Mailchimp parent hit with lawsuit over cybersecurity 'negligence'

Intuit, the parent company of Mailchimp, is facing a lawsuit after a recent cybersecurity incident led to the theft of cryptocurrencies from a Trezor user.

For the uninitiated, Mailchimp is one of the largest email marketing platforms, and Trezor is one of the world’s most popular hardware wallets for storing cryptocurrencies.

The Register recently spotted a lawsuit filed to a federal court in northern California, in which one Alan Levinson of Illinois claims to have fallen victim to a sophisticated phishing attack that resulted in the theft of tokens stored on his Trezor wallet.

While he personally claims to have lost $87,000, he also claims that he’s probably not the only one to be tricked, and that the real damage is probably in the millions. 

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Trezor users under attack

In early April, we reported on a data breach at Mailchimp, which saw attackers get away with more than a hundred email mailing lists. The mailing lists were later used to target people with phishing attacks, in an attempt to steal their money and cryptocurrency holdings.

They also accessed API keys (now defunct) from an unknown number of customers. With the keys, the attackers could create custom email campaigns and send them to mailing lists without accessing the Mailchimp customer portal.

One of the companies whose customers were targeted with a phishing attack was Trezor. Soon after the breach, Trezor customers started getting an email that stated that the company had suffered a data breach, and invited users to download a program to help them reset the PINs on their endpoints.

The program disguised a malware strain that allowed attackers to steal the contents of the wallet.

The lawsuit claims the poor standards of security at Intuit and Rocket Science Group (a subsidiary that manages Mailchimp) made such an attack possible.

"The hackers were able to access the Trezor email list (and likely other insensitive information) through MailChimp and/or Intuit employee accounts," the lawsuit states.

"Indeed, defendants confirmed that hackers used an internal employee tool to steal data from more than 100 of their clients — with the data being used to mount phishing attacks on the users of cryptocurrency services."

The lawsuit alleges Intuit "willfully, recklessly, or negligently" failed to protect its customer data, and was too slow to notify its customers of the breach. 

Levinson now asks for actual and punitive damages to be compensated, as well as legal fees. He also wants three years of credit monitoring paid for him, as well.

• Keep your premises secure with the best ransomware protection services right now

Via The Register