obtained from user accounts to send phishing campaigns to their contacts,” he said. The attack appears to have been designed to nab information on people in the crypto and finance industries, Smyth added.
On the heels of the hack of MailChimp, users of the Trezor crypto wallet, a piece of hardware that allows users to store their cryptocurrency offline, began reporting on Twitter that they had received weird emails about a security incident at the company. These notifications, as it turned out, were actually phishing emails. The hackers had tapped a Trezor newsletter mailing list via MailChimp, then used the information to select targets. Trezor quickly addressed the situation, explaining in a series of tweets on Sunday that some user information had been compromised via the hack of MailChimp and used in the phishing campaign.
“MailChimp have [sic] confirmed that their service has been compromised by an insider targeting crypto companies,” the company revealed. “We will not be communicating by newsletter until the situation is resolved. Do not open any emails appearing to come from Trezor until further notice.”
On Monday, the company followed up with users, publishing a blog in which they provided substantially more information on the phishing campaign. The scheme used sophisticated tactics, including a phony Trezor lookalike app that prompted users for their seed—the string of randomly generated words that act as the crypto wallet’s passkey. Targets of the phishing campaign would receive an email telling them that Trezor had been hit with a “security incident” and that if they were receiving the email they should download an updated version of the Trezor Suite app. The phishing note read, in part:
“Trezor has experienced a security incident involving data belonging to 106.856 of our customers, […] If you’re receiving this e-mail, it’s because you’ve been affected by the breach. In order to protect your assets, please download the latest version of Trezor Suite and follow the instructions to set up a new PIN for your wallet.”
The user would then be asked to click a link to download the lookalike app and to “connect your wallet and enter your seed.” If the user fell for this message and entered their seed on the phony app, hackers would have likely stolen the contents of their wallet, Trezor has said.
It’s unclear how much data was stolen during the MailChimp hack or if other crypto companies have (or will) been targeted with phishing attempts, aside from Trezor.
“We are currently investigating how many customers might have been affected following an insider compromise of a newsletter database hosted on Mailchimp,” Trezor said, in their blog.
An earlier version of this story mistakenly referred to the crypto wallet mentioned in this story as Trezor Hardware. The actual name is merely Trezor, by Satoshi Labs.