WORDPRESS

Mailchimp suffers third breach in 12 months

Email marketing specialist Mailchimp has suffered its third data breach arising from a social engineering attack in the space of a year, but on this occasion has won some praise for its swift and candid response to the incident.

In a statement first published on Friday 13 January, later updated on Tuesday 17 January, Mailchimp said that it first identified the breach on Wednesday 11 January. The attack saw an unauthorised party access customer support and admin tools by phishing its employees and stealing their credentials, before accessing data on 133 customers.

Mailchimp said it suspended account access for affected accounts immediately and notified its primary contacts for those accounts within 24 hours. It has since been working with them to reinstate access safely and provide needed support.

“Based on our investigation to date, this targeted incident has been limited to 133 Mailchimp accounts. There is no evidence that this compromise affected Intuit systems or customer data beyond these Mailchimp accounts,” the company said.

“We know that incidents like this can cause uncertainty, and we’re deeply sorry for any frustration. We are continuing our investigation and will be providing impacted account holders with timely and accurate information throughout the process,” said the company, which has also provided an email address for affected users to contact ([email protected]).

While Mailchimp has on this occasion moved quite quickly, the latest incident to affect it seems to maintain a pattern of internal compromise at the organisation.

In April 2022, cryptocurrency companies including Bitcoin hardware wallet maker Trezor were targeted by phishing campaigns after a threat actor breached Mailchimp. This attack was also the result of malicious access to an internal customer support tool, as confirmed by its then CISO Siobhan Smyth.

The second incident, which appears to have cost Smyth her job (she now works as CIO at a US-based healthcare company), unfolded in August 2022 and also targeted organisations working in the crypto sector that were customers of DigitalOcean, a specialist in cloud infrastructure services. DigitalOcean, which ditched Mailchimp following the attack, said that it understood this attack had also been the result of an attacker compromising Mailchimp’s internal tools.

Ultimately, this attack was deemed to be the work of Scatter Swine, aka 0ktapus, a highly successful campaign of supply chain compromises that exploited the branding of identity and access management (IAM) specialist Okta. Somewhat ironically, Okta’s subsequent investigation revealed evidence that the group was using infrastructure provided by a provider called Bitlaunch, which itself used DigitalOcean’s services.

Eset global cyber security advisor Jake Moore said that the incident was highly worrying: “2023 is shaping up to be the year that attackers don’t hack in, they log in. Social engineering hacks targeting third-party tools are becoming more prevalent and sophisticated, and in recent months we have seen some big names being targeted with huge results,” he said.

“Although this may only seem like a very small number of customers that have had details compromised, this is still a very worrying breach of data… No doubt attempts would have been made to siphon more data than was stolen, but this will still land as an embarrassment for the company which is known for storing large amounts of client data along with their clients’ personally identifiable information.”

ImmuniWeb founder Ilia Kolochenko said: “The unauthorised access to 133 customer accounts is a very insignificant security incident for such a large company as Mailchimp.

“Transparent disclosure of the incident rather evidences a well-established DFIR process and high standards of ethics at Mailchimp, as most businesses of similar size will likely try to find a valid excuse to avoid mandatory disclosure prescribed by law or imposed by contractual duties.”

Kolochenko added that the supposed attack vector was an exceedingly efficient one, claiming multiple victims all the time, with even the best multi-layered defences and advanced controls frequently ineffective against an honest mistake. He said Mailchimp had clearly detected and contained the problem quickly, given the customer support agent or agents compromised would have certainly had access to the data of many more customers.

One organisation known to have been affected in the latest attack is WooCommerce, an open source e-commerce platform used by independent micro retailers, which notified its customers shortly after.

In a copy of the notification email shared via Twitter, WooCommerce said it understood the breach may have resulted in some information, such as customer names, store URLs, and postal and email addresses, being exposed, but no payment data or passwords.

“There is no indication the person who engaged in unauthorised access to Mailchimp has taken any action with the exposed information,” the company said.

“We have confirmed with Mailchimp that our account is secure and follows all security best practices, and are working with them to better understand the cause of this breach and what they’re doing to prevent similar incidents in the future. We apologise for any issues or concerns this may have caused.”

WORDPRESS

The WordPress Saga: Does Matt Mullenweg Want a Fork or Not?

