Intuit is being sued for alleged thefts of cryptocurrency from one or more digital wallets following a security breach at its Mailchimp email marketing business.
The plaintiff – Alan Levinson of Illinois – claimed he and possibly others were victims of a sophisticated phishing attack in which their Trezor cryptocurrency wallets were unlawfully accessed and their funds stolen. The complaint was filed in federal court in northern California on Friday.
On 26 March, someone earlier stole details of Trezor’s mailing-list subscribers from Mailchimp and used this information to send an email meant to trick users into installing malware designed to hijack their digital wallets. According to Levinson, millions of dollars in crypto-coins have been stolen in this attack, including $87,000 from his own wallet.
Intuit and Rocket Science Group LLC, which operates Mailchimp, are being sued, but not Trezor. Intuit is accused of “failing to take adequate and reasonable measures to ensure that its data systems were protected” for Trezor account holders.
“Defendants fell victim to one of the oldest cybertricks in the book,” Levinson claims in the lawsuit.
“The incident was propagated by a bad actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised,” she wrote.
According to Mailchimp, an internal investigation revealed 319 Mailchimp accounts had been accessed and “audience data was exported from 102 of those accounts,” Smyth wrote. “Our findings show that this was a targeted incident focused on users in industries related to cryptocurrency and finance.”
Phishing attacks continue to be a “serious problem” for companies in all industries since attackers use them as their primary strategy to steal “legitimate credentials and gain access to cloud infrastructure and customer data,” Hank Schless, senior manager, security solutions at Lookout, a San Francisco-based security service edge provider, told TheStreet.
He said hackers are now looking for more discreet ways to steal data instead of obvious hacks.
Many cryptocurrency companies and wallets are hacked due to their young age and possible lack of advanced security practices, Schless explained.
“From the consumer side, there seems to be a new coin or exchange being released every day, so they might operate with less caution in hopes of getting in on the next big thing in crypto,” he said. “Attackers use this against them to trick them with phishing campaigns.”
Crypto is popular among hackers because stealing and hiding funds is easy.
Levinson wants Intuit to pay for at least three years of credit monitoring for the victims as well as actual and punitive damages and legal fees.