Social engineering attacks on Mailchimp exposed customer accounts and fueled phishing
Mailchimp disclosed that attackers used social engineering against employees and contractors to steal credentials and access an internal customer support and account administration tool, leading to unauthorized access to 133 customer accounts. The company said it detected the activity on January 11, suspended affected accounts, and notified impacted customers within 24 hours. Mailchimp added that passwords and payment card data were not exposed, but the compromised account information could still be used for targeted phishing and other follow-on attacks.
The incident echoed an earlier Mailchimp breach in which intruders again manipulated employees to gain access to internal tools and target customers in the cryptocurrency and finance sectors. In that earlier case, attackers compromised 319 accounts, exported audience data from 102 accounts, accessed some customer API keys that were later disabled, and used the stolen data to send phishing emails, including messages aimed at Trezor users that impersonated breach notifications. The repeated intrusions highlighted the downstream risk posed by marketing platforms that hold customer contact data and administrative access across many organizations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Mailchimp publicly discloses January 2023 breach
Mailchimp publicly disclosed the January 2023 breach, stating that 133 customer accounts were accessed through a social-engineering attack on employees and contractors. Reporting noted the incident's similarity to the company's earlier 2022 breaches affecting cryptocurrency-related customers.
Mailchimp suspends affected accounts and notifies impacted customers
Within 24 hours of discovering the January 2023 intrusion, Mailchimp temporarily suspended the affected accounts, notified primary contacts for all impacted customers, and sent recovery guidance. Mailchimp said no passwords or credit card data were compromised and continued investigating.
Mailchimp detects new employee social-engineering attack affecting 133 accounts
Mailchimp detected unauthorized activity on 2023-01-11 after attackers used compromised employee and contractor credentials to access an internal customer support and account administration tool. The attacker accessed 133 customer accounts in the new breach.
Mailchimp discloses 2022 breach impacting 319 accounts and disables exposed API keys
Mailchimp disclosed that attackers compromised 319 accounts, exported audience data from 102 customer accounts, and accessed some customer API keys, which the company later disabled. The breach was linked to phishing activity against customers including Trezor users.
Mailchimp detects social-engineering breach affecting crypto and finance customers
Mailchimp discovered that threat actors had socially engineered employees to obtain credentials and access internal customer support and account administration tools. The intrusion targeted cryptocurrency and finance-related customers and was identified on 2022-03-26.
Sources
4 references tracked. Mallory keeps watching after this page renders.
More than 100 Mailchimp accounts accessed via social engineering cyberattack | The Record from Recorded Future News
therecord.media
Open sourceMailChimp discloses new breach after employees got hacked
bleepingcomputer.com
Open sourceMailchimp says it was hacked - again | TechCrunch
techcrunch.com
Open sourceMailChimp breached, intruders conducted phishing attacks against crypto customers
securityaffairs.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Betterment Social-Engineering Breach Exposes 1.4 Million Customer Records
**Betterment** disclosed that a **social engineering** attack against a **third-party platform account** used for customer communications enabled unauthorized access to internal systems in early January, leading to the exposure of personal data tied to **1,435,174 accounts**. The intruder used the access to send **fraudulent crypto-themed promotional messages** impersonating Betterment and promising to “triple” cryptocurrency sent to attacker-controlled wallets (including **Bitcoin and Ethereum** addresses). Betterment said it revoked the unauthorized access the same day it was detected, warned customers to ignore the messages, and initiated a forensic investigation with external incident-response support. Breach analysis and indexing by **Have I Been Pwned** indicated the exposed dataset included **email addresses, names, and location data**, with reporting also citing additional PII such as **dates of birth, physical addresses, phone numbers, device information, and employment-related details**. Betterment stated there is **no evidence** that customer investment accounts were accessed or that **passwords/authentication tokens** were compromised, characterizing the incident as an exposure of contact/identity data rather than account credentials. Separate reporting noted Betterment also experienced **intermittent outages attributed to a DDoS attack and extortion attempts** around the same period, but this was described as distinct from the social-engineering-driven data exposure.
Mar 21, 2026
Social Engineering Breaches Exposed Customer Data at Figure and Allianz Life
Figure and Allianz Life disclosed separate breaches in which attackers used **social engineering** to gain access to systems holding large volumes of customer data. Figure said an employee was deceived into granting access, leading to the public posting of a dataset from January 2026 that contained more than **900,000 unique email addresses** as well as names, phone numbers, physical addresses, and dates of birth. Allianz Life reported that a cyberattack in July 2025 targeted data stored on **Salesforce** and was later followed by the online leak of **1.1 million unique email addresses**. The exposed Allianz Life records also included names, genders, dates of birth, phone numbers, and physical addresses, underscoring how social engineering attacks continue to drive large-scale exposure of sensitive personal information across financial services firms.
Mar 27, 2026
Salesforce-Targeted Data Breaches Impacting Google, Workday, and Others via Social Engineering
A coordinated wave of cyberattacks in 2025 targeted organizations using Salesforce’s CRM platform, resulting in significant data breaches at major companies including Google and Workday. Attackers exploited the inherent trust and connectivity of cloud-based CRM systems, focusing on social engineering rather than technical vulnerabilities. Workday confirmed that attackers accessed a database containing business contact information for up to 11,000 corporate customers and 70 million individual user records, with the breach discovered in early August 2025. Google also disclosed that its Salesforce instance used for Google Ads leads was compromised, leading to the theft of over 2.5 million customer records, including business contact details and sales notes for small and mid-sized clients. Cisco and other organizations were also listed among the victims of this campaign. The threat group responsible, identified as UNC6040 and associated with ShinyHunters, used telephone-based social engineering (vishing) to trick employees into granting access or sharing credentials. Attackers convinced targets to use a modified, unauthorized version of the Salesforce Data Loader app, which enabled them to exfiltrate sensitive data from Salesforce environments. Mandiant, working with Google, provided proactive defense recommendations, emphasizing that the attacks did not exploit Salesforce vulnerabilities but rather relied on manipulating end users. The attackers’ tactics included delayed extortion demands, sometimes occurring months after the initial compromise. The breaches highlighted the risks of interconnected cloud services and the importance of robust identity and access management. Security experts stressed the need for organizations to harden their Salesforce and other cloud assets against social engineering. The incidents underscored the growing trend of targeting SaaS platforms through human factors rather than technical flaws. Lessons from these breaches include the necessity of employee training, multi-factor authentication, and vigilant monitoring of third-party integrations. The scale and sophistication of the attacks demonstrated the evolving threat landscape for cloud-based business applications. Organizations are urged to review their incident response plans and ensure that all users are aware of the risks posed by social engineering campaigns. The breaches serve as a warning for enterprises to reassess their security posture around cloud CRM platforms and to implement layered defenses against both technical and human-centric threats.
May 6, 2026