MailChimp Breached by Scammers Targeting Trezor Wallet Users
Over the past weekend, owners of Trezor hardware wallets received fake messages claiming that the company had been compromised and that user data had been leaked. These emails informed users that supposedly 106,856 customers were affected by the data breach. Recipients were urged to download a fake version of Trezor Suite (which would steal their recovery seed phrases) and set a new PIN on their hardware wallet.
At first glance, the site offered for downloading Trezor Suite looked almost legitimate (suite.trezor.com), but on closer inspection the attackers had used Punycode to mimic the trezor.com domain: the actual address was suite.xn--trzor-o51b[.]com. It is also worth noting that the official Trezor website is trezor.io, not trezor.com.
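The Punycode trick above is easy to miss by eye but simple to catch in code. The following is an added example (not from the article, and not Trezor's or MailChimp's own tooling) showing how a mail gateway or URL-scanning step might flag such a hostname: it decodes any `xn--` label back to Unicode, reduces accented characters to their base letters, and compares the result against a brand name and an allowlist of official domains. The allowlist containing only trezor.io, the brand list, and the approximation of the registrable domain as the last two labels (no public-suffix list) are assumptions made for the example.

```python
import unicodedata

# Constructed allowlist: the only official domain the article names is trezor.io.
OFFICIAL_DOMAINS = {"trezor.io"}
# Brand names we want to protect against lookalike labels (constructed for the example).
BRAND_NAMES = {"trezor"}


def decode_label(label: str) -> str:
    """Decode one DNS label. Labels starting with 'xn--' carry Punycode (RFC 3492)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(text: str) -> str:
    """Reduce a label to a comparison form: NFKD-decompose, drop combining marks
    (so the dotted 'e' in the lookalike becomes a plain 'e'), then lowercase.
    This catches diacritic homographs; it is not a full Unicode confusables table."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def analyse(hostname: str) -> dict:
    """Classify a hostname relative to the brand list and the official-domain allowlist.
    Accepts defanged input such as 'suite.xn--trzor-o51b[.]com'."""
    host = hostname.replace("[.]", ".").rstrip(".").lower()
    labels = [decode_label(label) for label in host.split(".")]
    unicode_host = ".".join(labels)
    # Registrable domain approximated as the last two labels (assumption: no public-suffix list).
    registrable = ".".join(labels[-2:])
    has_idn = any(not label.isascii() for label in labels)
    # Any label whose de-accented form equals a protected brand counts as a brand hit.
    brand_hits = {brand for label in labels for brand in BRAND_NAMES if skeleton(label) == brand}
    is_official = registrable in OFFICIAL_DOMAINS or any(
        unicode_host.endswith("." + official) for official in OFFICIAL_DOMAINS
    )
    return {
        "input": hostname,
        "unicode_host": unicode_host,   # what the user would see in a browser that renders IDNs
        "idn": has_idn,
        "brand_hits": brand_hits,
        "official": is_official,
        "suspicious": bool(brand_hits) and not is_official,
    }


if __name__ == "__main__":
    # Constructed sample set: the phishing host from the article, the host as it appeared
    # to victims, the real site, and an unrelated domain.
    for candidate in ("suite.xn--trzor-o51b[.]com", "suite.trezor.com", "trezor.io", "example.com"):
        print(analyse(candidate))
```

Running it shows the decoded lookalike as `suite.trẹzor.com` (an "e" with a dot below, U+1EB9) and marks both the Punycode host and the plain `suite.trezor.com` as suspicious, since neither sits under the official domain. In a real gateway the allowlist and brand list would be loaded from configuration and the registrable-domain step replaced by a public-suffix lookup.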
Soon after, Trezor developers reported that this phishing attack occurred due to a compromise at MailChimp.
Details of the MailChimp Compromise
According to Bleeping Computer, the breach was not limited to just Trezor’s account. MailChimp stated that several of their employees fell victim to social engineering, which led to their credentials being stolen.
“On March 26, our security team became aware that an unauthorized actor gained access to one of our internal tools used by customer-facing teams for account support and administration,” said Siobhan Smyth, MailChimp’s Director of Security. “The incident was caused by an external actor who successfully conducted a social engineering attack on MailChimp employees, resulting in compromised employee credentials. We quickly addressed the situation by terminating access to the compromised employee accounts and took steps to prevent further impact on other employees.”
The stolen credentials were ultimately used to access 319 MailChimp accounts and to export “audience data” (most likely mailing lists) from 102 customer accounts. The attackers also obtained API keys for an unknown number of customers; those keys have since been disabled and can no longer be used.
Smyth stated that all affected account owners have already been notified, and that the attackers primarily targeted customers in the cryptocurrency and financial sectors. MailChimp is aware that this access has already been used to conduct phishing campaigns, but further details about the attacks have not been disclosed.
MailChimp representatives apologized for the incident and recommended that all customers enable two-factor authentication on their accounts for added security.