Cyber Incident Victim: Klaviyo
Date: Aug 2022
Location: United States of America
Summary
Email marketing firm Klaviyo was breached when attackers obtained an employee's credentials through phishing and used them to reach internal customer support tools. The threat actors focused on cryptocurrency-related client accounts, exfiltrating marketing lists containing names, email addresses, phone numbers, and custom profile properties from 38 customers, along with two internal Klaviyo lists used for company updates. Law enforcement was notified and a third-party cybersecurity firm assisted the investigation. Because the stolen lists identify the contacts of specific cryptocurrency businesses, the data lends itself to targeted phishing and smishing campaigns, and threat actors were already seeking to acquire it for that purpose. The incident mirrors earlier attacks on cryptocurrency users that followed similar data exposures.
Description
On August 3, 2022, email marketing firm Klaviyo suffered a data breach when threat actors stole an employee's login credentials through a phishing attack. The stolen credentials gave the attackers access to the employee's account and, through it, to internal customer support tools. They used those tools to search for cryptocurrency-related accounts and viewed list and segment information for 44 Klaviyo accounts. For 38 of these accounts, they downloaded marketing lists or segments containing customer names, email addresses, phone numbers, and account-specific custom profile properties. The attackers also exfiltrated two internal Klaviyo lists used for product and marketing updates, which included names, addresses, email addresses, and phone numbers. Klaviyo described the impact as confined to these exports, with no evidence of compromise beyond the support tools reached with the stolen credentials. Klaviyo detected the intrusion and opened an investigation, though the exact timeline of detection relative to the August 3 breach date was not disclosed in available sources.

Klaviyo notified law enforcement and engaged a third-party cybersecurity firm to investigate the incident. The company warned affected customers, contacts, and employees to expect targeted phishing or smishing campaigns built on the stolen data, and advised them to treat password reset requests, solicitations for payment information, and emails from unfamiliar domains with suspicion. Threat actors were observed attempting to acquire the stolen data shortly after the breach, indicating an intent to weaponize it quickly. Klaviyo also reported counterfeit websites imitating its layout in order to harvest login credentials, and anticipated a surge in phishing activity. The breach's primary impact fell on cryptocurrency-sector clients and Klaviyo's internal marketing lists, with the compromised data exposing the people listed to impersonation and credential-harvesting attacks. Historical parallels were noted, including the 2020 Ledger breach, in which stolen customer data fueled prolonged phishing campaigns against cryptocurrency users. No financial loss or system disruption beyond the data theft was reported, and Klaviyo's public advisories focused on mitigating secondary attacks rather than detailing internal remediation steps.
