Hackers were targeting customers of a total 102 users, including hardware cryptocurrency wallet Trezor by using internal tools from Mailchimp as reported by The Verge. Trezor users were sent emails over the weekend regarding a data breach affecting their accounts. It purported to include a link to an updated version of Trezor Suite, along with instructions for setting up a new pin – when, in reality, it was a phishing site meant to capture the contents of their electronic wallets.
According to a tweet from Trezor on Sunday, the emails were a result of a sophisticated phishing campaign targeting MailChimp’s newsletter database. “Mailchimp security revealed that an attacker accessed an internal tool used by customer-facing teams for customer support and account management,” Trezor wrote on its blog. “This tool was accessed by a bad actor through a successful social engineering attack against Mailchimp employees.”
By tricking MailChimp’s customer support team into handing over login credentials, the hackers used the company’s own internal tools to send out the emails. According to the company’s blog post, the Trezor attack was planned to an “extreme degree of detail.” Nevertheless, Trezor users needed to download the fake app and provide their wallet credentials for the attack to succeed. It’s unlikely many made it to that point, as Trezor points out in its post, as most operating systems would have notified the user when software from an unknown source is being downloaded.
MailChimp was first made aware of the breach on March 26th, according to a statement made by its chief information officer Siobhan Smith to The Verge . Hackers were able to obtain audience data from 102 different MailChimp clients, meaning Trezor is not the only company likely impacted. On Twitter, Decentraland, the browser-based metaverse platform, confirmed that its newsletter had been hacked.
During the next few days, we’ll likely learn what other companies were involved in the MailChimp hack. All of MailChimp’s clients have already been notified.