The email marketing enterprise Klaviyo was recently the victim of a data breach.
Hackers gained access to the firm’s internal systems on August 3 after obtaining employee credentials through phishing. Once seen as a nuisance, phishing has risen through the cybercriminal ranks to become a powerful tool that allows a wide range of actors, such as hackers and ransomware gangs, to gain a foothold on company systems.
Personally identifiable information (PII) stolen
During the illegal incursion, the hacker downloaded marketing lists used by cryptocurrency-related accounts, as well as lists used for Klaviyo’s own marketing and product updates. PII that was stolen in the attack includes customers’ full names, email and postal addresses, and telephone numbers.
Once inside Klaviyo’s systems, the threat operators behind the attack employed internal tools to download the lists that contained details of 38 different customers who operate in the cryptocurrency industry.
A security notification released by Klaviyo explained in greater detail:
“The threat actor used the internal customer support tools to search for primarily crypto related accounts and viewed list and segment information for 44 Klaviyo accounts. For 38 of these accounts, the threat actor downloaded list or segment information. The information downloaded contained names, email addresses, phone numbers, and some account specific custom profile properties for profiles in those lists or segments.”
The hacker group also downloaded a pair of internal lists that Klaviyo used for issuing company product updates and promotional emails to customers. These lists also contained a wealth of personal information used to contact customers.
Actions taken after system penetration
Klaviyo recently stated that, after discovering the breach, it notified law enforcement agencies. It has also engaged the services of a third-party cybersecurity company to investigate the attack and how the network was breached.
The automated marketing specialist has warned its subscribers that they should keep a watchful eye open for targeted smishing and phishing attacks that employ their stolen personal data.
In a security-focused blog post, Klaviyo commented:
“We are concerned about potential phishing or smishing efforts by the threat actor and want our customers, contacts, and employees to be sceptical of any password reset requests, requests for payment info, or emails from unusual domains.”
The company also mentioned that it had identified bogus websites that were designed to resemble the layout of Klaviyo login pages. This is a common trick used by malicious actors to steal and harvest user credentials for use in future campaigns or for sale on the dark web. Reports indicate that multiple threat actors are already actively seeking data from the Klaviyo breach.
As the attack is recent, cybersecurity experts believe that in the short term, the data taken will most likely see private use by hackers or will be traded with other malicious actors. However, they have not ruled out the chance that it will later be leaked entirely for free through hacker forums. This type of move is engineered to earn kudos for cybercriminal gangs from their peers, raise their profile and attract new hacker talent to further their activities.