Mailchimp Phishing Attack Results in Potential Hit on 100K Trezor Crypto Wallets
Stolen client data from Mailchimp put customers of the cryptocurrency hardware wallets on notice of potential social engineering attacks claiming to be Trezor.
This week, email marketing company Mailchimp announced a data breach on March 26 after it discovered a threat actor using compromised credentials to gain access to the company’s internal customer support tools. In total, audience data was stolen from 102 customers in the finance and cryptocurrency sectors – likely to be used to phish the customers of those 102 companies.
Over the weekend, crypto hardware wallet maker Trezor emailed its customers informing them of the compromise and provided instructions to customers to update their Trezor Suite:
“Trezor has experienced a security incident involving data belonging to 106.856 of our customers, […] If you’re receiving this e-mail, it’s because you’ve been affected by the breach. In order to protect your assets, please download the latest version of Trezor Suite and follow the instructions to set up a new PIN for your wallet.”
Trezor also posted tweets about their data being compromised on April 3rd, warning customers that they would not be communicating via email to the time-being until the situation is resolved.
We will not be communicating by newsletter until the situation is resolved.
Do not open any emails appearing to come from Trezor until further notice. Please ensure you are using anonymous email addresses for bitcoin-related activity. 2/— Trezor (@Trezor) April 3, 2022
The initial Mailchimp compromise began as a phishing attack. According to their statement about the attack, “The incident was propagated by a bad actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised.”
This attack is an unfortunate example of the potential ripple effect a single phish can have. While Trezor customers appear to have remained unscathed, you can see how a one user falling for a phishing attack could have impacted thousands of individuals and businesses. It’s why we’re so passionate about Security Awareness Training – by training users to be vigilant at all times when interacting with emails, the risk of falling for social engineering tactics employed within a phishing attack is much lower, resulting in an equally lowered success rate for the initial attack itself.
Free Phishing Security Test
Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.
Here’s how it works:
- Immediately start your test for up to 100 users (no need to talk to anyone)
- Select from 20+ languages and customize the phishing test template based on your environment
- Choose the landing page your users see after they click
- Show users which red flags they missed, or a 404 page
- Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
- See how your organization compares to others in your industry
PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/phishing-security-test-partner?partnerid=001a000001lWEoJAAW