Cryptocurrency and fintech customers are being urged to stay vigilant after email marketing company Mailchimp was breached in an incident that saw the accounts of over 300 Mailchimp corporate customers compromised.

Mailchimp’s CISO, Siobhan Smyth, said “an external actor conducted a successful social engineering attack on Mailchimp employees” which resulted in credentials being stolen and used to scrape audience data and access API keys that could have been used to send malicious emails from legitimate accounts.

“Out of an abundance of caution, we disabled those API keys, implemented protections so they can’t be re-enabled, and notified affected users,” Smyth said.

The attacker exported audience lists from 102 companies which led to targeted phishing campaigns against users of popular cryptocurrency and fintech services including hardware wallet company Trezor and metaverse application Decentraland.

Trezor, which sells small USB devices used to store cryptocurrency offline, published a blog post about the phishing campaign it said was “exceptional in its sophistication”.

Customers on Trezor’s mailing list received an email warning about “a security incident” in which the company’s software was hacked, stressing the need to “download the latest version of Trezor Suite”.

A link a the bottom of the email downloaded a spoofed version of Trezor’s official software. Users were prompted to enter the seed phrase that is used to recover wallets which would have seen crypto drained from their wallets.

Trezor said it doesn’t yet know how many of its customers fell foul of the phishing attempts, saying on Twitter that it would pause all newsletter communications “until the situation is resolved”.

“We are actively warning customers about the ongoing phishing attacks, having published warnings on our website and social media, and also within the Trezor Suite app,” the company said.

“We have already taken down many of the malicious sites associated with [the] attack.”

Blockchain-based metaverse company Decentraland also confirmed its mailing list was compromised in the Mailchimp breach, warning users to “NEVER download anything directly from an email”.

“The data breach only involved a download of data the criminals never had access to our actual Mailchimp account and were never able to send verified emails from it,” Decentraland said in a blog post about the breach.

Decentraland and Trezor both warned users to be on the lookout for fake domain names and check the sender on all email communications.

“Phishing emails usually present themselves as urgent,” Trezor said in a section of its blog post dedicated to helping people identify phishing scams.

“They may warn that your access to a service will be blocked access, that there has been a security breach, or that some other critical event needs your attention.

“If an email contains an urgent warning, verify such information on official channels run by the sender.”