On January 23, 2024, at approximately 07:52 AM UTC, we identified a security incident involving unauthorized access to our internal admin panel. The access was obtained through a compromised staff account. Our initial assessment put the number of affected customer accounts at 117; after detailed forensics we concluded that 70 accounts were affected, not 117. Four of those accounts were used to send phishing campaigns targeting cryptocurrency wallets.
The breach was carried out by unauthorized perpetrator(s) who conducted a social engineering attack against a MailerLite support manager and, through that account, gained access to the internal admin panel. They targeted accounts associated with cryptocurrency and sent unauthorized campaigns from 4 of them before we intervened and secured our systems.
We have confirmed that no other customers were affected.
In response to this incident, we have intensified our security training and are revising our internal processes to prevent similar breaches. Recognizing the human element in security, we are fast-tracking the deployment of FIDO2 devices for our team from Q2 to Q1. FIDO2 adds another layer of security by requiring a physical key for internal access; because the credential is bound to the legitimate site and cannot be typed into or relayed through a fake one, it resists the kind of social engineering used in this attack far better than passwords or one-time codes.
Additionally, our support system provider, which was also targeted in this attack, has implemented fixes to address the security flaw exploited in this incident. While we cannot disclose specific details, these enhancements provide an added layer of security to our support interactions.
MailerLite will report this cyber security incident, as the data controller of its EU clients, to the Irish Data Protection Authority in line with our obligations under the General Data Protection Regulation. We have also advised our affected customers to contact their respective data protection authorities and inform them about the data breach within 72 hours from the time that MailerLite became aware of it. Additionally, we have provided communication channels in case they need any further assistance from our side.
We notified the primary contacts of all affected accounts within 8 hours of our initial discovery, providing them with the next steps for securing their accounts. For all other customers, we have found no evidence that your account was compromised.
We believe in the utmost transparency with our users, especially regarding security issues. Our public communication about this incident was delayed to ensure the accuracy of the information and the closure of all identified security weaknesses. We are committed to learning from this experience and continuously improving our security measures to protect your data and your trust.