
Another Security Breach at Mailchimp; Customer Support Tools Again Hijacked to Phish Clients, in Third Such Incident in a Year

Hackers have gone to the Mailchimp well once again, nearly a year after the company suffered a similar security breach that targeted the crypto wallets of its clients. The attackers gained access to customer support tools through an employee account and sent phishing emails to 133 Mailchimp clients before being detected and removed from the system.

The breach took place on January 12 and appears to have lasted for less than a full day. The company says that client login information was not compromised, but that some of the accounts targeted by the “suspicious activity” were temporarily suspended and their owners asked to choose a new password.

2022 and 2023 Mailchimp security breaches share a number of similarities

Mailchimp published a notification about the security breach on January 13, updating it on January 17 with further information. The company says that in addition to temporarily suspending accounts that were associated with the attack and resetting passwords, the primary contacts associated with each account were notified by January 13.

There has been little information released beyond that, however. Additional statements to the media indicate that either an employee or contractor with access to the company’s customer support tools was successfully taken in by some sort of social engineering attack, and that these tools were then used to send phishing emails to 133 client accounts.

Major e-commerce platform WooCommerce, the most widely used plug-in for building an online store on a WordPress site, confirmed that it was one of the targets of the security breach. The company says that it was told privately by Mailchimp that some of its stored customer information, such as names and email addresses, may have been exposed to the attackers.

Combined with two similar security breaches that have taken place in just under a year, parent company Intuit is reportedly facing some hard questions from customers about the security of the rest of its product line (which includes TurboTax, Credit Karma and QuickBooks). TurboTax suffered its own security breach in 2021, raising questions about Intuit’s overall security across its various companies and whether it has blanket policies for employee and contractor access to customer support tools.

Questions have also been raised about a possible central backdoor into Intuit itself, but the company denies that this is a possibility.

Pattern of abuse of customer support tools raises questions

The year of security breaches for Mailchimp began in April 2022, when hackers similarly got control of customer support tools and used them to target 319 customer accounts with phishing emails. This particular campaign had a focus on Mailchimp clients known to be in the crypto business, seeking to gain access to wallets. The hackers were also able to obtain customer API keys and audience data while in the system. The identity of the attackers was never released.

The second attack was in August 2022, and was another case of social engineering being used to get access to customer support tools. The attackers once again went after cryptocurrency companies primarily, impacting 216 accounts in total. This incident was attributed to the broader “0ktapus” phishing campaign, in which an unknown threat actor targeted customers of the authentication platform Okta with official-looking text messages directing them to mocked-up login pages at phishing sites. The attacker’s methods in this campaign were described by security researchers as being unsophisticated but well-planned, leading to over 10,000 Okta credentials being compromised in total.

Three similar security breaches inside of a year, all involving social engineering of an employee account to access customer support tools, is enough to raise serious questions all by itself. But the situation is exacerbated by Mailchimp’s apparent lack of cybersecurity leadership. The company has not announced the appointment of a new CISO since Siobhan Smyth left the position in August, shortly after the second security breach. Mailchimp has been asked by a number of media sources who is currently in charge of cybersecurity at the company, but has yet to provide an answer. In spite of this, the company continues to direct email queries about the most recent security breach to the “ciso@mailchimp.com” address.

Tyler Farrar, CISO at Exabeam, observes that cyber criminals seem to have sniffed out weakness here and are using Mailchimp for its downstream access to many different clients: “Adversaries are always going to go for the path of least resistance to meet their end goal. The threat actors who conducted this social engineering attack were likely not going after Mailchimp, but the organizations the email platform works with. Rather than attempt to attack each of the customers individually, the adversary probably figured it would be easier to break through into Mailchimp. Unfortunately, attacks like these are going to become more and more common. The software supply chain is going to become the number one threat vector in 2023. As a result, organizations should create a vendor risk management plan, thoroughly vet third parties and require accountability to remain vigilant and align to cybersecurity best practices.”

The company may end up being forced into a greater degree of transparency in court. One of the victims of the first breach of the Mailchimp customer support tools was crypto wallet outfit Trezor, which says that some of its clients were taken in by the official-looking phishing emails the attackers were able to generate. Some of those Trezor clients have come together in a class action suit that alleges Mailchimp is responsible for their losses, due to a lack of “adequate and reasonable measures” in place to ensure its data and customer support tools were appropriately guarded.

Tim Morris, Chief Security Advisor/AMER at Tanium, notes that the remedy for these breaches is not necessarily expensive or complex to implement: “At first glance, this appears to be a typical stolen credentials attack. Whether by social engineering (as claimed), credential stuffing, or ‘spray and pray’, the methods of prevention are the same. Enable strong multi-factor authentication (MFA) for all systems … This is especially important for administrative staff that have access to an organization’s systems. Training users is also important so that they understand attacker techniques. For example, education on how to use MFA correctly and being alert to MFA fatigue/bombing attacks.”
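The MFA fatigue (push bombing) attacks Morris mentions leave a recognisable trace in an identity provider's logs: a burst of push prompts to one user in a short window, often ending in an approval. The following is an added example written for this article, not code from Mailchimp, Tanium or any identity provider. It assumes a hypothetical line-oriented log format (timestamp, user, event, source IP) and illustrative thresholds (five pushes in ten minutes); real IdP logs use different schemas and the thresholds should be tuned to the environment. The sample log lines are constructed.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Hypothetical log format (an assumption for this example, not any real IdP schema):
#   <ISO-8601 timestamp> user=<name> event=<push_sent|push_denied|push_approved> ip=<addr>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: five pushes to "alice" in under four minutes from one
# address, which she eventually approves; one ordinary login for "bob".
SAMPLE_LOG = """\
2023-01-12T09:00:05 user=alice event=push_sent ip=203.0.113.7
2023-01-12T09:00:40 user=alice event=push_denied ip=203.0.113.7
2023-01-12T09:01:02 user=alice event=push_sent ip=203.0.113.7
2023-01-12T09:01:30 user=alice event=push_denied ip=203.0.113.7
2023-01-12T09:02:11 user=alice event=push_sent ip=203.0.113.7
2023-01-12T09:02:50 user=alice event=push_sent ip=203.0.113.7
2023-01-12T09:03:20 user=alice event=push_sent ip=203.0.113.7
2023-01-12T09:03:55 user=alice event=push_approved ip=203.0.113.7
2023-01-12T09:05:00 user=bob event=push_sent ip=198.51.100.4
2023-01-12T09:05:10 user=bob event=push_approved ip=198.51.100.4
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "event": m["event"],
        "ip": m["ip"],
    }


def find_push_fatigue(lines, window=timedelta(minutes=10), threshold=5):
    """Flag users who receive at least `threshold` MFA pushes within `window`.

    Returns one alert per user: {"user", "first_ts", "count", "approved_after"}.
    `approved_after` is True if a push was approved once the burst had been
    flagged, which is exactly the outcome a fatigue attack is trying to force.
    """
    recent = {}   # user -> deque of push timestamps inside the sliding window
    alerts = {}   # user -> alert dict
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user, ts = rec["user"], rec["ts"]
        if rec["event"] == "push_sent":
            dq = recent.setdefault(user, deque())
            dq.append(ts)
            while ts - dq[0] > window:      # evict pushes older than the window
                dq.popleft()
            if len(dq) >= threshold:
                alert = alerts.setdefault(
                    user,
                    {"user": user, "first_ts": dq[0], "count": 0, "approved_after": False},
                )
                alert["count"] = max(alert["count"], len(dq))
        elif rec["event"] == "push_approved" and user in alerts:
            alerts[user]["approved_after"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_LOG):
        print(alert)
```

Running this over the constructed log flags only `alice`: five pushes inside the window, followed by an approval. The approval after a flagged burst is the condition worth paging on, since it means the prompt was most likely accepted by a worn-down user rather than a legitimate login; a burst with no approval is still worth a ticket, because it shows the attacker already holds a valid password.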

Erfan Shadabi, cybersecurity expert at comforte AG, expands on what that education should look like: “This cybersecurity incident shows just how clever threat actors can be in adapting existing social engineering tactics. The situation also underscores two key points that every enterprise should heed. One, it’s not enough simply to educate employees and partners sporadically about common social engineering tactics and hope that this makes a significant impact on incident prevention or mitigation. The entire corporation needs to adopt a culture of cybersecurity in which speed and rapidity are valued less than safety and sensible inspection of all requests for information and action. Social engineering preys on misdirection and hasty actions and responses. Put a premium on employees treating every email with healthy skepticism. Two, protect all sensitive enterprise data with more than just perimeter security, even if you feel that the impenetrable vault you’ve stored it all in is foolproof. Make sure that data-centric protection such as tokenization or format-preserving encryption effectively obfuscate sensitive information in case threat actors find their way into your data ecosystem. At some point, every organization will face a cybersecurity attack, so better be prepared.”