At Mailchimp, the security of our users’ data is our top priority.
On August 8, our Security team became aware of an unauthorized actor accessing one of the tools our customer-facing teams use for customer support and account administration. The actor gained access using employee credentials compromised in a social engineering attack on Mailchimp employees.
What happened and our response
Across the tech industry, malicious actors are increasingly deploying an array of sophisticated phishing and social engineering tactics targeting data and information from crypto-related companies. In response to a recent attack targeting Mailchimp’s crypto-related users, we’ve taken proactive measures to temporarily suspend account access for accounts where we detected suspicious activity while we investigate the incident further. We took this action to protect our users’ data, and then acted quickly to notify all primary contacts of impacted accounts on August 10 and implement an additional set of enhanced security measures. We did not suspend accounts based on their industry, and we are committed to continuing to serve crypto companies. In fact, we reviewed our Standard Terms of Use and Acceptable Use Policy in light of our commitment to bringing innovative crypto solutions to our customers.
On August 22, we followed up with an email to the account owner of each affected account with steps to help users safely reinstate access to their Mailchimp accounts. If you have questions regarding a notice you received or the incident in general, please reach out to us here.
The Impact
Based on our investigation to date, it appears that 214 Mailchimp accounts were affected by the incident. Our findings show that this was a targeted incident focused on users in industries related to cryptocurrency and finance.
We realize this may have caused uncertainty for our users and their customers and apologize for the disruption. We are continuing our investigation and proactively providing impacted users with timely and accurate information throughout the process.
Published August 12, 2022. Last updated on August 22, 2022.