Email marketing and newsletter giant Mailchimp says it has been hacked, exposing data belonging to dozens of its customers. It is the second time in the past six months that the company has been breached, and this incident appears to be almost identical to the previous one.
Mailchimp said in an unattributed blog post that on Jan. 11 its security team detected an intruder accessing one of the internal tools used by Mailchimp’s customer support and account administration staff, though the company did not say how long the intruder had been in its systems, if it knows. Mailchimp said the hacker targeted its employees and contractors with a social engineering attack, in which someone uses manipulation techniques via phone, email or text to obtain private information, such as passwords. The hacker then used those compromised employee credentials to access data on 133 Mailchimp accounts; the company says it has notified the affected account holders of the breach.
One of the targeted accounts belongs to e-commerce giant WooCommerce. In a message to customers, WooCommerce said it was notified by Mailchimp a day later that the breach may have exposed its customers’ names, store web addresses and email addresses, though it said no customer passwords or other sensitive data had been captured.
WooCommerce, which builds and maintains popular open-source e-commerce tools for small businesses, relies on Mailchimp to send emails to its customers. WooCommerce is said to have more than five million customers.
If this all sounds vaguely familiar, that’s because it is. Last August, Mailchimp said it was the victim of a social engineering attack that compromised the credentials of its customer support staff, giving the intruder access to Mailchimp’s internal tools. In that breach, data on some 214 Mailchimp accounts was compromised, primarily from cryptocurrency and financial-related accounts. Cloud giant DigitalOcean confirmed that its account had been compromised during the incident and criticized Mailchimp’s handling of the breach.
At the time, Mailchimp said it had implemented “an additional set of enhanced security measures,” but declined to tell TechCrunch what those measures entailed. Given that this breach is an almost identical replay of the earlier one, it’s not clear whether Mailchimp ever fully implemented those measures, or whether they were implemented and failed.
Intuit, which bought Mailchimp for $12 billion in 2021, did not respond to an email from TechCrunch on Wednesday asking questions about the incident. It’s not immediately clear who, if anyone, is responsible for cybersecurity at Mailchimp following the departure of chief information security officer Siobhan Smyth shortly after the August breach.