Information about a Recent Mailchimp Security Incident

We’re committed to being transparent about the incident

At Mailchimp, our users’ security is our top priority, and we take our responsibility to protect the privacy of our users and their data seriously.

On March 26, our Security team became aware of a bad actor accessing one of our internal tools used by customer-facing teams for customer support and account administration. The bad actor gained this access by conducting a successful social engineering attack on Mailchimp employees, which resulted in employee credentials being compromised. We’re committed to being transparent with what we know and how we’re responding.

What happened and our response

As part of the same incident, on April 2, the bad actor attempted to send a phishing campaign to a user’s contacts from the user’s account with information they obtained during the March 26 attack. We were able to block the bad actor from the user’s account, notified the account owner, and immediately took steps to prevent further access to the Mailchimp platform. However, a phishing campaign was still sent to the user’s contacts through other means. Thus far, this is the only phishing campaign we’ve identified or that’s been reported by customers based on this incident.

Beginning on March 26, we opened an investigation and engaged outside forensics professionals to understand what happened and the potential impact. From the outset, we acted swiftly to address the situation by limiting employee access to internal systems. Given that it’s not uncommon for these types of incidents to include multiple attacks, we’re activating an additional set of aggressive measures to help ensure the security of our users’ data while this event is under investigation.

The impact

Based on our investigation to date, we found that 319 Mailchimp accounts were viewed and audience data was exported from 102 of those accounts. Our findings show that this was a targeted incident focused on users in industries related to cryptocurrency and finance. All owners of impacted accounts have been notified.

We sincerely apologize for the concern and uncertainty this may have caused for our users and their customers. We take pride in our security culture, infrastructure, and the trust our customers place in us to safeguard their data. We’re confident in the security measures we’re implementing and steps we’re taking to protect our users’ data and help prevent future incidents.

We are committed to continuing our investigation of this incident, and providing transparent communication throughout the process. We’ll update this statement with additional facts or findings as needed.

If you have any questions, please contact us here.

Thanks,
Siobhan Smyth
CISO at Mailchimp

FAQs

I’m a Mailchimp customer, was my data compromised?
While our investigation is still underway, our initial assessment found that 319 Mailchimp accounts were viewed and audience data was exported from 102 of those accounts. We contacted the owners of all impacted accounts via email. If you have not been contacted by Mailchimp, we have no reason to believe your account has been impacted at this time. If you have further questions, please contact Mailchimp support.

I believe I may have received a phishing email. What should I do?
If you suspect you’ve received a malicious or phishing email, do not click any links. If the phishing email appears to be from a company you’re a customer of, we recommend reporting it to that company directly.

How was the attacker able to access customers’ audience information?
A bad actor used social engineering to compromise a Mailchimp employee account and gain access to an internal tool used to assist customers. The bad actor was able to make use of this access to view customer accounts and export certain audience data.
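The access pattern described in this answer (a single employee identity using a support tool to view many customer accounts and export audience data from a subset of them) is one that audit logging on such a tool can surface. The following Python detector is an added illustration written for this page; it is not Mailchimp's code, tooling, or data. The log format, field names (`ts`, `employee`, `action`, `account`), the window of one hour, and the threshold of five accounts are all assumptions, and the events are constructed for the example.

```python
"""Flag employee identities that export audience data from an unusually
large number of distinct customer accounts within a short window.

Hypothetical detector over constructed support-tool audit events.
Not Mailchimp's tooling or data; every field name and threshold below is
an assumption made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _event(ts, employee, action, account):
    return {"ts": ts, "employee": employee, "action": action, "account": account}


# Constructed sample audit log.
# emp-17 behaves like a normal support agent: a few views, exports spread out.
# emp-42 exports from eight different accounts in fourteen minutes.
SAMPLE_EVENTS = [
    _event("2022-03-26T09:00:00", "emp-17", "view_account", "acct-001"),
    _event("2022-03-26T09:00:30", "emp-17", "export_audience", "acct-001"),
    _event("2022-03-26T09:30:00", "emp-17", "export_audience", "acct-002"),
    _event("2022-03-26T15:00:00", "emp-17", "export_audience", "acct-003"),
] + [
    _event(f"2022-03-26T11:{2 * i:02d}:00", "emp-42", "view_account", f"acct-1{i:02d}")
    for i in range(8)
] + [
    _event(f"2022-03-26T11:{2 * i:02d}:30", "emp-42", "export_audience", f"acct-1{i:02d}")
    for i in range(8)
]


def find_bulk_exports(events, window=timedelta(hours=1), max_accounts=5):
    """Return one alert per employee whose audience exports touched more than
    `max_accounts` distinct customer accounts inside any `window`-long span.

    Views are deliberately ignored: looking at an account is routine support
    work, while exporting audience data from many accounts at once is not.
    """
    exports_by_employee = defaultdict(list)
    for e in events:
        if e["action"] == "export_audience":
            exports_by_employee[e["employee"]].append(
                (datetime.fromisoformat(e["ts"]), e["account"])
            )

    alerts = []
    for employee, exports in exports_by_employee.items():
        exports.sort()  # time order is required for the sliding window
        start = 0
        worst_window = set()
        for end in range(len(exports)):
            # Advance the window start until it spans at most `window`.
            while exports[end][0] - exports[start][0] > window:
                start += 1
            accounts_in_window = {acct for _, acct in exports[start : end + 1]}
            if len(accounts_in_window) > len(worst_window):
                worst_window = accounts_in_window
        if len(worst_window) > max_accounts:
            alerts.append(
                {
                    "employee": employee,
                    "distinct_accounts": len(worst_window),
                    "accounts": sorted(worst_window),
                }
            )
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_exports(SAMPLE_EVENTS):
        print(
            f"ALERT {alert['employee']}: exported audience data from "
            f"{alert['distinct_accounts']} accounts within one hour: "
            f"{', '.join(alert['accounts'])}"
        )
```

A threshold like this is a starting point, not a complete control: the window and account count should be tuned against the tool's normal usage, and an alert on the export action is most useful when paired with step-up authentication or a second approver for bulk exports so that a compromised employee credential alone is not enough to pull data.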

What is Mailchimp doing to prevent something like this from happening in the future?
The security of our users’ data is our top priority. Given that it’s not uncommon for these types of incidents to include multiple attacks, we’re enacting an additional set of aggressive measures to ensure the security of our users’ data while this event is under investigation.

Published April 4, 2022