This attack is hitting multiple buzzwords.
MailChimp has confirmed that some of their employees fell for a social engineering attack that led to the theft of their credentials.

"The incident was propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised."

These credentials were used to access 319 MailChimp accounts and to export "audience data," likely mailing lists, from 102 customer accounts.

In addition to viewing accounts and exporting data, the threat actors gained access to API keys for an undisclosed number of customers, which have now been disabled and can no longer be used.

Using these compromised API keys, a threat actor can create custom email campaigns, such as phishing campaigns, and send them to mailing lists without accessing MailChimp's customer portal.
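Because a stolen API key lets campaigns be created and sent entirely outside the customer portal, the portal's own activity view is not enough for a customer checking whether their account was abused; the campaign list fetched through the API has to be reviewed as well. The following is an added example, not code from the article or from Mailchimp: it runs a simple triage over a constructed campaign listing, flagging campaigns whose reply-to domain is not one of the account's trusted sender domains and campaigns created after the suspected compromise. The field names (`create_time`, `status`, `settings.reply_to`) are assumed to mirror the campaign objects the Mailchimp Marketing API returns; the sample data, the trusted domain and the incident date are all constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample data (not from any real account). The field names mirror,
# as an assumption, the campaign objects returned by the Mailchimp Marketing
# API's campaign listing; a live check would fetch that JSON with the account's
# freshly rotated key and pass the "campaigns" array to the same function.
SAMPLE_CAMPAIGNS_JSON = """
{
  "campaigns": [
    {"id": "c1", "create_time": "2022-03-20T10:00:00+00:00", "status": "sent",
     "settings": {"subject_line": "March newsletter", "from_name": "Example News",
                  "reply_to": "news@example.com"}},
    {"id": "c2", "create_time": "2022-03-28T02:13:00+00:00", "status": "sent",
     "settings": {"subject_line": "Action required: verify your account",
                  "from_name": "Example Support", "reply_to": "help@examp1e-login.com"}},
    {"id": "c3", "create_time": "2022-03-28T09:00:00+00:00", "status": "save",
     "settings": {"subject_line": "April newsletter draft", "from_name": "Example News",
                  "reply_to": "news@example.com"}}
  ],
  "total_items": 3
}
"""


def parse_time(value):
    """Parse an RFC 3339 timestamp into a timezone-aware datetime (UTC if unmarked)."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def find_suspicious_campaigns(campaigns, trusted_reply_domains, incident_start):
    """Return {campaign_id: [reasons]} for campaigns an IR team should review.

    Two independent signals are combined: a reply-to address outside the
    account's trusted sender domains (a phishing campaign usually wants replies
    routed to attacker-controlled mail), and creation after the point at which
    the credentials are believed to have been compromised (everything in that
    window is reviewed, legitimate or not).
    """
    findings = {}
    for campaign in campaigns:
        reasons = []
        reply_to = campaign.get("settings", {}).get("reply_to", "")
        domain = reply_to.rsplit("@", 1)[-1].lower() if "@" in reply_to else ""
        if domain not in trusted_reply_domains:
            reasons.append(f"reply-to domain {domain!r} is not a trusted sender domain")
        if parse_time(campaign["create_time"]) >= incident_start:
            reasons.append("created after the suspected credential compromise")
        if reasons:
            findings[campaign["id"]] = reasons
    return findings


def audit_sample():
    """Run the triage over the constructed listing with constructed parameters."""
    campaigns = json.loads(SAMPLE_CAMPAIGNS_JSON)["campaigns"]
    trusted_domains = {"example.com"}                          # constructed
    incident_start = datetime(2022, 3, 26, tzinfo=timezone.utc)  # constructed
    return find_suspicious_campaigns(campaigns, trusted_domains, incident_start)


if __name__ == "__main__":
    for campaign_id, reasons in audit_sample().items():
        print(campaign_id, "->", "; ".join(reasons))
```

On the sample, `c1` (older, trusted reply-to) is not flagged, `c2` is flagged on both signals, and the draft `c3` is flagged only because it was created inside the incident window. Reviewing drafts as well as sent campaigns matters here: a campaign prepared through the API but not yet sent is still evidence of what the key was used for.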
This attack is reminiscent of recent breaches by the Lapsus$ hacking group, which used social engineering, malware, and credential theft to gain access to numerous well-known companies, including Nvidia, Samsung, Microsoft, and Okta.

The Okta breach was accomplished by a method similar to the one used against MailChimp: social-engineering a contractor who had access to internal customer support and account management systems.