A CEO is no longer expected to talk candidly about open source. Maybe business leaders have never expected open source to be anything but serve their business interests. Not every CEO takes advantage of open source to the degree we have seen in recent months. But no one is free of blame. Open source means different things to different people, and everyone uses it for their own purposes.

The colloquial use of open source gives companies like Meta the opportunity to use open source as they wish. Even high-ranking people in the open source community discount the problem. They say it’s OK. Open source is still moving forward. The kids don’t care — all they want to do is build models.

There is no playbook or good versus evil here. Many thoughtful people want to find a way to solve the mess we’ve seen surface in the WordPress saga of the past few weeks.

To recap, for those who haven’t been sufficiently online the past few days: Matt Mullenweg, co-creator of WordPress, the popular open source content management system, has been accusing WP Engine, a WordPress hosting provider, of violating WordPress’ trademarks and using its servers without compensation. The two organizations’ lawyers have exchanged cease-and-desist letters (more on those later). At the stroke of midnight UTC on Tuesday, WordPress blocked WP Engine’s access to its servers.

As this episode unravels, a fresh flow of ideas about open source has emerged. At least one CEO has established an important approach to solving issues like those we see with WordPress and WP Engine.

In a thoughtful post on his personal blog, Dries Buytaert, creator of Drupal, described the issue today as a makers-takers problem, where “creators of open source software (‘Makers’) see their work being used by others, often service providers, who profit from it without contributing back in a meaningful or fair way (‘Takers’).”

CEOs are on both sides of the perspective he details. He knows the people involved and has a solution that makes sense for the Drupal community. He calls it a “contributor credit” program.

Buytaert comes from the same world as Mullenweg. Drupal and WordPress are open source content management systems.

Still, open source is a tool for CEOs to use for profits, sometimes illusions, and leverage against commercial competitors. We’ve seen this with Meta CEO Mark Zuckerberg, who calls Llama, the company’s large language model, open source, which it is not.

And now we face someone who has long enjoyed a gleaming image in the open source community but now faces many questions about his intent.

Mullenweg: WP Engine Should Fork WordPress

Earlier in the week, we interviewed Mullenweg, who said WP Engine should fork WordPress.

“I think a fork would be amazing,” he told TNS. “They should fork WordPress, because what they offer is not actually WordPress. They call it WordPress, but they really screw it up.”

Mullenweg now wants to own a chunk of WP Engine, and he’s using his bully pulpit to pound away until he gets what he wants. He’s called WP Engine “a cancer.” He openly rails about the WP Engine executive team and Silver Lake, the private equity firm that has invested in it, using tactics we’ve become far too accustomed to from all sorts, who we don’t have to name here.

It’s a victim tactic. Mullenweg and Automattic, his holding company, talk like they are the victims of an evil plan, rooted in trademark violations. Following the victim’s logic, Mullenweg has to attack. He and his team have to block WP Engine from the WordPress servers.

Now comes the news from The Verge that WordPress demanded 8% of WP Engine revenues each month in exchange for being considered a contributor to the WordPress open source project. That would also mean WP Engine could not fork WordPress, but it would allow WP Engine to use the trademark.

The Verge:

“[C]hoosing to contribute 8 percent to WP Engine employees would give WordPress.org and Automattic ‘full audit rights’ and ‘access to employee records and time-tracking’ at the company. The agreement also comes with a ban on ‘forking or modifying’ Automattic’s software, including plug-ins and extensions like WooCommerce.”

This raises questions about Mullenweg’s hearty support for a WP Engine fork. For perspective, WP Engine competes with Automattic. Just be clear on that one.

Mullenweg has made it confusing for almost everyone involved. There are huge supporters who want WordPress to survive, and there are end users who don’t have any clue about open source or even that their sites run on WordPress servers.

WP Engine, on the other hand, has its own issues. It does not give much in return for using WordPress. The company, under CEO Heather Brunner and founder Jason Cohen, uses the WordPress name. They call it fair use.

Further, WP Engine uses the work invested by the WordPress community into the service without the engineering overhead required if it had to maintain its own fork, which would cost millions and take quite some time to develop — a year, two, three?

What drama. If you are hearing about this for the first time, Mullenweg, who created the web content management system WordPress, has been relentless with his attacks on WP Engine for what he claims are trademark violations. It came to a head at WordCamp in Portland earlier in September when Mullenweg called WP Engine “a cancer” on the community.

