Mailchimp owner Intuit has been sued by users of the Trezor hardware digital currency wallet over its role in a phishing campaign through which many lost their digital assets to scammers.
In a lawsuit filed in the Northern District of California, plaintiff Alan Levinson accused Intuit, the U.S. financial software giant that owns Mailchimp, an email marketing service that the scammers exploited, of “intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure that its data systems were protected, failing to take available steps to prevent and stop the breach from ever happening, and failing to disclose the breach of personal information in a timely manner.”
Levinson believes that his personal information, and that of the other Trezor users who are members of his class-action lawsuit, was improperly handled and was not stored following applicable cybersecurity protocols.
The plaintiff, a resident of Illinois in the U.S., claims to have lost $82,000, while other members of the lawsuit cumulatively lost millions of dollars to the phishing campaign. Levinson wants actual and punitive damages from the Mountain View, California-based company.
According to the lawsuit, it all started when an employee of Rocket Science Group, an Intuit subsidiary that runs Mailchimp, clicked on a malicious link and granted the attackers access to the personal information of at least 100 Mailchimp users who were subscribed to the Trezor newsletter.
Armed with the emails, the attackers then engaged in a phishing campaign in which they lured the unsuspecting users to a fake Trezor website. On it, the users were directed to download a supposed new version of the Trezor desktop app, which turned out to be the attackers’ way in. They were able to get ahold of the users’ recovery phrase and made off with millions of dollars’ worth of digital assets.
Trezor acknowledged the data breach this month, telling users, “A scam email warning of a data breach is circulating. Do not open any email originating from [email protected], it is a phishing domain.”
We are investigating a potential data breach of an opt-in newsletter hosted on MailChimp.
A scam email warning of a data breach is circulating. Do not open any email originating from [email protected], it is a phishing domain.
— Trezor (@Trezor) April 3, 2022
Mailchimp also admitted that it had been breached, although it generalized the damage and claimed that the attacker was after digital asset companies.
The lawsuit follows another similar one filed by users of Ledger, Trezor’s main rival in the hardware digital wallets market, who sued Shopify for its role in a similar exploit. As CoinGeek reported, the lawsuit accused Shopify of “failure to exercise reasonable care in securing and safeguarding consumer information in connection with a massive 2020 data breach impacting Ledger.”