Newsletter subscribers’ email addresses were leaked from Mailchimp

This post was originally published on Decentraland

Your email address may have been acquired by malicious actors due to a Mailchimp data breach; Please stay alert as they may use it to try to send you emails impersonating the Decentraland Foundation.

What do I have to do?

• NEVER download anything directly from an email. The Decentraland Foundation will never attach files to an email for you to download or ask you to download anything directly from an email. If we have something for you to download (such as our upcoming Desktop Client beta), we will direct you to decentraland.org for your safety first.

• If you click on a link in an email, CHECK THE URL of the page the link takes you to. Make sure that the URL always ends with ‘decentraland.org’. Always check that ‘decentraland’ is spelled correctly and that it ends in ’.org’ before taking any action on the webpage if you were directed there by a link. Here are some examples of how phishing scams may try to deceive you:

• In addition to confirming that the URL is correct, you can make your verification process easier by bookmarking any Decentraland pages you access frequently, such as the launch page. If you’re on a page that you think may be impersonating a Decentraland page (one that you had previously bookmarked), you can check to see if the bookmark star in the right corner of your search bar is highlighted, indicating if you’re on the real Decentraland page, as seen below.

How did this happen?

Mailchimp, the service that the Decentraland Foundation uses for sending out newsletters, was compromised on March 24 in a targeted attack against certain accounts that appear to all be related to the cryptocurrency industry. The Decentraland Foundation requested but did not receive full confirmation from Mailchimp that our account was one of the ones whose data was compromised until April 2.

Our newsletter mailing list (the email address of anyone who’s signed up to receive Decentraland newsletters) as well as some user’s names and IP addresses and timestamps are the only data that was accessed by the malicious actors.

The data breach only involved a download of data—the criminals never had access to our actual Mailchimp account and were never able to send verified emails from it. This means that if they contact you, they may try to use an email that looks similar to ‘@decentraland.org’ such as ‘@decentraland.com’, some other variation, or even ‘decentraland.org’ itself using coding techniques such as ‘ghost spoofing’. We strongly recommend that you follow our cautionary steps listed above and treat any email that looks like it’s from the Decentraland Foundation carefully.

What the Decentraland Foundation does to fight fraud

1. In relation to this situation, we were proactive and checked our Mailchimp dashboard to see if there was any unusual activity as soon as we heard there was a Mailchimp breach. After seeing some suspicious activity, our legal team requested more information from the Mailchimp team, and only then did we get confirmation that our account was one of the ones accessed. We are requesting additional data from Mailchimp and have asked them to report what security actions they will be taking now and in the future.

2. Over the past few months, our legal team has been actively looking for and taking down phishing sites that we’ve detected through the internet. This cat-and-mouse chase has been evolving on many fronts, such as with scam bots on Discord, fake look alike websites that show up in search engine ads, and fake social media accounts on platforms such as Twitter, Instagram, and Facebook.

3. Our team is always on the lookout for safer alternatives to all the services and providers it relies on to provide as secure an experience to our users as possible.

NEVER download anything directly from an email. Decentraland would only ask you to download files from our official website.

ALWAYS verify that the decentraland.org URL is correct before taking any action on a website.

Remember that the Decentraland Foundation will NEVER ask you for your secret passphrase and we will never host a payment directly in Decentraland.

Please report any suspicious communication you receive related to Decentraland to [email protected] so that we can do our best to further increase the security of the platform and our community.