Mailchimp suffers second security breach in 6 months, impacting 133 customers

Popular marketing automation platform and email marketing service provider Mailchimp suffered yet another security breach that gave threat actors access to a tool used for internal support and account administration and allowed them to obtain data of 133 customers.

The Intuit-owned company disclosed that an unauthorized actor used employee credentials compromised in the attack to conduct a social engineering attack on Mailchimp employees and contractors and gain access to several Mailchimp accounts.

Mailchimp claimed to have discovered the error on January 11 and found no proof that the unauthorized party had compromised any other customer data besides the 133 accounts. It added that it immediately notified the main contacts for every affected account and helped them regain access to their accounts.

The Atlanta-based company, however, declined to say how long the hacker stayed on its systems or exactly what kinds of data were accessed. Meanwhile, WooCommerce, one of the affected accounts, revealed that the breach exposed users’ names, addresses, email addresses, and store URLs but not payment data, passwords, or other sensitive information.

Mailchimp first became the victim of a security breach in April 2022, in which a malicious actor used crypto phishing scams to compromise the security and access 319 customer accounts without authorization. A group known as 0ktapus (also known as Scatter Swine) performed a sophisticated social engineering attack again in August 2022, compromising 216 customer accounts.