Mailchimp data breach impact unravels as second customer reveals extent of damage


Numerous Mailchimp customers are now warning users that they might face increased risks of phishing attacks in the wake of a recent data breach.

Online gambling firm FanDuel became the latest Mailchimp client to advise customers of a potential wave of security risks in the wake of the incident.

Reports over the weekend revealed that the sports betting site issued a warning to users, urging them to “remain vigilant” of phishing emails.

“Recently, we were informed by a third-party technology vendor that sends transactional emails on behalf of its clients like FanDuel that they had experienced a security breach within their system that impacted several of their clients,” read an email distributed to users.

FanDuel added that the vendor in question had confirmed that customer names and email addresses were “acquired by an unauthorised actor”.

“No customer passwords, financial account information, or other personal information was acquired in this incident,” the email read.

“Remain vigilant against email ‘phishing’ attempts claiming an issue with your FanDuel account that requires providing personal or private information to resolve the problem,” the email added.

“FanDuel will never email customers directly and request personal information to resolve an issue.”

WooCommerce, a popular ecommerce plugin for WordPress, was among the first Mailchimp customers to begin warning users. In an advisory, the ecommerce platform confirmed that it was one of the clients affected by the breach.

“The breach may have resulted in some of the information you share with us, including your name, store URL, address, and email address, being exposed,” WooCommerce said in an email to customers.

“No payment data, passwords, or other sensitive security information, is part of this breach. Your store and customer data have not been impacted by this incident, nor have your wordpress.com or woocommerce.com accounts.”

What happened in the Mailchimp breach?

The US-based email marketing giant confirmed on 13 January that 133 customer accounts had been impacted by a breach that resulted from a social engineering attack on a Mailchimp employee.

Mailchimp said audience data, the contact lists its customers upload, was obtained in the breach; this includes customer names and email addresses. The company said at the time that no customer passwords or credit card information had been compromised in the attack.

“Based on our investigation to date, this targeted incident has been limited to 133 Mailchimp accounts,” the company said. “There is no evidence that this compromise affected Intuit systems or customer data beyond these Mailchimp accounts."


The incident marks the second breach at the all-in-one marketing platform in less than 12 months. In April last year, Mailchimp dealt with another security incident in which attackers gained access to its internal tools and used them to reach customer records.

In that incident, the attackers were able to view 319 Mailchimp customer accounts and exported audience data from 102 of them, a scale similar to the latest breach.

The immediate fears were the same in last year's incident: customers were likely to receive targeted phishing emails.

Domino effect of Mailchimp breach

While security incidents such as the Mailchimp breach do not directly compromise end-user accounts, there is a significant risk that exposed information such as email addresses and names creates a ‘domino effect’ of security risks further down the line.

Exposed information is commonly used by threat actors to target users with phishing attacks, or to trigger password resets in an attempt to take over accounts. This pattern has recurred repeatedly in recent years.
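The password-reset angle above is worth seeing concretely. The following is an added example written for this article, not code from Mailchimp, FanDuel, WooCommerce or DigitalOcean: a deliberately weak reset handler that lets anyone holding a leaked contact list confirm which addresses have accounts and issues a short, non-expiring code, next to a hardened version that returns the same response for every address, rate-limits requests per address, and issues a random single-use token that is stored hashed and expires. The user store, outbox and clock are constructed stand-ins for a database, a mail sender and wall-clock time.

```python
"""Weak vs hardened password-reset request handling (added example).

The account store, the 'outbox' that stands in for the mail sender and the
injectable clock are all constructed for illustration.
"""
import hashlib
import secrets
import time
from collections import defaultdict


def weak_reset_request(email, users, outbox):
    """Weak handler (constructed): unknown addresses get a different answer, so
    an attacker with a breached contact list can confirm which ones have
    accounts; the 6-digit code is guessable and never expires."""
    if email not in users:
        return {"status": 404, "body": "No account with that email"}
    code = f"{secrets.randbelow(10**6):06d}"
    users[email]["reset_code"] = code          # stored in clear, no expiry
    outbox.append((email, code))
    return {"status": 200, "body": "Reset code sent"}


# Uniform reply for the hardened handler: identical whether or not the
# address is registered, so nothing about account existence leaks.
GENERIC_REPLY = {"status": 200,
                 "body": "If that address has an account, a reset link is on its way"}


class ResetService:
    TOKEN_TTL = 900        # seconds a reset token stays valid
    MAX_REQUESTS = 3       # reset requests allowed per address per window
    WINDOW = 3600          # rate-limit window in seconds

    def __init__(self, users, clock=time.time):
        self.users = users
        self.clock = clock
        self.tokens = {}                   # sha256(token) -> (email, expires_at)
        self.requests = defaultdict(list)  # email -> timestamps of recent requests
        self.outbox = []                   # (email, token) pairs handed to mail

    def request_reset(self, email):
        now = self.clock()
        email = email.strip().lower()
        # Rate-limit per address first, and answer identically when throttled.
        recent = [t for t in self.requests[email] if now - t < self.WINDOW]
        self.requests[email] = recent
        if len(recent) >= self.MAX_REQUESTS:
            return dict(GENERIC_REPLY)
        recent.append(now)
        if email in self.users:
            token = secrets.token_urlsafe(32)                  # 256 bits of entropy
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.tokens[digest] = (email, now + self.TOKEN_TTL)  # only the hash is kept
            self.outbox.append((email, token))
        return dict(GENERIC_REPLY)            # same reply for unknown addresses

    def redeem(self, token, new_password):
        """Consume a token once; reject unknown or expired tokens."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)  # single use: removed on first try
        if entry is None:
            return False
        email, expires_at = entry
        if self.clock() > expires_at:
            return False
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        self.users[email]["password"] = (salt, pw_hash)
        # A real service would also invalidate existing sessions here.
        return True
```

The hardened handler still sends the reset link only to the address on file, which is why a leaked email address alone does not hand over the account; the attacker would also need the victim's mailbox. The remaining exposure is the phishing one the article describes: a convincing fake "reset" mail that asks the recipient to hand over credentials, which no uniform reply or rate limit can prevent.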

Among the victims of last year's Mailchimp breach was cloud computing provider DigitalOcean, which criticised the company’s handling of the incident and revealed that a “small number” of its customers experienced attempted compromise of their accounts through password resets.

More recently, a major data breach at telecoms provider T-Mobile prompted the company to issue an urgent warning that customers may face a wave of phishing attacks after email addresses and account information were leaked online.

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.