Mailchimp parent sued for cybersecurity 'negligence'

Intuit, the parent company of Mailchimp, is facing a lawsuit after a recent cybersecurity incident led to the theft of cryptocurrency from a Trezor user.

For the uninitiated, Mailchimp is one of the largest email marketing platforms, and Trezor is one of the most popular hardware wallets in the world for storing cryptocurrency.

The Registry recently spotted a lawsuit filed in federal court in Northern California, in which one Alan Levinson of Illinois claims he was the victim of a sophisticated phishing attack that resulted in tokens stored in his Trezor wallet being stolen.

Although he claims to have personally lost €87,000, he also says that he is probably not the only victim and that the actual damages are likely to be in the millions.

Trezor users attacked

In early April, we reported a data breach at Mailchimp, in which attackers got away with over a hundred email lists. The mailing lists were then used to target the people on them with phishing attacks aimed at stealing their money and cryptocurrency holdings.

They also accessed the (now defunct) API keys of an unknown number of clients. With the keys, attackers could create custom email campaigns and send them to mailing lists without accessing the Mailchimp customer portal.

One of the companies whose clients were targeted by a phishing attack was Trezor. Shortly after the breach, Trezor customers began receiving an email saying that the company had experienced a data breach and asking users to download a program to help them reset PINs on their devices.

The program was a disguise for malware that allowed attackers to steal the contents of the wallet.

The lawsuit claims that the low security standards of Intuit and Rocket Science Group (a subsidiary that runs Mailchimp) made such an attack possible.

"The hackers were able to gain access to the Trezor mailing list (and likely other non-sensitive information) through MailChimp and/or Intuit employee accounts," the lawsuit states.

"In fact, the defendants confirmed that the hackers used an internal employee tool to steal the data of more than 100 of their customers; the data is used to mount phishing attacks against users of cryptocurrency services."

The lawsuit alleges that Intuit "willfully, recklessly, or negligently" failed to protect its customer data and took too long to notify its customers of the breach.

Levinson is now seeking actual and punitive damages, as well as legal fees. He also wants the cost of three years of credit monitoring covered.

Via The Registry