Klaviyo security incident
Last week, we identified suspicious activity coming from the Klaviyo account of an employee and identified that the employee’s login had been compromised as a result of a phishing attack. We want to be as transparent as possible, share what we know and what we are doing to respond to the event.
On August 3, we identified a Klaviyo employee’s login credentials had been compromised, as a result of suspicious activity from our internal logging and a user report. This allowed a threat actor to gain access to the employee’s Klaviyo account and, as a result, some of our internal support tools.
We immediately revoked access for the compromised user and removed the threat actor from our systems. We began an investigation alongside a leading cybersecurity firm and notified law enforcement.
While the investigation is still ongoing, at this time we know:
- The threat actor used the internal customer support tools to search for primarily crypto related accounts and viewed list and segment information for 44 Klaviyo accounts. For 38 of these accounts, the threat actor downloaded list or segment information. The information downloaded contained names, email addresses, phone numbers, and some account specific custom profile properties for profiles in those lists or segments. All of these accounts have been notified with the details of which profiles and profile fields were accessed or downloaded.
- The threat actor also viewed and downloaded two of Klaviyo’s internal lists used for product and marketing updates. These exports included information such as name, address, email address and phone number. The download did not include any passwords, password hashes, or credit card numbers. The download also did not include any account data for subscribers who have a Klaviyo account. All impacted individuals have been notified.
What could come next
We are concerned about potential phishing or smishing efforts by the threat actor and want our customers, contacts, and employees to be skeptical of any password reset requests, requests for payment info, or emails from unusual domains. We have also seen new websites copying the Klaviyo layout trying to obtain Klaviyo logins. There may be a spike in phishing campaigns and look alike websites in the coming weeks.
For the security of all our users and customers:
- Password resets are never initiated by Klaviyo employees on your behalf. If you did not initiate a password reset, do not click on any links sent to you.
- Klaviyo will not send you a text message or SMS to ask for login details. Password resets are only supported via email.
- Klaviyo employees will not call you to ask for your password.
- Klaviyo only sends emails from the klaviyo.com domain and authenticated by SPF and DKIM records.
- Klaviyo will only ask you to log in through the klaviyo.com domain.
- For all users, we recommend enabling multi-factor authentication. You can learn how to do that here.
In addition, we quickly took the following steps to limit access and functionality to our internal support tools:
- We have further limited access to our internal tools to our private network (VPN) and Klaviyo issued devices.
- We are further restricting the ability for Klaviyo employees to download account data.
- We are updating our internal algorithms for detecting suspicious user behavior based on data from this attack.
- We are also taking additional steps to enhance our security and to prevent a similar attack from occurring in the future, and remain committed to improving our security through regular assessments.
Our customers come first and we consider safeguarding data as one of our foundational responsibilities. We sincerely apologize that this happened. We’re committed to transparency and will update this post as needed.
—Andrew Bialecki, CEO
I might have received a phishing email or SMS. What should I do?
If you have received a suspicious email or SMS that appears to be from Klaviyo, do not click on any links and forward the communication to firstname.lastname@example.org. If the suspicious communication appears to be from a brand you are a customer of, please report it directly to the brand or business.
Was this a ransomware attack?
No. There was no unauthorized encryption of systems or data nor was there a ransom request.
Did the attacker get direct access to any Klaviyo servers?
No. The threat actor compromised employee credentials that granted them access to our internal support tools.
Has the event been contained?
At this time we have confidence that we have removed the attacker from our systems. Our internal security team and external forensic experts are nonetheless still completing the investigation.