No platform is off limits to hackers, not even our dear newsletter service, MailChimp. According to Motherboard, the email broadcast service has now been abused by hackers to send emails containing malicious links to the subscribers of various services that rely on MailChimp.
The email reads something like “Here’s your invoice! We appreciate your prompt payment.” An Australian security researcher (who also owns the Have I Been Pwned? service) sent a sample email to Motherboard in which he said “This morning our MailChimp subscriber database was hacked and a fake invoice (Inoice 00317) [sic] was sent to our list.” He also backed this claim up with screenshots on Twitter, as seen below.
An unsuspecting user is then expected to view the invoice by clicking the “View Invoice” button, which leads to a .zip file that has been confirmed to be malicious. According to the tweet above, an Australian company confirmed that its MailChimp subscriber database had been hacked and a fake invoice (Inoice 00317) had been sent to its list of subscribers. Those subscribers may not realise the email is fake and could click the link without knowing that they are giving an attacker access to their device.
The company has since issued a statement asking its subscribers to disregard such emails, telling Motherboard: “Please disregard and delete this email. You have not been charged.” Camilla Jansen, managing editor of Business News Australia, told Motherboard in an email: “We’re waiting to find out more.”
MailChimp, in the meantime, released a statement to Motherboard saying:
“Early this morning MailChimp’s normal compliance processes identified and disabled a small number of individual accounts sending fake invoices. We have investigated the situation and have found no evidence that MailChimp has been breached. The affected accounts have been disabled, and fraudulent activity has stopped.”
While MailChimp also encourages users to set up two-factor authentication, it is just as important for recipients to be careful about the links they click. For example, if you notice a change in the pattern of emails from a company you subscribe to, contact the company to confirm whether it actually sent that email. This next piece of advice sounds old but is still valid: change your passwords regularly and don’t reuse the same password across multiple sites. The problem in this case is suspected to have been a result of password reuse.
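The advice above about checking links before clicking can be turned into a simple triage check. The following Python script is an added example written for this page, not code from Motherboard, MailChimp or the affected company; it extracts the links from an HTML email body and flags the pattern the article describes: an invoice-themed call to action whose link downloads an archive or points at a domain other than the sender’s. The sample message, sender address and domain names are constructed for illustration, and the domain comparison is a deliberately crude last-two-labels check rather than a public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types that a legitimate "view invoice" link should never resolve to directly.
SUSPICIOUS_EXTENSIONS = (".zip", ".rar", ".7z", ".iso", ".js", ".vbs")


class LinkExtractor(HTMLParser):
    """Collects (anchor text, href) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Crude registrable-domain approximation: the last two DNS labels.
    Good enough for the constructed sample; a real deployment would use
    the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_email(sender, html_body):
    """Return a list of findings for links that look like fake-invoice lures."""
    parser = LinkExtractor()
    parser.feed(html_body)
    sender_domain = registrable_domain(sender.split("@")[-1])
    findings = []
    for text, href in parser.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue
        reasons = []
        if parsed.path.lower().endswith(SUSPICIOUS_EXTENSIONS):
            reasons.append("link downloads an archive/script file")
        if registrable_domain(parsed.hostname or "") != sender_domain:
            reasons.append("link domain differs from sender domain")
        # Invoice wording on its own is normal; it only raises the score
        # when combined with one of the structural red flags above.
        if reasons and re.search(r"\binvoice\b", text, re.I):
            reasons.append("invoice-themed call to action")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


# Constructed sample modelled on the pattern described in the article;
# the addresses and domains are placeholders, not real infrastructure.
SAMPLE_SENDER = "news@example-publisher.test"
SAMPLE_BODY = """
<p>Here's your invoice! We appreciate your prompt payment.</p>
<a href="http://files.example-cdn.test/invoice-00317.zip">View Invoice</a>
<a href="https://example-publisher.test/unsubscribe">Unsubscribe</a>
"""

if __name__ == "__main__":
    for finding in triage_email(SAMPLE_SENDER, SAMPLE_BODY):
        print(finding)
```

Run against the constructed sample, the script flags only the “View Invoice” link (archive download, foreign domain, invoice wording) and leaves the unsubscribe link, which stays on the sender’s own domain, alone. The same check could be run by a mail gateway or a help desk over a reported message before anyone decides whether to trust it.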