On Sept. 23, attorneys sent a cease-and-desist letter to WP Engine on behalf of Mullenweg’s holding company Automattic and WooCommerce. Among its demands: that WP Engine stop all unauthorized use of WordPress’s trademarks and “provide an accounting of all profits from the service offerings that have made unauthorized use of our Client’s intellectual property.”

The letter suggested that “even a mere 8% royalty on WP Engine’s $400+ million in annual revenue equates to more than $32 million in annual lost licensing revenue for our Client.”

On Sept. 25, in lieu of action by WP Engine, Mullenweg blocked WP Engine’s access to the WordPress servers. He then gave a reprieve on Sept. 27 after users contacted him. Mullenweg said users thought they were paying WordPress, not WP Engine.

“They thought they were paying me, to be honest, that’s why they were pissed off,” Mullenweg said. “And so I was like, ‘Oops, OK, we’ll turn it back on.’”

WordPress blocked WP Engine’s access to its servers Tuesday at UTC 00:00.

The odd thing: no sign of trouble so far from WP Engine users; a WP Engine spokesperson declined to comment when contacted by TNS about whether the company had heard from customers having problems. WP Engine must have set up the mirrors and all to WordPress.org. How that affects performance and the rest is still not understood.

Sources of Conflict

In our interview, Mullenweg said users now hopefully understand that they are paying WP Engine, which does not pay WordPress for auto updates and everything else WordPress provides. Users, he argued, should be mad at WP Engine, not him and his team, who run the servers. Again, Mullenweg expresses that he and his team are the victims.

WP Engine is simply not responding, Mullenweg said, except through a cease-and-desist letter its attorneys sent Automattic on Sept. 23 after his repeated attacks.

The letter sent on WP Engine’s behalf reads in part, “Mr. Mullenweg’s covert demand that WP Engine hand over tens of millions to his for-profit company Automattic, while publicly masquerading as an altruistic protector of the WordPress community, is disgraceful. WP Engine will not accede to these unconscionable demands, which not only harm WP Engine and its employees but also threaten the entire WordPress community.”

WP Engine did not answer The New Stack’s question about forking WordPress, but a company spokesperson did have choice words about Automattic’s licensing demands.

“We, like the rest of the WordPress community, use the WordPress mark to describe our business. Automattic’s suggestion that WP Engine needs a license to do that is simply wrong, and reflects a misunderstanding of trademark law. To moot its claimed concerns, we have eliminated the few examples Automattic gave in its Sept. 23 letter to us.”

For example, WP Engine has made some minor changes, namely changing WordPress to WordPress1 and WooCommerce1 on the site’s front page.

What About the Community?

Overall, users had almost no warning that their sites would be disrupted. This is an odd way to treat users, especially when they are such huge fans of your platform.

Here’s where open source becomes a problem for users. Most people do not know how they get the updates to their CMS. But once their site stopped working, they became entangled in a battle between Mullenweg and WP Engine.

Meanwhile, most users are just trying to keep their sites working.

Amidst the controversy, Mullenweg acknowledged he could have done better in reaching out to the community.

“To be fair, I have not been the best at public relations or publishing things,” he told TNS. “That’s why we try to be very clear at UTC 00, Oct. 1 … at this exact time, their network, WP Engine servers will no longer be able to access our networks.”

But a fork? The cost to set up the servers, the network, the load balancers, on and on, would cost millions and could take years. At its peak, WordPress serves 30,000 requests per second and 40% of the entire Web, according to Mullenweg.

Users have an option, he said. They can move to a different hosting provider. He mentioned Bluehost and his own company, WordPress.com, as two options.

Open Source Faces a Hurricane

There has been confusion about open source AI and server-side public licenses. Now, we’ve got the WordPress debacle. Oh, and there’s talk about Oracle owning the JavaScript trademark. The fun never ends.

But people are working on the problem, particularly the single point of failure issue that has become more apparent since WP Engine’s servers were cut off.

Here’s a thread worth reading from Reddit, about how to solve the problem of a single point of truth. The problem is a severe one, but maybe a fork is not the answer. Instead, perhaps it’s a way to solve matters that can easily happen if sites aren’t updated:

The vulnerability should be apparent: if WordPress.org goes down for any reason, millions of sites stop updating. A coordinated attack (zero-day implementation coupled with a DDoS attack that prevents updates from going out from zero-day) could be a disaster the world over. And, if the Foundation ever decided to get out of the update business, or ran into financial difficulty, or Matt decides to retire to Aruba and quit WordPress entirely — whatever the case may be — there’s no Plan B.

