Intuit Sued Over Hack That Led to Theft of Cryptocurrencies

tech.hindustantimes.com:

Intuit Inc. was sued for failing to secure its email marketing service, which allegedly allowed hackers to steal cryptocurrencies from Trezor users.

Using a sophisticated phishing attack, hackers were earlier this month able to access cryptocurrency wallets sold by the Czech company Trezor, according to the lawsuit, filed Friday in federal court in San Jose.

Intuit’s Mailchimp email marketing service revealed on April 4 that hackers had penetrated its servers and harvested the “audience data” from 102 of its clients, including Trezor, according to the suit.

Using the data, the hackers sent phishing emails to Trezor users, warning them -- falsely -- that their accounts had been compromised and advising them to download a new version of what they claimed was the Trezor app, according to the suit. The phony app prompted users for their passwords and recovery codes, which the hackers used to clear out their digital wallets.

Alan Levinson, an Illinois man who filed the suit, said the hackers took cryptocurrencies worth $87,000 from his account.

The proposed class-action suit faults Intuit and its subsidiary Rocket Science Group LLC, which operates Mailchimp, but not Trezor. Intuit is accused of disregarding the rights of Trezor account holders by “failing to take adequate and reasonable measures to ensure that its data systems were protected.”

The hackers reportedly gained access to Mailchimp’s email accounts when one of its employees clicked on a malicious link in an email, according to the suit. 

“Defendants fell victim to one of the oldest cybertricks in the book,” Levinson claims in the lawsuit.

The suit is Levinson v. Intuit, Inc., 22-cv-02477, in U.S. District Court, Northern District of California (San Jose.)