Intuit is being sued in the US after a security failure at its Mailchimp email marketing business allegedly led to the theft of cryptocurrency from one or more digital wallets.
In a proposed class-action lawsuit [PDF] filed in federal court in northern California on Friday, the plaintiff – Alan Levinson of Illinois – claimed he and potentially others fell victim to a sophisticated phishing attack in which their Trezor cryptocurrency wallets were unlawfully accessed and funds siphoned.
Someone earlier stole from Mailchimp details of Trezor’s mailing-list subscribers, and used this information to reach out to those users with an email engineered to trick them into installing malware designed to hijack their digital wallets. Levinson said he believes millions of dollars in crypto-coins were stolen in this attack, including $87,000 from his own wallet.
The lawsuit accuses Intuit and Rocket Science Group – a subsidiary that operates Mailchimp – of poor security practices, allowing this alleged heist to take place.
“The hackers were able to access the Trezor email list (and likely other insensitive information) through Mailchimp and/or Intuit employee accounts,” Levinson wrote in his 22-page lawsuit. “Indeed, defendants confirmed that hackers used an internal employee tool to steal data from more than 100 of their clients — with the data being used to mount phishing attacks on the users of cryptocurrency services.”
It’s said Intuit “willfully, recklessly, or negligently” failed to put in place measures that would ensure people’s data was protected and keep such a breach from happening, and then failed to disclose the breach in a timely manner.
Intuit bought Mailchimp last fall for about $12 billion.
The lawsuit states Trezor users received phishing emails on April 2 that appeared to be legitimate messages from the company claiming that their data had been compromised and their cryptocurrency was at risk of being stolen. These messages were sent to email addresses stolen from Mailchimp.
Marks were told by these bogus emails to go to what turned out to be a malicious website – suite.trẹzor.com, note the special ẹ character – to download a new version of the Trezor desktop software suite that turned out to be wallet-draining malware. According to the lawsuit, this was also made possible because an Intuit staffer apparently fell victim to a phishing attack in which they inadvertently handed over their internal credentials to one or more fraudsters.
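The look-alike domain above works because an accented letter such as ẹ (U+1EB9, e with dot below) reads as a plain e to most people but is a different character to DNS. The following check, added here as an illustration and not code from Trezor, Mailchimp or the lawsuit, shows how a mail gateway or link scanner can catch that class of trick: it reduces a hostname to its base Latin letters, compares the result against a watched brand name, and reports the punycode form that actually resolves. The allowlist, the sample links and the brand list are constructed assumptions for the example.

```python
"""Flag email links whose hostname impersonates a watched brand with look-alike characters."""
import unicodedata
from urllib.parse import urlparse

# Assumed allowlist of the vendor's legitimate hosts (illustrative values, not from the article).
ALLOWED_HOSTS = {"trezor.io", "suite.trezor.io"}
# Brand names whose look-alikes we want to catch (assumed watchlist).
WATCHED_BRANDS = ("trezor",)


def host_skeleton(host: str) -> str:
    """Reduce a hostname to its base Latin letters: NFKD-decompose each character,
    then drop combining marks, so 'trẹzor' (e + combining dot below) becomes 'trezor'."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def analyze_link(url: str) -> dict:
    """Classify the host of a URL as 'allowed', 'suspicious' or 'unrelated'."""
    host = (urlparse(url).hostname or "").lower()
    try:
        # The ASCII (punycode) form is what a resolver actually looks up.
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None
    skeleton = host_skeleton(host)
    reasons = []
    if host in ALLOWED_HOSTS:
        verdict = "allowed"
    else:
        # A brand name in the skeleton of a non-allowlisted host covers both the
        # accented trick in the article and plain typosquats like brand-support.example.
        for brand in WATCHED_BRANDS:
            if brand in skeleton:
                reasons.append(f"resembles brand {brand!r} but host is not allowlisted")
        verdict = "suspicious" if reasons else "unrelated"
    if not host.isascii():
        reasons.append("hostname contains non-ASCII characters (internationalised domain)")
    return {
        "host": host,
        "punycode": punycode,
        "skeleton": skeleton,
        "verdict": verdict,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample links; the first mirrors the look-alike domain described in the article.
    for link in (
        "https://suite.trẹzor.com/download",
        "https://suite.trezor.io/",
        "https://example.com/",
    ):
        print(analyze_link(link))
```

The skeleton step only neutralises accented Latin letters, which is the form of the domain quoted above; a look-alike built from another script (for example a Cyrillic а in place of Latin a) has no decomposition and needs a confusables table, such as the one Unicode publishes, in addition to this check. Rendering the punycode form to the user is worthwhile on its own, since `xn--` in an address makes the substitution visible even when the glyphs do not.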
“Defendants fell victim to one of the oldest cybertricks in the book: according to reports, one of defendants’ employees fell victim to a phishing email and clicked on a malicious link,” the plaintiff claimed. “Accordingly, the unknown hackers were able to pilfer Trezor platform users’ cryptocurrency from the compromised accounts, resulting in millions of dollars of losses.”
The lawsuit claims the crooks were able to view about 300 Mailchimp customer accounts, and exfiltrate data, including subscriber email addresses, from 102 of them. One of the customer accounts was Trezor.
In a statement to The Register earlier this month, Mailchimp CISO Siobhan Smyth said the company’s security engineers first became aware of the security breach on March 26 when a miscreant accessed a tool used by customer-facing teams for customer support and account administration. Smyth said the targeted campaign “was propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised.”
Levinson raised the March 26 date in his lawsuit, saying it was “a week before the phishing emails were sent” yet Intuit didn’t raise the alarm until Trezor did so when it spotted the phishing campaign.
“This lack of action was particularly concerning, as Defendants acknowledged that the hackers targeted customers in the cryptocurrency and finance sectors and that the hackers gained access to API keys for an undisclosed number of customers, allowing the attackers to send phishing emails,” the lawsuit stated.
Levinson wants Intuit to pay for at least three years of credit monitoring for the victims as well as actual and punitive damages and legal fees. ®