Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Chipotle’s marketing account hacked to send phishing emails

Chipotle’s marketing account hacked to send phishing emails

Hackers have compromised an email marketing account belonging to the Chipotle food chain and used it to send out phishing emails, luring recipients to malicious links.

Most of the messages directed users to credential-harvesting sites impersonating services from a financial business and Microsoft. A very small number had malware attachments.

Hacked Mailgun account

The campaign sent out in three days at least 120 malicious emails from a hacked Mailgun account used by Chipotle for email marketing purposes [].

Using a legitimate email address increases the chances of a successful delivery, especially when there are automated security solutions in place that check if email addresses pass the DomainKeys Identified Mail (DKIM) and Sender Policy Framework authentication methods.

Also Read: Data Protection Policy: 8 GDPR Compliance Tips

Almost all malicious emails impersonated Microsoft with the purpose of collecting login information. Email security company Inky says in a blog post today that they caught 105 such emails in this three-day campaign.

“Almost everyone has a Microsoft account, and logins there can lead to all kinds of interesting data, including other logins, trade secrets, financial details, and other intelligence” – Inky

The emails appeared to come from “Microsoft 365 Message center” and alerted the recipient of emails that could not be delivered “due to low email storage” in the cloud.

Clicking on the button that allegedly “released messages to inbox” would take the user to a fake Microsoft login page that harvested the sensitive information.

Chipotle-delivered phishing email impersonating Microsoft 365

The hackers also impersonated the United Services Automobile Association (USAA), a Fortune 500 diversified financial services group of companies, enticing the user to navigate to a well-crafted phishing site.

USAA phishing email delivered from hacked Chipotle address

The rest of the fake emails, two of them, posed as voicemail notifications and carried malware attachments. While Inky does not say what type of threat was delivered, business email compromise (BEC) fraudsters often use phishing to deliver information stealers to collect information helpful for the social engineering part of the scam.

Hacking an email marketing platform for phishing attacks has been described earlier this year as an entry vector used by Nobelium, the state-sponsored threat actor blamed for the Solarwinds supply-chain attack.

However, Inky says that they found no evidence indicating that the recent email phishing campaign is the work of the same group of hackers.

Also Read: 5 Types of Ransomware, Distinguished



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us