Companies affected by the recent Mailchimp data breach have started notifying customers. The list includes WooCommerce, FanDuel, Yuga Labs and the Solana Foundation.
Marketing automation platform Mailchimp revealed recently that its security team discovered unauthorized access to one of its tools on January 11. The tool is used by the company’s customer-facing teams for support and account administration.
According to Mailchimp, the hacker targeted employees and contractors in a social engineering attack and used compromised employee credentials to gain access to some Mailchimp accounts.
“Based on our investigation to date, this targeted incident has been limited to 133 Mailchimp accounts. There is no evidence that this compromise affected Intuit systems or customer data beyond these Mailchimp accounts,” the company said in a notice published on its website.
In response to the breach, Mailchimp suspended access for the targeted accounts and notified impacted customers.
Some of those customers have started informing their own customers about the incident. One of the first to do so was WooCommerce, the WordPress ecommerce plugin made by Automattic, the company behind WordPress.com.
WooCommerce uses Mailchimp to send emails to customers and its account was one of the 133 that were impacted by the breach.
WooCommerce told customers that some of the information they shared may have been exposed, including name, URL, address, and email address. Passwords, payment data or other sensitive information was not exposed, nor was any store using WooCommerce.
Online gambling service FanDuel has also informed customers that their name and email address may have been compromised. The FanDuel notification says the incident involved a third-party technology vendor and does not name Mailchimp.
The Solana Foundation, the nonprofit behind the Solana blockchain and cryptocurrency network, was also impacted and it did name Mailchimp in its notification to customers.
In the case of Solana, exposed information included names, email addresses and Telegram usernames.
Yuga Labs, a blockchain technology company that develops NFTs and digital collectibles, best known for the Bored Ape Yacht Club NFT collection, also confirmed being hit by the Mailchimp breach. Yuga Labs said it only used the service for limited purposes and there was no evidence that data from its Mailchimp account was exported.
Mailchimp claims to have 13 million active customers around the world. This is not the first time the company has announced suffering a breach in recent months. In August 2022, it suspended some accounts following a cyberattack targeting some of its cryptocurrency-related customers.
A few hundred Mailchimp customers were hit at the time, including DigitalOcean, which was not happy with the way the email marketing company handled the incident.
Mailchimp also discovered a security incident in March 2022.