Cyber Incident Victim: Mailchimp

Date: Jan 2023

Location: United States of America

Summary

Mailchimp suffered a security breach in which an unauthorized actor gained access to an internal customer support and account administration tool using employee credentials obtained through a social engineering attack, exposing data from 133 customer accounts. The stolen data included customer names, email addresses, and store URLs; the e-commerce platform WooCommerce was among the affected account holders. The intrusion was nearly identical to one six months earlier that compromised 214 accounts, mostly in the cryptocurrency and finance sectors, despite Mailchimp's statements after that incident that it had strengthened its security. In both cases the initial access vector was the same: social engineering of staff with access to support tooling rather than a technical exploit. The company suspended the affected accounts, notified their primary contacts within 24 hours, and began account recovery support while its investigation continued.

Description

On January 11, 2023, Mailchimp's security team detected an unauthorized actor accessing one of its internal customer support and account administration tools. The intrusion began with a social engineering attack against Mailchimp employees and contractors, in which the attacker manipulated individuals into handing over their credentials. Those credentials gave the attacker access to data from 133 Mailchimp customer accounts. Mailchimp did not disclose how long the intruder had been in its systems before detection. Among the affected accounts was WooCommerce, a major e-commerce platform with over five million customers, which notified its users that the exposed data consisted of customer names, store web addresses, and email addresses; WooCommerce confirmed that no passwords or other sensitive data were accessed. This was Mailchimp's second major breach within six months. In August 2022, social engineering had likewise compromised customer support credentials, giving an attacker unauthorized access to 214 accounts, primarily in the cryptocurrency and finance sectors. Cloud provider DigitalOcean, one of the customers affected in that earlier incident, publicly criticized Mailchimp's handling of it.

On detecting the suspicious activity, Mailchimp responded by temporarily suspending access to all affected accounts. The primary contacts for the 133 compromised accounts were notified on January 12, within 24 hours of discovery, and then received a second communication describing the steps needed to safely restore account access. The company said it was providing ongoing direct support to impacted users and that it had found no evidence of compromise of parent company Intuit's systems or of customer data beyond the targeted accounts. Mailchimp's January 13 public statement apologized for the incident but did not say whether the security enhancements introduced after the August breach had failed or had simply not covered this attack path. The departure of Chief Information Security Officer Siobhan Smyth shortly after the earlier breach left it unclear who was leading Mailchimp's security function at the time of the January incident. The investigation continued after the breach, with Mailchimp committing to provide updates to affected account holders.
