Author's note: You may not think of yourself as a business, but you are! You have built, or are working hard to build, an audience (I know I am), and you have likely created a website and a newsletter. Both are important to your success, but they pale in comparison to your social media and email contact lists. Protecting these valuable assets is a top priority. Fortunately, there are simple and effective steps you can take that cost little or nothing to implement. I will get to those in a minute, but first let's talk about a recent hack.
Mailchimp Hack
Many of the author newsletters I subscribe to use Mailchimp to interact with their readers. Unfortunately, Mailchimp was hacked. According to TechCrunch, about 300 user accounts were compromised and customer data was extracted from 102 of them.
In a statement given to TechCrunch, Mailchimp CISO Siobhan Smyth said the company became aware of the intrusion on March 26 after it identified a malicious actor accessing a tool used by the company's customer support and account administration teams. Access was gained through a successful social engineering attack, a type of attack that exploits human error and uses manipulation techniques to obtain private information, access, or valuables.
“We acted swiftly to address the situation by terminating access for the compromised employee accounts and took steps to prevent additional employees from being affected,” Smyth said.
But not quickly enough: hackers viewed approximately 300 Mailchimp accounts and successfully exported audience data from 102 of them, the company said. Mailchimp declined to say exactly what data was accessed but told TechCrunch that the hackers targeted customers in the cryptocurrency and finance sectors. In addition to viewing accounts and exporting data, the threat actors gained access to API keys for an undisclosed number of customers, which could have allowed them to send spoofed emails; those keys have since been disabled and can no longer be used. Smyth also said that Mailchimp received some reports of the hackers using information obtained from user accounts to send phishing campaigns to those accounts' contacts.
“When we become aware of any unauthorized account access, we notify the account owner and immediately take steps to suspend any further access,” Smyth told TechCrunch. “We also recommend two-factor authentication and other account security measures for our users as added measures to keep accounts and passwords secure.”
What are three things you can do to help prevent data theft? Let's start with the humble password:
1 – Use passphrases instead of passwords. Example: W0lf!998Elle. It is simple to remember, has a 0 replacing the o in Wolf and a ! replacing the 1 in 1998, and mixes upper and lower case. Hack the hackers: misspell one of the words 😊.
2 – If your service offers it, turn on two-factor authentication. It can seem a pain to wait for the text message and then enter the code, but the extra security is well worth the minor inconvenience.
3 – Do not use the same passphrase everywhere. If one passphrase is compromised, the bad actors have access to everything. Pick a theme and create variations on it.
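As an added illustration of the three tips above (not part of the original post), here is a small Python audit script. It estimates how much brute-force work a passphrase like the W0lf!998Elle example represents compared with a short password, and then checks a constructed, hypothetical account inventory for the three rules: passphrase length, two-factor authentication turned on, and no passphrase reused across accounts. The account names and secrets are made up for the demo; a real audit would read a password manager export rather than hard-code secrets.

```python
import math
import string
from collections import defaultdict


def charset_size(secret: str) -> int:
    """Size of the smallest standard character set that contains every
    character of `secret` (lower, upper, digits, punctuation)."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(c in string.punctuation for c in secret):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def brute_force_bits(secret: str) -> float:
    """Bits of work for a pure brute-force attacker who must try every string
    of this length over the character classes used. This is an upper bound:
    a passphrase built from dictionary words with predictable substitutions
    (0 for o, ! for 1) is weaker than this number suggests."""
    if not secret:
        return 0.0
    return len(secret) * math.log2(charset_size(secret))


# Constructed inventory for the demo (hypothetical accounts and secrets).
ACCOUNTS = {
    "newsletter-service": {"secret": "W0lf!998Elle", "two_factor": True},
    "social-network": {"secret": "W0lf!998Elle", "two_factor": False},
    "web-host": {"secret": "wolf1998", "two_factor": False},
}


def audit(accounts: dict, min_length: int = 12) -> list:
    """Return sorted (account, finding) pairs for the three rules:
    passphrase length, two-factor enabled, no secret shared between accounts."""
    findings = []
    users_of = defaultdict(list)  # secret -> accounts that use it
    for name, acct in accounts.items():
        secret = acct["secret"]
        users_of[secret].append(name)
        if len(secret) < min_length:
            findings.append((name, f"shorter than {min_length} characters"))
        if not acct["two_factor"]:
            findings.append((name, "two-factor authentication off"))
    for names in users_of.values():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                findings.append((name, "passphrase reused on " + others))
    return sorted(findings)


if __name__ == "__main__":
    for secret in ("wolf1998", "W0lf!998Elle"):
        print(f"{secret!r}: {charset_size(secret)} symbols, "
              f"~{brute_force_bits(secret):.0f} bits of brute-force work")
    for account, finding in audit(ACCOUNTS):
        print(f"{account}: {finding}")
```

Running the script shows the 12-character example at roughly 79 bits of brute-force work versus about 41 bits for the 8-character wolf1998, and flags the social-network account twice: it reuses the newsletter passphrase and has two-factor authentication off. The brute-force figure deliberately ignores dictionary attacks, which is why length and uniqueness, not clever substitutions, carry most of the weight.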
Additional information:
5 Password Security Best Practices You Can't Live Without in 2022 (swisscyberinstitute.com)
If you have trouble remembering passphrases for all the devices, websites, and apps you use, consider a password manager.