Email marketing service provider, Mailchimp, has announced that it suffered a data breach as a result of a social engineering attack on its employees and contractors.
The company has stated that the unauthorized actor was able to gain access to select Mailchimp accounts using employee credentials that were compromised in the attack.
According to Mailchimp, the incident was limited to 133 accounts, and there is no evidence that this compromise affected any other systems or customer data beyond these Mailchimp accounts. The newsletter giant has temporarily suspended account access for Mailchimp accounts where suspicious activity was detected in order to protect user data.
Mailchimp has apologized for the incident and stated that it is working with its users directly to help them reinstate their accounts, answer questions and provide any additional support they need. The company is also continuing its investigation and is providing impacted account holders with timely and accurate information throughout the process.
The company has urged its users to contact ciso@mailchimp.com if they have any questions regarding the incident.
According to Patrick Wragg, cyber-incident response manager at Integrity360, the hack is a reminder that social engineering attacks can be very effective, and it is important for companies to have proper security protocols in place and for employees to be aware of these types of attacks.
"Seeing as phishing emails are still the most successful initial access vector for breaches, the compromise of a company that bases its business around email marketing is bad," Wragg told Infosecurity in an email.
"What perhaps makes this more interesting is that Mailchimp has confirmed it was breached via a phishing/social engineering campaign itself. Employees are your first line of defense against a cyber-attack, and education and awareness are still critical in tackling even basic phishing emails."
The breach comes less than a year after Mailchimp suffered a separate hack in April 2022.