Mailchimp parent hit with lawsuit over cybersecurity ‘negligence’
A Mailchimp breach led to a phishing attack against Trezor users
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Intuit, the parent company of Mailchimp, is facing a lawsuit after a recentcybersecurityincident led to the theft of cryptocurrencies from a Trezor user.
For the uninitiated, Mailchimp is one of the largestemail marketingplatforms, and Trezor is one of the world’s most popular hardware wallets for storing cryptocurrencies.
The Registerrecently spotted a lawsuit filed to a federal court in northern California, in which one Alan Levinson of Illinois claims to have fallen victim to a sophisticated phishing attack that resulted in the theft of tokens stored on his Trezor wallet.
While he personally claims to have lost $87,000, he also claims that he’s probably not the only one to be tricked, and that the real damage is probably in the millions.
Share your thoughts on Cybersecurity and get a free copy of the Hacker’s Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at theend of this surveyto get the bookazine, worth $10.99/£10.99.
Trezor users under attack
In early April, we reported on adata breach at Mailchimp, which saw attackers get away with more than a hundredemailmailing lists. The mailing lists were later used to target people with phishing attacks, in an attempt to steal their money and cryptocurrency holdings.
They also accessed API keys (now defunct) from an unknown number of customers. With the keys, the attackers could create custom email campaigns and send them to mailing lists without accessing the Mailchimp customer portal.
One of the companies whose customers were targeted with a phishing attack was Trezor. Soon after the breach, Trezor customers started getting an email that stated that the company had suffered a data breach, and invited users to download a program to help them reset the PINs on theirendpoints.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
The program disguised amalwarestrain that allowed attackers to steal the contents of the wallet.
MailChimp breach exposes hundreds of customer accounts>Crypto wallet data breach compromises hundreds of thousands of users>Cybercriminals have abused API keys to steal millions in crypto
The lawsuit claims the poor standards of security at Intuit and Rocket Science Group (a subsidiary that manages Mailchimp) made such an attack possible.
“The hackers were able to access the Trezor email list (and likely other insensitive information) through MailChimp and/or Intuit employee accounts,” the lawsuit states.
“Indeed, defendants confirmed that hackers used an internal employee tool to steal data from more than 100 of their clients — with the data being used to mount phishing attacks on the users of cryptocurrency services.”
The lawsuit alleges Intuit “willfully, recklessly, or negligently” failed to protect its customer data, and was too slow to notify its customers of the breach.
Levinson now asks for actual and punitive damages to be compensated, as well as legal fees. He also wants three years ofcredit monitoringpaid for him, as well.
ViaThe Register
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Dangerous Android banking malware looks to trick victims with fake money transfers
Sophos Firewall hack on government network used an all-new custom malware
Don’t wait until Black Friday, this year’s best Nintendo Switch bundles are on sale now
