Hacked MailChimp accounts used to send malicious emails to subscribers

Cyber criminals have hacked into MailChimp accounts to send out emails containing malicious links, according to reports.

Motherboard reported that the attackers sent out fake invoices to their victims' subscribers. The 'View Invoice' button in the emails led to a .zip file containing malware.

Organisations whose accounts were hacked to send out the messages reportedly include Business News Australia and the Sit Down Comedy Club in Brisbane, Australia.

Both have advised recipients of the fake invoice to delete the email.

Security experts say the incident does not suggest that MailChimp itself has been breached. Instead, they suggest the attackers got hold of users' passwords elsewhere.

"Here's how it happened," tweeted Troy Hunt, creator of HaveIBeenPwned. "Someone had a crap password or got phished. MailChimp didn't get hacked - I'll put money on it!"

MailChimp said it had disabled the affected accounts to stop the emails.

"Early this morning MailChimp’s normal compliance processes identified and disabled a small number of individual accounts sending fake invoices," it told Motherboard.

"We have investigated the situation and have found no evidence that MailChimp has been breached. The affected accounts have been disabled, and fraudulent activity has stopped."

It is unclear how the attackers gained access to the MailChimp accounts, but it could be the latest example of why it is bad practice to reuse passwords across the internet.

Earlier this week, the BBC’s Watchdog programme revealed that cyber criminals had accessed Deliveroo accounts and ordered food with their victims’ payment cards.

Again, the firm said it had not been breached. Rather, it believed its customers’ passwords had been compromised – perhaps as a result of one of the recent mega breaches.

“We are aware of these cases raised by Watchdog – they involve stolen food, not credit card numbers,” it said. “These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach.

“The stolen password is then used to fraudulently access someone’s account.”