An overview of the social engineering attack on the Trezor mailing provider.
On April 3, 2022, it was brought to our attention that a phishing email had been sent to a one-time-use email address, alerting us to a data breach. On further investigation, it was discovered that the third-party newsletter provider Mailchimp, used for marketing communications, had been repeatedly compromised over the course of several months. This blog describes the timeline of events and the steps Trezor has taken to minimize the impact of this situation.
As described in our blog released immediately following the incident, four Mailchimp employees were targeted by phishing campaigns across many weeks, resulting in them providing secure access keys to attackers. We do not know the details of how they were phished.
The first attack happened in February, though no data was compromised. It then happened again one month later, and again on April 2. The earlier attacks targeted databases of over 200 crypto and finance companies, while the final attack appears to have targeted Trezor’s account alone.
We are most surprised by the lack of transparency and cooperation from Mailchimp regarding the attacks. We received one email, sent to a catch-all support address, about “possible risks”, but did not learn of these attacks until we discovered the leak and started pushing for answers. Now that we have access to the affected customer data, it is clear that not only were subscriber email addresses stolen, but also data of people who unsubscribed, and in some cases names and IP addresses.
Why has it taken until now to provide more information?
The social engineering attacks led to multiple breaches over several months, but it was not until now that we were able to regain access to our data and begin contacting the affected users.
While we immediately communicated the incident to our community following the breach, it has taken a long time to understand the true scope of the attack, as Mailchimp has been slow to provide actionable details from their side since we first began our inquiry a week and a half ago.
This is the first time we have suffered a data breach and we know we have let our customers down. We believed we had chosen a robust solution that would handle our subscriber data appropriately, and Mailchimp remains the largest platform of its kind in the world. Clearly we were mistaken.
We will not be using Mailchimp any more, except to share details with the affected users. We urge any company that has used Mailchimp to immediately reach out to see if you have been affected, as they have not been proactive in their communication.
We will begin migrating to a new mailing platform once we have thoroughly assessed other options for compliance and data security. As we have seen in recent years, phishing is a threat not just to consumers but also to companies. That said, it is inexcusable to hide the fact that customer data was attacked until being called out, and we are disappointed by Mailchimp’s slow cooperation in the investigation.
We acknowledge that there’s still a lot of work to do to educate the world on cybersecurity essentials and will continue to do our best to ensure that our customers know how to protect their data to the fullest.