Ecommerce marketing automation platform Klaviyo has suffered a data breach that allowed attackers to access its internal systems and steal customer data.
The marketing firm says the breach occurred on Aug. 3 after the attackers managed to steal login credentials of a company employee.
“We identified an employee’s login credentials had been compromised, as a result of suspicious activity from our internal logging and a user report,” the notification reads. “This allowed a threat actor to gain access to the employee’s Klaviyo account and, as a result, some of our internal support tools.”
The attacker was apparently interested in information related to cryptocurrency customer accounts. After accessing Klaviyo’s internal systems, the hacker used support tools to search for crypto-related accounts and download internal lists with customer names, addresses, email addresses and phone numbers.
“The threat actor used the internal customer support tools to search for primarily crypto-related accounts and viewed list and segment information for 44 Klaviyo accounts,” the company explained. “For 38 of these accounts, the threat actor downloaded list or segment information. The information downloaded contained names, email addresses, phone numbers, and some account-specific custom profile properties for profiles in those lists or segments.”
The hacker also accessed and exfiltrated two internal lists used for product and marketing updates, which included the same assortment of contact information of customers.
“The download did not include any passwords, password hashes, or credit card numbers,” Klaviyo added. “The download also did not include any account data for subscribers who have a Klaviyo account.”
In response to the data breach, the company says it revoked access to the compromised employee account and notified law enforcement.
The investigation into the security incident is ongoing, and Klaviyo urges both customers and employees to remain vigilant against phishing and smishing attacks.
Klaviyo reminds all users and customers that:
· Employees never initiate password resets on your behalf, and you should never follow unsolicited reset links
· The company won’t send text messages asking you to verify or confirm your login details
· Employees will not call customers and ask for their password
· Users should enable two-factor authentication on their accounts
Want to find out if your information was exposed in a data breach or leak? Bitdefender’s Digital Identity Protection, our privacy-focused service, automatically searches for leaked personal data online (including on the dark web), sending you real-time alerts when any of your private information has been exposed.
If you’re worried about fraudsters abusing your identity and financial information, check out our new Bitdefender Identity Theft Protection plans (available for the US only) that offer real-time data breach monitoring and fraud monitoring, among many other perks, to protect against identity theft.