As a new world of virtual fashion takes shape, so do the security risks — which is a lesson learned the hard way, after a MailChimp attack compromised Decentraland’s newsletter list just as its Metaverse Fashion Week got underway last month.
The organization received the confirmation this past weekend and emailed users on Monday. The attack targeted cryptocurrency accounts, according to the message.
“Mailchimp, the service that the Decentraland Foundation uses for sending out newsletters, was compromised on March 24 in a targeted attack against certain accounts that appear to all be related to the cryptocurrency industry,” it wrote. “The Decentraland Foundation requested but did not receive full confirmation from Mailchimp that our account was one of the ones whose data was compromised until April 2.”
Notably, March 24 was the first official day of Metaverse Fashion Week. Including early openings the day before, the five-day long affair drew a total of 108,000 unique attendees. From Wednesday through Sunday, designers and brands sold 7,065 wearables amounting to $76,757, while 165,861 free wearables were minted.
But the hackers did not have access to those transactions, at least not directly.
The attack on MailChimp used an internal tool for customer support and account administration to gain illicit access to accounts. The company found the breach on March 26 and traced it back to a “social engineering attack,” an exploit that takes advantage of human behavior or error, rather than a technical failing — such as a recipient clicking on a suspicious link in a phishing email.
In a statement provided to WWD, a Decentraland spokesperson clarified the scope.
“The newsletter mailing list (the email address of anyone who’s signed up to receive Decentraland newsletters), as well as some users’ names and IP addresses, and timestamps, are the only data that was accessed by the malicious actors,” the statement read. “We urge our community to be extra cautious of attempted phishing. Only Mailchimp’s servers were affected, and nothing on the Decentraland side has been compromised.”
Affected users may become more of a target for potential phishing emails, however, which is why the group offered tips to spot the difference between real and fake messages.
For instance, legitimate emails come from “@decentraland.org,” not “@decentraland.com,” but it’s all too easy to miss subtle differences. Even then, there’s no guarantee, since it’s possible to spoof an authentic sender address. The bottom line: Don’t download anything or click on links within emails, even if the message looks authentic. Perform any needed tasks by separately visiting the site, and don’t share authentication credentials, especially for blockchain assets or crypto wallets.
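The sender-domain check described above, as an added example that is not part of the original article or of any Decentraland tooling: it flags lookalike domains (the .com in place of .org, or the real name buried in a longer hostname) and, because the From header itself can be forged, only treats an exact match as legitimate when the receiving mail server’s Authentication-Results header reports a DMARC pass. The allowlist, the header name and the sample messages are assumptions constructed for the example.

```python
import email
from email.utils import parseaddr

# Assumption: the only legitimate newsletter sender domain, as the article states.
LEGIT_DOMAINS = {"decentraland.org"}


def sender_domain(msg):
    """Return the lower-cased domain of the From address, or '' if there is none."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def classify_sender(raw_message):
    """Classify a raw RFC 5322 message as one of:
    'legitimate'  exact allowlisted domain AND the local MTA recorded dmarc=pass
    'unverified'  exact allowlisted domain but no DMARC pass (possible spoof)
    'lookalike'   same leading label as an allowlisted domain, different suffix
    'unknown'     anything else
    Assumption: the receiving server appends an Authentication-Results header.
    """
    msg = email.message_from_string(raw_message)
    domain = sender_domain(msg)
    if domain in LEGIT_DOMAINS:
        auth = msg.get("Authentication-Results", "").lower()
        return "legitimate" if "dmarc=pass" in auth else "unverified"
    # decentraland.com and decentraland.org.evil.test both start with "decentraland"
    label = domain.split(".")[0]
    if label and any(label == legit.split(".")[0] for legit in LEGIT_DOMAINS):
        return "lookalike"
    return "unknown"


# Constructed sample messages (not real mail) to exercise each branch.
GENUINE = (
    "From: Decentraland <newsletter@decentraland.org>\n"
    "Authentication-Results: mx.example.test; dmarc=pass header.from=decentraland.org\n"
    "Subject: Fashion Week recap\n\nThanks for attending.\n"
)
SPOOFED = (
    "From: Decentraland <newsletter@decentraland.org>\n"
    "Authentication-Results: mx.example.test; dmarc=fail header.from=decentraland.org\n"
    "Subject: Urgent wallet verification\n\nConfirm your seed phrase.\n"
)
LOOKALIKE = "From: Decentraland <news@decentraland.com>\nSubject: Hi\n\nClick here.\n"
```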
Decentraland does not appear to have been specifically targeted in this attack, as hackers viewed 319 MailChimp accounts and exported audience data from 102 of them. One of those accounts was Trezor, a hardware cryptocurrency wallet. On Sunday, its users received phishing emails about a fake security breach, which in fact prompted them to download malware programmed to steal their cryptocurrency.
It’s not clear if any of Decentraland’s MVFW designers, brands or online patrons were affected by the attack. Spokespeople for the organization told WWD that they did not see any notification or data related to that, at least so far.
For brands — especially those dipping their toe into Web3, crypto or blockchain pursuits for the first time — the scenario makes for a bracing introduction. But it also offers a crucial and apt lesson: As more of fashion moves into the metaverse and a growing array of goods go virtual, there’s as much risk as potential reward. When it comes to matters of security, maybe even more so.