Cyber Incident Victim: Mailchimp
Date: Mar 2022
Location: United States of America
Summary
Hackers compromised an email marketing firm's internal customer support and account management tools through a social engineering attack that stole employee credentials, enabling unauthorized access to 319 accounts and data exports from 102 customers. The threat actors targeted cryptocurrency clients, using stolen audience data and compromised API keys to launch phishing campaigns impersonating a hardware wallet provider, attempting to steal cryptocurrency via malicious software downloads. The company disabled affected API keys, notified impacted customers, and recommended enabling two-factor authentication, with the attack methodology resembling previous breaches attributed to known cybercriminal groups.
Description
In late March 2022, hackers compromised Mailchimp’s internal systems through a social engineering campaign targeting employees. The attackers stole employee credentials, granting access to customer support and account administration tools. On April 3, 2022, Mailchimp publicly disclosed the breach after cryptocurrency hardware wallet provider Trezor reported phishing emails sent to its customers. These fraudulent messages, appearing to originate from Trezor via Mailchimp’s platform, falsely claimed a data breach and urged recipients to download malicious software under the guise of resetting their wallet PINs. The malware was designed to steal cryptocurrency from affected users. Trezor confirmed the phishing campaign stemmed from Mailchimp’s compromised infrastructure, prompting Mailchimp’s investigation and subsequent acknowledgment of a broader intrusion beyond Trezor’s account.

The attackers exported data from 102 Mailchimp customer accounts and accessed 319 accounts in total. Compromised information included audience data and API keys, which threat actors exploited to launch additional phishing campaigns against contacts in the stolen datasets. Mailchimp disabled the exposed API keys to prevent further misuse. The company notified all impacted customers and recommended enabling two-factor authentication to secure accounts. The breach methodology—social engineering leading to credential theft and lateral movement within internal tools—mirrored tactics previously associated with the Lapsus$ extortion group, known for targeting technology firms like Nvidia and Okta. Mailchimp expressed regret for the incident but emphasized existing security measures without specifying additional remediation steps. The event underscored vulnerabilities in third-party email marketing platforms and the persistent risk of social engineering in compromising business-critical systems.
