Email marketing service Mailchimp on Monday revealed a data breach that resulted in the compromise of an internal tool to gain unauthorized access to customer accounts and stage phishing attacks.

The development was first reported by Bleeping Computer.

The company, which was acquired by financial software firm Intuit in September 2021, told the publication that it became aware of the incident on March 26 when it became aware of a malicious party accessing the customer support tool.

"The incident was propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised," Siobhan Smyth, Mailchimp's chief information security officer, was quoted as saying.


Although Mailchimp stated it acted quickly to terminate access to the breached employee account, the siphoned credentials were used to access 319 MailChimp accounts and further export the mailing lists pertaining to 102 accounts.

The unidentified actor is also believed to have gained access to API keys for an unspecified number of customers, which the company said have been disabled, preventing the attackers from abusing the API keys to mount email-based phishing campaigns.

In the wake of the break-in, the company is also recommending customers to enable two-factor authentication to secure their accounts from takeover attacks.

The acknowledgment comes as cryptocurrency wallet company Trezor on Sunday said it's investigating a potential security incident stemming from an opt-in newsletter hosted on Mailchimp after the actor repurposed the stolen data to send rogue emails claiming that the company had experienced a security incident.

The fraudulent email, which came with a supposed link to download an updated version of the Trezor Suite hosted on what's actually a phishing site, prompted unsuspecting recipients to connect their wallets and enter the seed phrase on the trojanized lookalike application, allowing the adversary to transfer the funds to a wallet under their control.


"This attack is exceptional in its sophistication and was clearly planned to a high level of detail," Trezor explained. "The phishing application is a cloned version of Trezor Suite with very realistic functionality, and also included a web version of the app."

"Mailchimp have confirmed that their service has been compromised by an insider targeting crypto companies," Trezor later tweeted. "We have managed to take the phishing domain [] offline," warning its users to refrain from opening any emails from the company until further notice.

The American company hasn't so far clarified on whether the attack was carried out by an "insider." It's also unclear at this stage how many other cryptocurrency platforms and financial institutions are impacted by the incident.

A second confirmed casualty of the breach is Decentraland, a 3D virtual world browser-based platform, which on Monday disclosed that its "newsletter subscribers' email addresses were leaked in a Mailchimp data breach."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.