Intuit, the parent company of Mailchimp, is facing a lawsuit after a recent cybersecurity incident led to the theft of cryptocurrencies from a Trezor user.
For the uninitiated, Mailchimp is one of the largest email marketing platforms, and Trezor is one of the world’s most popular hardware wallets for storing cryptocurrencies.
The Register recently spotted a lawsuit filed in federal court in northern California, in which Alan Levinson of Illinois claims he was the victim of a sophisticated phishing attack that resulted in the theft of tokens stored on his Trezor wallet.
Although he personally claims to have lost $87,000, he also claims that he is probably not the only one cheated and that the actual damages are likely in the millions.
Trezor users attacked
In early April, we reported a data breach at Mailchimp, which saw attackers get away with over a hundred email lists. The mailing lists were then used to send phishing emails to the people on them, with the aim of stealing their money and cryptocurrency holdings.
They also accessed the (now defunct) API keys of an unknown number of customers. With the keys, attackers could create personalized email campaigns and send them to mailing lists without accessing the Mailchimp customer portal.
One of the companies whose customers were targeted by a phishing attack was Trezor. Shortly after the breach, Trezor customers began receiving an email stating that the company had suffered a data breach and asking users to download a program to help them reset PINs on their devices.
The program was a disguise for a strain of malware that allowed attackers to steal the contents of the wallet.
The lawsuit claims that poor security standards at Intuit and Rocket Science Group (a subsidiary that runs Mailchimp) made such an attack possible.
“The hackers were able to access the Trezor mailing list (and likely other non-sensitive information) through MailChimp and/or Intuit employee accounts,” the lawsuit states.
“Indeed, the defendants confirmed that the hackers used an internal employee tool to steal the data of more than 100 of their customers – the data being used to mount phishing attacks against users of cryptocurrency services.”
The lawsuit alleges that Intuit “willfully, recklessly or negligently” failed to protect its customers’ data and was too slow to notify its customers of the breach.
Levinson is now seeking actual and punitive damages, as well as legal fees. He also wants three years of credit monitoring paid for.
Via The Register