On August 3rd, the email marketing company Klaviyo suffered a data breach. Threat actors gained access to internal systems and downloaded marketing lists belonging to clients in the cryptocurrency sector. According to Klaviyo, the attackers used a phishing attack to steal an employee’s login information. They used the compromised credentials to access the employee’s account and internal Klaviyo support resources. Using those internal customer support tools, the threat actors then downloaded marketing lists for thirty-eight clients who work in the cryptocurrency sector. “The threat actor used the internal customer support tools to search for primarily crypto related accounts and viewed list and segment information for 44 Klaviyo accounts. For 38 of these accounts, the threat actor downloaded list or segment information. The information downloaded contained names, email addresses, phone numbers, and some account specific custom profile properties for profiles in those lists or segments,” stated Klaviyo.
The hackers also downloaded two internal lists with names, addresses, email addresses, and phone numbers that Klaviyo uses for product and marketing updates. Klaviyo says it has contacted law enforcement and hired a third-party cybersecurity company. Klaviyo warns subscribers to watch for targeted phishing or smishing attempts that use the stolen data. “We are concerned about potential phishing or smishing efforts by the threat actor and want our customers, contacts, and employees to be skeptical of any password reset requests, requests for payment info, or emails from unusual domains. We have also seen new websites copying the Klaviyo layout trying to obtain Klaviyo logins. There may be a spike in phishing campaigns and look alike websites in the coming weeks,” stated Klaviyo in its blog post. Organizations should train users not to click links or open attachments, especially from unknown or anonymous senders, and to report suspicious emails to the organization’s IT security department for follow-up investigation, particularly if an attachment has already been opened.
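As an added illustration (not code from Klaviyo or from this article), the following Python triages an inbound email against the three warning signs in Klaviyo's notice: a sender domain imitating klaviyo.com (typo-squats, digit-for-letter swaps, or the brand buried in a longer hostname), a password-reset lure, and a request for payment details. The domain split is a deliberately naive assumption (last two labels), and the sample email is constructed.

```python
"""Phishing triage for the lookalike-domain and lure patterns Klaviyo warned about."""
import re

LEGIT_DOMAIN = "klaviyo.com"            # the brand being impersonated
BRAND = LEGIT_DOMAIN.split(".")[0]

# Digit/symbol and letter-pair substitutions common in lookalike registrations
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "|": "l"}
MULTI = {"rn": "m", "vv": "w"}
RESET_RE = re.compile(r"\b(reset|verify|confirm)\b.{0,40}\b(password|account|login)\b", re.I | re.S)
PAYMENT_RE = re.compile(r"\b(update|confirm|provide)\b.{0,40}\b(card|billing|payment)\b", re.I | re.S)

def normalize_label(label: str) -> str:
    """Map homoglyph characters back to the letters they mimic."""
    label = "".join(HOMOGLYPHS.get(c, c) for c in label.lower())
    for pair, letter in MULTI.items():
        label = label.replace(pair, letter)
    return label

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(host: str) -> bool:
    """True if host imitates the brand but is not the real domain or a subdomain of it."""
    host = host.lower().strip().rstrip(".")
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return False                                    # genuine
    labels = host.split(".")
    if len(labels) < 2:
        return False
    if BRAND in normalize_label(".".join(labels[:-2])):
        return True                                     # brand hidden in a subdomain
    norm = normalize_label(labels[-2])                  # registrable label (naive split, assumption)
    return BRAND in norm or edit_distance(norm, BRAND) <= 2   # klaviy0, klaviyo-login, klavyio

def triage_email(sender: str, subject: str, body: str) -> list:
    """Return the warning signs an email matches; an empty list means nothing was flagged."""
    flags = []
    if is_lookalike(sender.rsplit("@", 1)[-1].strip(">")):
        flags.append("lookalike-sender-domain")
    text = subject + "\n" + body
    if RESET_RE.search(text):
        flags.append("password-reset-lure")
    if PAYMENT_RE.search(text):
        flags.append("payment-info-lure")
    return flags

# Constructed sample message in the style of the lures described in the notice
SAMPLE = ("Klaviyo Support <support@klaviy0.com>", "Action required: reset your password",
          "Your account was accessed from a new device. Please confirm your payment details here.")
```

Running `triage_email(*SAMPLE)` flags all three indicators; a genuine `alerts@klaviyo.com` status mail yields an empty list.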