Your Marketing Automation Tool Could Be Hacked; How to Avoid Data Loss
Posted: Sun Dec 22, 2024 7:09 am
Mailchimp was recently hacked twice within a six-month period, and the second time, hackers used social engineering to gain access to the platform's customer data.
These recent attacks on Mailchimp make us rethink whether we are paying due attention to the security of the tools we use, especially those that can store sensitive data, such as marketing automation platforms.
With this in mind, we asked the expert teams at MATH MKT and MATH TECH to highlight and remind you of some simple but important resources and processes to ensure the security of your customers' data:
Data ingestion: Regulate the data that will be sent to the tool, restricting the ingestion of sensitive data and transferring only that which is essential for your campaigns. It is a simple way to limit the amount of your customers' information that may be exposed, especially sensitive data such as documents, addresses and financial data.
Systemic ID: Define a systemic ID, a unique user identifier that is not built from a document number or any other sensitive data.
Business rules: Keep more complex rules, which require more data, outside the tool. Besides optimizing processing, this ensures that no unnecessary data is entered into the campaign database.
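The three points above (send only what the campaign needs, derive an opaque ID, evaluate rules outside the tool) as one added example; this is not code from the original post, and the field names, the sample record and the HMAC-based ID scheme are assumptions:

```python
# Added example (not from the original post): outbound filter for a marketing tool.
# Sends only allowlisted fields, blocks sensitive ones, evaluates a business rule
# outside the tool and derives an opaque systemic ID from the CRM primary key.
# Field names and the sample record are constructed assumptions.
import hmac
import hashlib

# Fields a campaign actually needs (assumed names).
CAMPAIGN_ALLOWLIST = {"email", "first_name", "consent_marketing"}
# Fields that must never leave the CRM, even if someone later widens the allowlist.
SENSITIVE_DENYLIST = {"national_id", "passport", "street_address", "card_number", "iban"}

def make_systemic_id(crm_id: str, secret: bytes) -> str:
    """Stable, opaque identifier: HMAC of the internal key under a server-side secret.
    It embeds no document number and cannot be reversed by the tool's users."""
    return hmac.new(secret, crm_id.encode(), hashlib.sha256).hexdigest()[:32]

def campaign_segment(record: dict) -> str:
    """Business rule kept outside the tool: only the resulting label is sent,
    never the purchase history it is computed from."""
    return "high_value" if record.get("total_spend_12m", 0) >= 1000 else "standard"

def prepare_for_tool(record: dict, secret: bytes) -> dict:
    """Return the minimal payload for the marketing tool; refuse outright if the
    allowlist itself has been widened to include a sensitive field."""
    leaked = CAMPAIGN_ALLOWLIST & SENSITIVE_DENYLIST
    if leaked:
        raise ValueError(f"allowlist contains sensitive fields: {sorted(leaked)}")
    payload = {k: v for k, v in record.items() if k in CAMPAIGN_ALLOWLIST}
    payload["systemic_id"] = make_systemic_id(str(record["crm_id"]), secret)
    payload["segment"] = campaign_segment(record)
    return payload

# Constructed sample CRM record (not real data).
SAMPLE_RECORD = {
    "crm_id": 10421,
    "email": "ana@example.com",
    "first_name": "Ana",
    "consent_marketing": True,
    "total_spend_12m": 1500,              # used by the rule, never sent
    "national_id": "123.456.789-00",      # must be dropped
    "street_address": "Rua Exemplo, 10",  # must be dropped
    "card_number": "4111111111111111",    # must be dropped
}

if __name__ == "__main__":
    print(prepare_for_tool(SAMPLE_RECORD, b"server-side-secret"))
```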
Roles and permissions: Always use the tools' native features to define roles and permissions for each user, limiting the ability to change and view settings and data to only what each person needs.
User monitoring: It is also very important to keep external control over the tool and the people with access to it, and to trigger the user disabling process whenever necessary, for example when someone leaves the company.
Audit reports: Some tools have native reports of the accesses performed; it is always important to keep a history of these logs so that material is available for any future investigation.
Rules for creating passwords: It is extremely important to define complexity requirements when creating access passwords, whether for users or APIs. Several tools have features to manage and enforce this complexity, as well as to define session timeouts, password expiration times and login attempt limits, which are also extremely important for access control. Example values for such a policy:
Session time out: 2 hours
Login expiration timeout: 30 days
Login attempts before lockout: 3
Minimum username length: 6 characters
Minimum password length: 8 characters
Password complexity: 1 alpha, 1 numeric, 1 special character
Password expiration time: 30 days
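An added example (not code from the original post) that enforces exactly the values listed above: the complexity check, the three-attempt lockout, the two-hour idle session and the 30-day password and login expirations. The `AccessState` store is an assumption, and "login expiration" is read here as "re-verify a user who has not logged in for 30 days".

```python
# Added example (not from the original post): checker for the access policy values
# listed above. AccessState and the reading of "login expiration" are assumptions.
import re
from datetime import datetime, timedelta

POLICY = {
    "session_timeout": timedelta(hours=2), "login_expiration": timedelta(days=30),
    "max_login_attempts": 3, "password_expiration": timedelta(days=30),
    "min_username_len": 6, "min_password_len": 8,
}

def password_meets_policy(username: str, password: str) -> list:
    """Return the violated rules; an empty list means the credentials are acceptable."""
    problems = []
    if len(username) < POLICY["min_username_len"]:
        problems.append("username too short")
    if len(password) < POLICY["min_password_len"]:
        problems.append("password too short")
    for pattern, rule in ((r"[A-Za-z]", "needs an alphabetic character"),
                          (r"[0-9]", "needs a numeric character"),
                          (r"[^A-Za-z0-9]", "needs a special character")):
        if not re.search(pattern, password):
            problems.append(rule)
    return problems

class AccessState:
    """Per-user state needed to enforce lockout, session timeout and expiry."""
    def __init__(self, password_set_at: datetime, last_login: datetime):
        self.password_set_at = password_set_at
        self.last_login = self.last_activity = last_login
        self.failed_attempts = 0

def evaluate_login(state: AccessState, password_ok: bool, now: datetime) -> str:
    """Outcome of one attempt: ok, denied, locked, password_expired or login_expired."""
    if state.failed_attempts >= POLICY["max_login_attempts"]:
        return "locked"                      # stays locked until an admin resets it
    if not password_ok:
        state.failed_attempts += 1
        return "locked" if state.failed_attempts >= POLICY["max_login_attempts"] else "denied"
    state.failed_attempts = 0
    if now - state.password_set_at > POLICY["password_expiration"]:
        return "password_expired"            # force rotation before granting access
    if now - state.last_login > POLICY["login_expiration"]:
        return "login_expired"               # re-verify the user (e.g. via MFA) first
    state.last_login = state.last_activity = now
    return "ok"

def session_valid(state: AccessState, now: datetime) -> bool:
    """Idle sessions past the timeout must authenticate again."""
    return now - state.last_activity <= POLICY["session_timeout"]
```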
Multifactor authentication: An increasingly common feature in these tools, it grants access only after the user also passes a second authentication mechanism. There are several ways to do this, from confirming codes received via SMS to dedicated authenticator apps; which options are available varies by tool.
In addition to the above points, there are more complex and sophisticated features that can bring more security such as data encryption, sending without data retention, "tokenized" sending and IP restriction lists.
Remember the Mailchimp case
On January 11, Mailchimp suffered an attack in which social engineering of its employees and contractors yielded their passwords, which the attacker then used to gain access to the data of 133 customer accounts.
One of the clients that was the target of the attack, e-commerce giant WooCommerce, said the breach may have exposed the names, web addresses and email addresses of its customers. However, it said no customer passwords or other sensitive data were obtained.
Another similar attack happened in August 2022, when social engineering compromised the credentials of its customer support team, granting the intruder access to Mailchimp's internal tools.
That earlier attack exposed data from more than 200 tool accounts.
Because of attacks like these, it is worth analyzing whether the tool you use has most of the features mentioned in this article. If these points make you rethink whether you are using the right tool in the right way, contact us and we will help you with this analysis.