Email marketing and newsletter giant Mailchimp says it was hacked and that dozens of customers’ data was exposed. It’s the second time the company was hacked in the past six months. Worse, this breach appears to be almost identical to a previous incident.
Mailchimp said in an unattributed blog post that its security team detected an intruder on January 11 accessing one of its internal tools used by Mailchimp customer support and account administration, though the company did not say for how long the intruder was in its systems, if known. Mailchimp said the hacker targeted its employees and contractors with a social engineering attack, in which someone uses manipulation techniques by phone, email or text to gain private information, like passwords. The hacker then used those compromised employee passwords to gain access to data on 133 Mailchimp accounts, which the company notified of the intrusion.
One of those targeted accounts belongs to e-commerce giant WooCommerce. In a note to customers, WooCommerce said it was notified by Mailchimp a day later that the breach may have exposed the names, store web addresses and email addresses of its customers, though it said no customer passwords or other sensitive data was taken.
WooCommerce, which builds and maintains popular open-source e-commerce tools for small businesses relies on Mailchimp for sending emails to its customers. WooCommerce is said to have more than five million customers.
If all of this sounds vaguely familiar, it’s because it is. Last August, Mailchimp said it was the victim of a social engineering attack that compromised credentials of its customer support staff, granting the intruder access to Mailchimp’s internal tools. In that breach, data on some 214 Mailchimp accounts were compromised, mostly of cryptocurrency and finance-related accounts. Cloud giant DigitalOcean confirmed that its account was compromised in the incident, and harshly criticized Mailchimp’s handling of the breach.
Mailchimp said at the time that it had implemented “an additional set of enhanced security measures,” but declined to tell TechCrunch what those measures entailed. With a near-identical repeat of its past breach, it’s not clear if Mailchimp properly implemented those enhanced measures, or if those measures failed.
Intuit, which bought Mailchimp for $12 billion in 2021, did not respond to an email by TechCrunch on Wednesday, which included questions about the incident. It’s not immediately clear who, if anyone, is responsible for cybersecurity at Mailchimp following the departure of its chief information security officer Siobhan Smyth shortly after the August breach.