

Email marketing platform Mailchimp, owned by Intuit Inc. since September 2021, has achieved the dubious honor of a cybersecurity fail hat trick: It has been hacked for the third time in the space of a year.
Mailchimp’s latest data breach was detected on Jan. 11 when an unauthorized actor was found to be accessing tools used by customer-facing teams for customer support and account administration. The attacker targeted Mailchimp employees and contractors with a social engineering attack, then used employee credentials compromised in that attack to gain access to select Mailchimp accounts.
So far, the company has found evidence that only 133 Mailchimp accounts were compromised. The number does not sound significant, but if they’re corporate accounts, a single Mailchimp account holder could be serving emails to millions of people.
Mailchimp temporarily suspended access to affected accounts and notified affected account holders of the breach on Jan. 12, less than 24 hours after the breach was detected.
“We know that incidents like this can cause uncertainty, and we’re deeply sorry for any frustration,” Mailchimp stated. “We are continuing our investigation and will be providing impacted account holders with timely and accurate information throughout the process.”
Incompetence causes uncertainty and Intuit paid a lot for that uncertainty: $12 billion to acquire Mailchimp. Companies are regularly hacked, but three times in 12 months points to a cultural issue at the company, particularly given how the attacks occur.
Previous Mailchimp breaches include one in March that affected Trezor cryptocurrency wallet service users, in which the attack vector was social engineering targeting Mailchimp employees. Another hack affected customers of DigitalOcean Holdings Inc. in August, and the attack vector was yet again a social engineering attack on Mailchimp employees.
“Within one year, MailChimp has suffered three data breaches as a result of social engineering attacks, with one of the worst-case scenarios – a breach that seems to be very similar to previous ones,” Almog Apirion, chief executive officer of zero-trust access company Cyolo Ltd., told SiliconANGLE. “Companies should prioritize securing identities – the new perimeter for many organizations.”
Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, said the latest Mailchimp breach shows how clever threat actors can be in adapting existing social engineering tactics.
“It’s not enough simply to educate employees and partners sporadically about common social engineering tactics and hope that this makes a significant impact on incident prevention or mitigation,” Shadabi said. “The entire corporation needs to adopt a culture of cybersecurity in which speed and rapidity are valued less than safety and sensible inspection of all requests for information and action.”