So, the community needs a plan B — and maybe that’s most important. Stop the bickering. Instead, look for ways to modernize the WordPress infrastructure so users don’t get entangled in corporate wars that use open source as a proxy to fight battles that leave casualties scattered across the web.

WORDPRESS

Automattic demanded web host pay $32M annually for using WordPress trademark

“WPE’s nominative uses of those marks to refer to the open-source software platform and plugin used for its clients’ websites are fair uses under settled trademark law, and they are consistent with WordPress’ own guidelines and the practices of nearly all businesses in this space,” the lawsuit said.

Mullenweg told Ars that “we had numerous meetings with WPE over the past 20 months, including a previous term sheet that was delivered in July. The term sheet was meant to be simple, and if they had agreed to negotiate it we could have, but they refused to even take a call with me, so we called their bluff.” Automattic also published a timeline of meetings and calls between the two companies going back to 2023.

Mullenweg also said, “Automattic had the commercial rights to the WordPress trademark and could sub-license, hence why the payment should go to Automattic for commercial use of the trademark. Also the term sheet covered the WooCommerce trademark, which they also abuse, and is 100 percent owned by Automattic.”

Automattic alleged “widespread unlicensed use”

Exhibit A in the lawsuit includes a letter to WP Engine CEO Heather Brunner from a trademark lawyer representing Automattic and a subsidiary, WooCommerce, which makes a plugin for WordPress.

“As you know, our Client owns all intellectual property rights globally in and to the world-famous WOOCOMMERCE and WOO trademarks; and the exclusive commercial rights from the WordPress Foundation to use, enforce, and sublicense the world-famous WORDPRESS trademark, among others, and all other associated intellectual property rights,” the letter said.

The letter alleged that “your blatant and widespread unlicensed use of our Client’s trademarks has infringed our Client’s rights and confused consumers into believing, falsely, that WP Engine is authorized, endorsed, or sponsored by, or otherwise affiliated or associated with, our Client.” It also alleged that “WP Engine’s entire business model is predicated on using our Client’s trademarks… to mislead consumers into believing there is an association between WP Engine and Automattic.”

WORDPRESS

WP Engine sues WordPress co-creator Mullenweg and Automattic, alleging abuse of power

Web hosting provider WP Engine has filed a lawsuit against Automattic and WordPress co-founder Matt Mullenweg, accusing them of extortion and abuse of power. The lawsuit comes after nearly two weeks of tussling between Mullenweg, who is also CEO of Automattic, and WP Engine over trademark infringement and contributions to the open-source WordPress project.

WP Engine accused Automattic and Mullenweg of not keeping their promises to run WordPress open-source projects without any constraints and giving developers the freedom to build, run, modify and redistribute the software.

“Matt Mullenweg’s conduct over the last ten days has exposed significant conflicts of interest and governance issues that, if left unchecked, threaten to destroy that trust. WP Engine has no choice but to pursue these claims to protect its people, agency partners, customers, and the broader WordPress community,” the company said.

The case document, filed in a court in California, also accused Mullenweg of having a “long history of obfuscating the true facts” about his control of WordPress Foundation and WordPress.org.

The story so far

Mullenweg had criticized WP Engine for infringing WordPress and WooCommerce trademarks. He called them the “Cancer of WordPress” and also called out WP Engine’s private equity partner, Silver Lake, for not caring about the open-source community.

Later, WP Engine sent a cease-and-desist letter, asking Mullenweg and Automattic to withdraw these comments. Automattic then sent its own cease-and-desist, accusing WP Engine of infringing WordPress and WooCommerce trademarks.

Notably, Mullenweg banned WP Engine on September 25 from accessing WordPress.org resources, including plug-ins and themes, thereby preventing WP Engine customers from updating them. Two days later, Mullenweg provided a temporary reprieve and unblocked WP Engine until October 1.

On Wednesday, Automattic published a proposed seven-year term sheet that it had sent to WP Engine on September 20, asking the hosting company to pay 8% of its gross revenues per month as a royalty fee for using the WordPress and WooCommerce trademarks.

Alternatively, WP Engine was given the option to commit 8% by deploying employees to contribute to WordPress’s core features and functionalities, or a combination of both people hours and money.

WP Engine didn’t accept these terms, which included a prohibition on forking plugins and extensions from Automattic and WooCommerce.
