Email marketing and newsletter giant Mailchimp says it was hacked, exposing the data of dozens of its customers. It’s the second time in the past six months that the company has been hacked. To make matters worse, this breach looks much like the previous incident.
Mailchimp said in an unattributed blog post that its security team detected an intruder accessing one of Mailchimp’s internal tools for customer support and account management on Jan. 11. According to Mailchimp, the hackers targeted employees and contractors with social engineering attacks. In a social engineering attack, someone uses phone, email, or text manipulation techniques to obtain personal information, such as passwords. The hacker then used the compromised employee credentials to access data on 133 Mailchimp accounts, which the company said it has notified of the breach.
One of the targeted accounts belongs to e-commerce giant WooCommerce. In a note to customers, WooCommerce said the hacker did not obtain customer passwords or other sensitive data, but the breach may have exposed customers’ names, store web addresses, and email addresses. Mailchimp said WooCommerce was notified a day later.
WooCommerce, which builds and maintains popular open source e-commerce tools for small businesses, uses Mailchimp to send emails to its customers. WooCommerce is said to have over 5 million customers.
If all of this sounds vaguely familiar, it’s because it is. Last August, Mailchimp announced that it had been the victim of a social engineering attack that compromised the credentials of a customer support staff member, giving an intruder access to Mailchimp’s internal tools. That breach compromised data on approximately 214 Mailchimp accounts, most of which belonged to cryptocurrency and financial companies. Cloud giant DigitalOcean confirmed that its account was compromised in the incident and criticized Mailchimp’s handling of the breach.
Mailchimp said at the time that it had implemented an “additional set of enhanced security measures,” but declined to tell TechCrunch what those measures entailed. Therefore, it is not clear whether Mailchimp has properly implemented these enhanced measures, or if they have failed.
Intuit, which acquired Mailchimp for $12 billion in 2021, did not respond to an email from TechCrunch on Wednesday. It was not immediately clear who heads Mailchimp’s cybersecurity after its Chief Information Security Officer, Siobhan Smyth, resigned shortly after the data breach in August.