On January 19, 2023, Yuga Labs, the company minting Bored Ape Yacht Club (BAYC), one of the most successful NFT collections, revealed on Twitter that its Mailchimp account was affected by a recent data breach. Although Yuga Labs claimed not to have used this account for transactions related to non-fungible tokens (NFT), it warned the public about possible suspicious activity.
Mailchimp is one of the most popular platforms used for creating, maintaining and automating marketing campaigns. It has earned its reputation due to its user-friendly design, report and analytics tools, easy integration with other platforms such as Salesforce, Shopify and Magento as well as flexible pricing plans.
According to the official report published by Mailchimp on January 13, 2023, the intrusion occurred two days earlier as a result of a social engineering attack, in which the attacker psychologically manipulates victims into revealing information that can then be used for further illegal actions. The unauthorized actor used compromised employee and contractor credentials to access 133 Mailchimp accounts, including Yuga Labs'.
In its Twitter post, Yuga Labs stated:
"The data contained in our Mailchimp account was information from a couple of email campaigns involving a limited number of people. Mailchimp is strictly used for email communications, not mints."
Still, concerned about security, Yuga Labs asked its customers to stay vigilant and not share any sensitive information if they receive a direct message request. The company also indicated that no "surprise mints" are planned. Yuga Labs will notify its customers via email if data leakage is detected.
Yuga Labs is one of the leading projects on the market of digital collectibles. Yuga Labs generates revenue from secondary sales of its BAYC, CryptoPunks, Meebits and other popular collections. The company's NFTs are sold at record prices, making them a symbol of luxury going beyond the digital world.
The purchase of a BAYC NFT grants the owners membership in a private online club and entitles them to attend its exclusive events in person. Right before the disclosure of the security breach, a collector using the pseudonym "Pokee" had spent nearly $1 million on a bulk purchase of 69 DeGods NFTs.
Unsurprisingly, Yuga Labs, valued at $4 million in 2022, is a lucrative target for malicious Internet users. For instance, on June 4, 2022, the company experienced an intrusion that allowed the hacker to post phishing links via the compromised Discord account of Boris Vagner, the BAYC staffer responsible for managing this project. The attack resulted in the theft of 200 ETH ($360,000 at the time) worth of NFTs. This incident was preceded by three other attacks during the same year.
This is not the first intrusion incident for Mailchimp, either. In March of the previous year, the company discovered a similar social engineering attack that allowed hackers to steal data from 102 of the nearly 300 accounts they were able to view.