Mailchimp, one of the largest email marketing and newsletter companies, has announced that it was hacked and that customer data was exposed. This is the second time the company has been hacked in the past six months, and the current breach appears to be almost identical to the previous incident.
The company said in a blog post that its security team detected an intruder on January 11th accessing one of its internal tools used by Mailchimp customer support and account administration.
Mailchimp said the hacker targeted its employees and contractors with a social engineering attack, in which someone uses manipulation techniques by phone, email or text to gain private information, like passwords. The hacker then used those compromised employee passwords to gain access to data on 133 Mailchimp accounts, which the company notified of the intrusion. One of those targeted accounts belongs to e-commerce giant WooCommerce.
In a note to customers, WooCommerce said it was notified by Mailchimp a day later that the breach may have exposed the names, store web addresses, and email addresses of its customers, though it said no customer passwords or other sensitive data were taken. Cyber experts shared how organizations can protect themselves from becoming the source of similar incidents.
Tim Morris, Chief Security Advisor, AMER, Tanium
"At first glance, this appears to be a typical stolen credentials attack. Whether by social engineering (as claimed), credential stuffing, or “spray and pray”, the methods of prevention are the same. Enable strong multi-factor authentication (MFA) for all systems. Strong MFA includes the trifecta of something you:
Have (token, key)
This is especially important for administrative staff that have access to an organization’s systems. Training users is also important so that they understand attacker techniques. For example, education on how to use MFA correctly and being alert to MFA fatigue/bombing attacks."
Gal Helemski, co-founder & CTO/CPO, PlainID
"In attacks such as this, identity is the solution for finding the adversary and eliminating it from systems. Organizations must adopt a “Zero Trust” approach, which means trusting no one – not even known users or devices – until they have been verified and validated. Access policies and dynamic authorizations are a crucial part of the zero-trust architecture, as they help to verify who is requesting access, the context of the request, and the risk of the access environment.
Instead of pouring more money into a shotgun approach to security, organizations need a more focused strategy oriented toward purchasing the highest reward tools. Identity and authorization are where the smart money should be going. If we assume hackers are already in the network, it makes sense to focus budgets on technologies that restrict movement inside the network."
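The two recommendations above, strong MFA with awareness of MFA fatigue (Morris) and context-aware access policies that evaluate who is asking, from where, and at what risk (Helemski), can be combined into a single access decision for an internal support or admin tool. The following is an added illustration written for this article; it is not code from Mailchimp, Tanium or PlainID. The tool names, roles, thresholds and MFA push log lines are all constructed for the example.

```python
"""
Added example: a context-aware access check for an internal support/admin
tool. It (1) rejects weak or missing MFA, (2) refuses access while a user is
being flooded with push prompts they keep denying (MFA fatigue), and
(3) applies stricter requirements to administrative tools. All identifiers
below are hypothetical and constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

ADMIN_TOOLS = {"account-admin"}            # hypothetical internal tool names
PHISHING_RESISTANT = {"fido2"}             # factors a phished password cannot defeat
WEAK_MFA = {"none", "sms"}
PUSH_FATIGUE_WINDOW = timedelta(minutes=10)
PUSH_FATIGUE_THRESHOLD = 3                 # unapproved prompts before we refuse


@dataclass
class AccessRequest:
    user: str
    role: str            # "support", "admin", "contractor"
    tool: str
    mfa_method: str      # "none", "sms", "totp", "fido2"
    device_managed: bool
    network_known: bool
    timestamp: datetime


@dataclass
class Decision:
    allow: bool
    reason: str


def parse_push_log(lines: List[str]) -> List[Dict]:
    """Parse constructed MFA push log lines: '<iso-time> user=<u> push=<result>'."""
    events = []
    for line in lines:
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": fields["user"],
            "result": fields["push"],
        })
    return events


def push_fatigue_suspected(user: str, events: List[Dict], now: datetime) -> bool:
    """True if the user denied or ignored too many push prompts recently."""
    recent = [e for e in events
              if e["user"] == user and e["result"] != "approved"
              and timedelta(0) <= now - e["time"] <= PUSH_FATIGUE_WINDOW]
    return len(recent) >= PUSH_FATIGUE_THRESHOLD


def decide(req: AccessRequest, events: List[Dict]) -> Decision:
    """Evaluate identity, factor strength and request context; deny by default."""
    if req.mfa_method in WEAK_MFA:
        return Decision(False, "strong MFA required for internal tools")
    if push_fatigue_suspected(req.user, events, req.timestamp):
        return Decision(False, "possible MFA fatigue: repeated unapproved prompts")
    if req.tool in ADMIN_TOOLS:
        if req.role == "contractor":
            return Decision(False, "contractors may not use admin tools")
        if req.mfa_method not in PHISHING_RESISTANT:
            return Decision(False, "admin tools require a phishing-resistant factor")
        if not (req.device_managed and req.network_known):
            return Decision(False, "admin tools require a managed device on a known network")
    return Decision(True, "policy satisfied")


# Constructed push log: alice is being bombed with prompts she keeps refusing.
PUSH_LOG = [
    "2023-01-11T09:00:05Z user=admin.alice push=denied",
    "2023-01-11T09:01:40Z user=admin.alice push=denied",
    "2023-01-11T09:03:12Z user=admin.alice push=timeout",
    "2023-01-11T08:30:00Z user=support.bob push=approved",
]
EVENTS = parse_push_log(PUSH_LOG)
T = datetime(2023, 1, 11, 9, 5, tzinfo=timezone.utc)


def demo() -> Dict[str, Decision]:
    """Run a handful of constructed requests through the policy."""
    reqs = {
        "support_totp": AccessRequest("support.bob", "support", "support-console", "totp", True, True, T),
        "support_sms": AccessRequest("support.bob", "support", "support-console", "sms", True, True, T),
        "contractor_admin": AccessRequest("contractor.carol", "contractor", "account-admin", "fido2", True, True, T),
        "admin_fatigue": AccessRequest("admin.alice", "admin", "account-admin", "fido2", True, True, T),
        "admin_ok": AccessRequest("admin.dave", "admin", "account-admin", "fido2", True, True, T),
        "admin_unmanaged": AccessRequest("admin.dave", "admin", "account-admin", "fido2", False, True, T),
    }
    return {name: decide(r, EVENTS) for name, r in reqs.items()}


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name}: {'ALLOW' if d.allow else 'DENY'} ({d.reason})")
```

The fatigue check is the piece most directly tied to the incident described: a stolen password plus a victim pressured into approving a push is still a stolen-credential attack, so the policy refuses new sessions while the prompt pattern looks coerced rather than simply waiting for one approval to arrive.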
Justin McCarthy, co-founder and CTO, StrongDM
“The recent Mailchimp incident has security experts now pondering if the bad actors are going after email accounts, it’s safe to say they are also going after your data, data stores, repos, APIs and more. Ensuring that access is secured for all users -- admins, developers, analysts and more -- is critical in keeping your company and customers safe. One way to accomplish this is to eliminate credentials altogether and move to just-in-time access or Zero Standing Privilege.”
Tyler Farrar, CISO, Exabeam
“Adversaries are always going to go for the path of least resistance to meet their end goal. The threat actors who conducted this social engineering attack were likely not going after Mailchimp, but the organizations the email platform works with. Rather than attempt to attack each of the customers individually, the adversary probably figured it would be easier to break through into Mailchimp.
Unfortunately, attacks like these are going to become more and more common. The software supply chain is going to become the number one threat vector in 2023. As a result, organizations should create a vendor risk management plan, thoroughly vet third parties and require accountability to remain vigilant and align to cybersecurity best practices.”