We’ve now completed our investigation into the recent unauthorised access of our Mailchimp account, so I wanted to give you an update on what we found, and what we’re doing to make things more secure.
Just in case you missed it, here’s a link to my first email last week explaining what happened: https://mailchi.mp/masterofmalt.com/potential-data-breach/
If you received an email from us with a link to this page at the top asking you to click through for an update on this, then I’m afraid I can now confirm that your email address was indeed one of those affected.
Here’s what happened…
On the evening of Tuesday 26 February, we were the victim of a very well-crafted phishing attack, specifically targeting Mailchimp customers.
The campaign was designed to effectively spoof a Mailchimp email and logon screen, and the email linked to a domain which was visually almost identical to Mailchimp’s. Here’s what it looked like:
One of our people clicked the ‘Update Billing Information’ link and logged in to what they thought was the real Mailchimp site to check our billing details and update them. They had in fact been directed to an identical-looking spoof site.
Once they had logged on, the attacker had the login details for our account and immediately used them to gain access to the account.
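The core of this attack is a link whose host looks like the real service but is not. As an added example (not part of the original notice, and not Mailchimp’s or Master of Malt’s code), the check below classifies a link before anyone signs in: it decodes punycode, strips the URL down to the registrable domain, folds visually confusable characters (rn for m, a dotless i for i, and so on) to the ASCII they imitate, and then compares against a list of domains the organisation actually uses. The trusted-domain list, the confusable table, the short public-suffix set and the sample URLs are all constructed for the example; the page does not name the domain used in the real attack.

```python
import unicodedata
from urllib.parse import urlsplit

# Domains this organisation legitimately uses (constructed list for the example).
TRUSTED_DOMAINS = {"mailchimp.com", "mailchi.mp", "masterofmalt.com"}

# Character sequences that imitate another letter in lookalike domains.
# Applied in order, so the multi-character entries come first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"),
               ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]

# Public suffixes made of two labels. A real deployment would load the full
# public suffix list; this short constructed set is enough for the example.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}


def decode_host(host):
    """Turn punycode labels (xn--...) back into Unicode; leave other hosts unchanged."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def registrable_domain(host):
    """Part of the hostname its owner registered: 'a.b.example.com' -> 'example.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def skeleton(name):
    """Fold a name to the ASCII it visually imitates: strip accents, then map confusables."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    for lookalike, plain in CONFUSABLES:
        ascii_name = ascii_name.replace(lookalike, plain)
    return ascii_name


def edit_distance(a, b):
    """Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute ca -> cb
        prev = cur
    return prev[-1]


def classify_link(url, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Classify a URL's host as trusted, lookalike, brand-in-host or unknown.

    Returns (verdict, matched_trusted_domain_or_None).
    """
    host = decode_host(urlsplit(url).hostname or "")
    domain = registrable_domain(host)
    if domain in trusted:
        return ("trusted", domain)

    # Typosquats and homoglyphs: the registrable domain is a few edits away
    # from a trusted one once both are reduced to their ASCII skeleton.
    best = None
    for t in sorted(trusted):
        dist = edit_distance(skeleton(domain), skeleton(t))
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, t)
    if best is not None:
        return ("lookalike", best[1])

    # Brand stuffing: the trusted name appears inside an unrelated host, e.g.
    # mailchimp-billing.com or mailchimp.com.evil.example. Longest brand wins.
    for t in sorted(trusted, key=lambda t: -len(t.split(".")[0])):
        if t.split(".")[0] in skeleton(host):
            return ("brand-in-host", t)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample links; none of these is the domain used in the real attack.
    for link in ["https://login.mailchimp.com/account/billing",
                 "https://mailchirnp.com/login",
                 "https://maılchimp.com/login",
                 "https://mailchimp-billing.com/login",
                 "https://mailchimp.com.evil.example/login",
                 "https://example.org/"]:
        print(link, "->", classify_link(link))
```

Anything other than a "trusted" verdict is a reason to stop and type the address in by hand rather than follow the link; note that the check deliberately looks at the registrable domain, so a subdomain of a trusted domain passes while a trusted name used as a subdomain of someone else’s domain does not.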
We became aware of the breach on Wednesday night when two independent teams detected suspicious activity on the account. We saw a much higher than usual volume of emails coming into our ‘bounceback’ email address, as well as a higher than normal send rate on Mailchimp. We also had one customer contact us to say they had received a suspicious email to an address they had only used with us previously.
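Two of the three signals above, an unusual volume of bounces and an unusual send rate, can be alerted on automatically rather than noticed by eye. As an added example (not part of the original notice and not code from Master of Malt or Mailchimp), the detector below runs over constructed hourly counters of campaign sends and bounceback messages, keeps a rolling baseline using the median and median absolute deviation (MAD), and flags any hour that exceeds it. The counts, window size, multiplier and floors are all assumptions chosen for the example; the last two rows model an attacker blasting the list from a hijacked account.

```python
from statistics import median

# Constructed hourly counters: outbound campaign sends reported by the email
# provider, and inbound messages arriving at the bounceback mailbox.
# Not real Master of Malt data; the last two rows model the hijacked account.
HOURLY_COUNTS = [
    # (hour,        sends, bounces)
    ("Wed 08:00",      0,    1), ("Wed 09:00",  2500,   30), ("Wed 10:00",  3100,   41),
    ("Wed 11:00",   1800,   26), ("Wed 12:00",   600,   12), ("Wed 13:00",  2200,   28),
    ("Wed 14:00",   2700,   33), ("Wed 15:00",  1500,   19), ("Wed 16:00",   900,   15),
    ("Wed 17:00",    300,    9), ("Wed 18:00",     0,    4), ("Wed 19:00",     0,    2),
    ("Wed 20:00",  24000, 1850), ("Wed 21:00", 31000, 2600),
]

# Absolute minimum thresholds (assumed values), so that an hour with a handful
# of messages never alerts merely because the baseline hours were all zero.
FLOORS = {"sends": 500, "bounces": 20}


def robust_threshold(history, k, floor):
    """Median + k * MAD over the baseline window, never lower than `floor`.

    Median and MAD are used instead of mean and standard deviation so that an
    attack hour already inside the window does not drag the next hour's
    baseline up with it.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return max(med + k * mad, floor)


def flag_anomalies(counts, window=6, k=5, floors=FLOORS):
    """Return one alert per (hour, metric) whose value exceeds its rolling threshold."""
    alerts = []
    for i in range(window, len(counts)):          # first `window` rows are baseline only
        hour, sends, bounces = counts[i]
        baseline = counts[i - window:i]
        for metric, value, col in (("sends", sends, 1), ("bounces", bounces, 2)):
            threshold = robust_threshold([row[col] for row in baseline], k, floors[metric])
            if value > threshold:
                alerts.append({"hour": hour, "metric": metric,
                               "value": value, "threshold": threshold})
    return alerts


if __name__ == "__main__":
    for a in flag_anomalies(HOURLY_COUNTS):
        print(f"{a['hour']}: {a['metric']} = {a['value']} "
              f"exceeds threshold {a['threshold']:.0f}")
```

With the constructed data the 20:00 hour trips both the send and the bounce alert, and 21:00 trips them again even though the 20:00 spike is now inside the baseline window, which is the point of using the median rather than the mean. Either signal on its own is worth a page-out; both together, as here, say the account is sending something you did not schedule.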
We immediately contacted Mailchimp and suspended the account, preventing any further access or emails being sent, and we began our investigation.
Over the next 24 hours we conducted a thorough analysis of all our systems and logs to understand exactly what happened, how it happened, and who was affected. This confirmed that only our Mailchimp account had been accessed, and no other systems had been breached.
As the only personal information stored on Mailchimp was email addresses and names, we could be sure that nothing else whatsoever had been accessed. No passwords, no phone numbers, no delivery addresses and no payment details could possibly have been obtained through this attack.
By Thursday evening we understood enough to email everyone who could have been affected and let them know, and at the same time we notified the ICO (Information Commissioner’s Office) and gave them a full briefing on the situation.
Only a fraction of the email addresses held with Mailchimp were ever accessed, and we’ve now emailed everyone affected.
We don’t consider that there is any further risk of another Mailchimp breach. We are nonetheless going to move to another provider very soon, for a number of reasons, including the level of responsiveness Mailchimp provided during the incident, the level of granularity available in Mailchimp’s user permissions, and the fact that Mailchimp doesn’t allow access to the account to be locked down by IP address.
Although none of our internal systems were compromised, we’re now well into a programme of rolling out security improvements across the business, including:
– Ensuring that there are no accounts shared by more than one user
– Ensuring that each user account has the minimum privileges required for that person to do their job
– Removing accounts which aren’t absolutely required for people to do their jobs
– Requiring universal two-factor authentication, and moving away from services which don’t support it
– Implementing IP whitelisting for all services, and moving away from those that don’t support it
– More training to help our people identify potential phishing and social engineering attacks.
If you have any questions please drop us an email at [email protected] and we’ll do our best to answer them promptly. I’ll be updating this message with answers to common questions we receive.
Finally, I would like to take this opportunity to apologise unreservedly for what has happened, and for the inconvenience it has caused you. I am truly sorry.