For the second time in less than a year, Mailchimp has found itself in a precarious situation, having to admit that it has been breached. It appears that a social engineering attack tricked Mailchimp employees and contractors into giving up their login credentials, which were then used to access 133 Mailchimp accounts.
This news has left WooCommerce, makers of a popular WordPress plugin, and other Mailchimp users feeling disgruntled, as their customers' personal information, such as name, store URL, address and email address, was exposed and could be used in phishing attacks.
This is not the first time Mailchimp has been compromised either; in March 2022, an attacker gained access to a tool used by its customer support team, viewed 300 client accounts and stole the subscriber data from 102 of them.
This time, the attacker used social engineering to dupe Mailchimp workers into handing over their login credentials.
Mailchimp's swift response may have been commendable, but being hit by the same tactic twice is a worrying sign, especially since a service like Mailchimp is already whitelisted in many organisations; malicious emails sent via Mailchimp therefore stand a good chance of reaching users' inboxes.
The incident has also raised questions about Mailchimp's security practices. It is clear that Mailchimp needs to take a hard look at its security strategy and make sure that its employees and contractors are well-trained in spotting and avoiding social engineering attacks.
It is also important to note that Mailchimp is not the only company that has been targeted by social engineering attacks. In fact, this type of attack is becoming increasingly common, as attackers use it to gain access to sensitive information.
The good news is that there are steps you can take to protect yourself from social engineering attacks. First and foremost, you should make sure that your employees and contractors get security awareness training so they can spot and avoid social engineering attacks. You should also make sure that your systems are up to date and that you have strong passwords in place. Finally, you should be aware of the latest phishing scams and be vigilant when it comes to emails and other communications.
Mailchimp's breach is a reminder that no company is immune to an attack. It is important to stay vigilant and take the necessary steps to protect yourself and your customers. Social engineering attacks are becoming increasingly common, and it is up to us to make sure that we are prepared.