The Target: Klaviyo, an email marketing firm.
The Take: Exposure of client’s Personally Identifiable Information including: names, addresses, emails, phone numbers, and two internal customer lead lists.
The Vector: The attacker penetrated Klaviyo’s internal systems by tricking an employee to give up their company credentials through a phishing attack, allowing the threat actor to access systems with all the privileges of the stolen login.
This breach highlights critical need for employee training to protect a firm against phishing attacks. By using the exposed credentials, the attackers were able to act with all the same permissions as the affected employee. The human component of cybersecurity is a very real and important piece of the overall picture of cybersecurity posture.