Email marketing and newsletter giant Mailchimp says it was hacked and that dozens of customers' data were exposed. It's the second time the company has been hacked in the past six months. Worse, this breach appears to be almost identical to the previous incident.

History

The company said in an unattributed blog post that its security team detected an intruder on January 11 accessing one of its internal tools used by Mailchimp customer support and account administration, though the company did not say for how long the intruder was in its systems, if it knows. Mailchimp said the hacker targeted its employees and contractors with a social engineering attack, in which someone uses manipulation techniques by phone, email or text to obtain private information such as passwords.

This was the second successful attack on the company in six months. Two of the accounts targeted in these attacks belonged to the e-commerce platform WooCommerce and to the cloud services company DigitalOcean.

WooCommerce issued a statement saying that non-sensitive information such as its users' names, websites and email addresses may have been exposed, but assured users that no sensitive information such as passwords or other data had been leaked.

For the first attack, DigitalOcean's head of security, Tyler Healy, published a post assuring that the very small number of accounts whose details were leaked had been secured and that the affected users had been informed. Finally, as an additional security measure, enabling two-factor authentication (2FA) was recommended for all customer accounts.

Prevention

The ecosystem of online services is fragile: a problem anywhere in its chains of trust can have significant effects on everyone.

However, since these types of attacks have become very common, we should be careful in our actions on the Internet. They aim at human error, which is why technical means alone are considered insufficient to deal with them, even in giant companies. Still, there are some principles we can follow to protect ourselves from such malicious actions.

  1. Take great care with the emails we receive. Even if a message seems to come from a known sender, it is best not to follow the links it contains but to navigate to the site we want ourselves. We should also always check the browser's address bar: first for the well-known padlock that all browsers show next to the address, indicating that the connection is secured (encrypted), and above all, with great care, that the address itself is spelled correctly and that we are not connected to a malicious site impersonating another.
  2. Enable multi-factor authentication (2FA) wherever possible. Since using 2FA may seem laborious to most people, it is recommended at least for our key systems, such as the email accounts we use to manage our other accounts (registrations, password changes, etc.); it also ensures that an unintended action by the user cannot be completed on its own.
  3. Finally, use strong passwords to log in to applications. Because the average user must remember many different passwords, we tend to reuse them or use the same one on multiple systems, with dire consequences in case of a leak. The solution is to use a password manager.
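The address-bar checks from the first tip, written out as code. This is an added example, not part of the original article: it tests a link for HTTPS (the padlock) and for a host that impersonates a trusted site, either by hiding the real name in a left-hand label or by a look-alike spelling. The trusted-host list and the sample URLs are constructed for the example, and the two-label registrable-domain rule is a simplification (real code needs the public-suffix list for domains such as .co.uk).

```python
"""Address-bar checks from tip 1 as code (added example, not from the article)."""
import difflib
from urllib.parse import urlsplit

# Constructed allowlist: the sites the user actually intends to visit.
TRUSTED_HOSTS = {"mailchimp.com", "login.mailchimp.com",
                 "woocommerce.com", "digitalocean.com"}


def registrable(host):
    """Crude registrable domain: the last two labels of the host.
    Real code should consult the public-suffix list (e.g. for .co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url, trusted=frozenset(TRUSTED_HOSTS)):
    """Return (verdict, reason) for a link the user is about to follow.

    verdict is "ok", "reject" or "unknown"; reason says which check decided."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # The "padlock" check: anything that is not HTTPS is not encrypted.
    if parts.scheme != "https" or not host:
        return "reject", "no padlock: the connection is not HTTPS"
    trusted_domains = {registrable(t) for t in trusted}
    if registrable(host) in trusted_domains:
        # The domain owner controls its subdomains, so login.mailchimp.com is fine.
        return "ok", f"{host} belongs to trusted domain {registrable(host)}"
    # Trusted name used as a left-hand label: mailchimp.com.account-verify.example
    for domain in trusted_domains:
        if domain in host:
            return "reject", f"'{domain}' is embedded in the unrelated host {host}"
    # Look-alike spelling (mailchirnp.com): very close to a trusted name, not equal.
    lookalike = difflib.get_close_matches(registrable(host), trusted_domains,
                                          n=1, cutoff=0.8)
    if lookalike:
        return "reject", f"{registrable(host)} looks like {lookalike[0]} but is not it"
    return "unknown", f"{host} is not related to any trusted site"


if __name__ == "__main__":
    # Constructed sample links, one per branch of the checker.
    for link in ("https://login.mailchimp.com/", "http://mailchimp.com/",
                 "https://mailchimp.com.account-verify.example/login",
                 "https://mailchirnp.com/", "https://example.org/"):
        print(link, "->", check_link(link))
```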