As I described yesterday in an article on the We Live Security blog, some MailChimp customers had their accounts hijacked, with the end result that their newsletter subscribers received a malicious email.
There’s no suggestion that MailChimp itself suffered a data breach - it appears much more likely that the businesses who had their mailing lists abused had had their passwords stolen or guessed.
And a possible explanation of how those MailChimp passwords might have fallen into the laps of cybercriminals came to my attention an hour or so after I wrote my initial article on the incident.
A security researcher, who chooses to remain anonymous, contacted me telling me that he had a database of over 2,000 MailChimp usernames and passwords. The data was not sourced via a breach at MailChimp itself, but was a small part of a much larger data haul collected by the Vawtrak password-stealing trojan.
Vawtrak is a notorious piece of malware - often spread via malicious Word documents - which can spy on its victims by logging keystrokes, taking screenshots and hijacking webcams.
As if that weren’t bad enough, it opens a remote access backdoor for hackers to steal victims’ files, grabs passwords, digital certificates, browser histories, and uses code injection to grab online banking credentials.
As the haul of MailChimp passwords reveals, Vawtrak doesn’t just steal online banking passwords - it’s also interested in your webmail, social networking accounts, and many other things besides… including the account your business might use to send out newsletters.
A MailChimp spokesperson confirmed that it had reset passwords on the accounts included in the data dump:
Our team has obtained the data from the security researcher. They’ve validated usernames with our user base, and have forced password resets on the affected users.
Personally I hope that MailChimp went further than that, encouraging the victims to enable two-factor authentication and to ensure that they’re running an up-to-date anti-virus product.
Furthermore, it’s important to recognise that if criminals have used malware to steal your MailChimp password, they have almost certainly also stolen your passwords for other online services as Vawtrak pilfers all locally-stored passwords and those entered into web forms.
In other words, changing your MailChimp password and enabling MailChimp’s 2FA isn’t enough. You need to consider the likelihood that many more of your online passwords are also at risk.
After all, the MailChimp credentials in that list numbered only just over 2,000. The file obtained by the researcher contained over two million other lines of credentials relating to other services.
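The response MailChimp describes above, validating usernames from the dump against its own user base and forcing resets, and the point that the same file holds credentials for many other services, can be illustrated in code. This is an added example, not MailChimp's or the researcher's code; the "service|username|password" dump layout, the PBKDF2 password store and the "urgent" flag (leaked password still matches the stored hash) are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed stealer-log sample in a "service|username|password" shape.
# The layout is an assumption for illustration, not Vawtrak's real format.
DUMP = """\
mailchimp.com|alice@example.com|Summer2015!
mailchimp.com|Bob@Example.com|correcthorse
facebook.com|alice@example.com|Summer2015!
mailchimp.com|nobody@example.net|whatever
onlinebank.example|bob@example.com|hunter2
"""

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever scheme a real user store uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def build_user_base(records):
    """Constructed user base: lower-cased username -> (salt, password hash)."""
    base = {}
    for user, password in records:
        salt = os.urandom(16)
        base[user.lower()] = (salt, hash_password(password, salt))
    return base

def triage(dump_text, user_base, service="mailchimp.com"):
    """Map each matched username to the reset action and to the other services
    it appears under in the dump (the reuse risk the victim should be told about)."""
    rows = [line.split("|") for line in dump_text.splitlines()]
    rows = [r for r in rows if len(r) == 3]  # drop malformed lines
    actions = {}
    for svc, raw_user, leaked_pw in rows:
        user = raw_user.strip().lower()
        if svc != service or user not in user_base:
            continue  # another provider's line, or not one of our accounts
        salt, stored = user_base[user]
        # Constant-time compare: if the leaked password still opens the
        # account the forced reset is urgent, otherwise it is precautionary.
        still_valid = hmac.compare_digest(hash_password(leaked_pw, salt), stored)
        elsewhere = sorted({s for s, u, _ in rows
                            if s != service and u.strip().lower() == user})
        actions[user] = {"action": "reset-urgent" if still_valid else "reset",
                         "also_seen_at": elsewhere}
    return actions
```

The `also_seen_at` list is what lets the notification to the account holder say which other services the same credential turned up against, rather than only that the MailChimp password needs changing.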
Is it possible that the compromised MailChimp accounts that sent out the malicious emails were hijacked as a consequence of malware like Vawtrak? It seems plausible to me.
But it’s also sadly true that there are other password dumps out there, and other malware, keen to steal your online passwords.