If you think your MailChimp account has been compromised, the best thing to do is remain calm and act quickly. We'll list some possible weirdness points below and let you know what action to take.

I'm Receiving Password Reset Emails

Take the following steps from a secure machine, preferably one that is not on your network.

  1. Reset your password.
  2. Reset your Security Question and Answer.
  3. Reset your username.
  4. Reset your contact email address.
  5. Revoke Account Keys for any accounts that have been granted access to your account.
  6. Change any active API keys by deleting the active API keys and creating new keys.

I'm Receiving Forgot Username Emails

Take the following steps from a secure machine, preferably one that is not on your network.

  1. Reset your password.
  2. Reset your Security Question and Answer.
  3. Reset your username.
  4. Reset your contact email address.
  5. Revoke Account Keys for any accounts that have been granted access to your account.
  6. Change any active API keys by deleting the active API keys and creating new keys.

I'm Seeing Email from MailChimp Staff/Service Teams

If you're seeing emails from the MailChimp Support Teams that you or someone from your team didn't initiate, that could be an indication that someone else is using your account.

Take the following steps from a secure machine, preferably one that is not on your network.

  1. Contact our support team from a secure email address (not the one that is sending rogue emails). They will then turn off login and send capabilities on the account until you can reset your data.
  2. Reset your password.
  3. Reset your Security Question and Answer.
  4. Reset your username.
  5. Reset your contact email address.
  6. Revoke Account Keys for any accounts that have been granted access to your account.
  7. Change any active API keys by deleting the active API keys and creating new keys.

I Think My List has been Stolen

Take the following steps from a secure machine, preferably one that is not on your network.

  1. Contact our support team from a secure email address (not the one that is sending rogue emails). They will then turn off login and send capabilities on the account until you can reset your data.
  2. Reset your password.
  3. Reset your Security Question and Answer.
  4. Reset your username.
  5. Reset your contact email address.
  6. Revoke Account Keys for any accounts that have been granted access to your account.
  7. Change any active API keys by deleting the active API keys and creating new keys.

Other

If you see any of the following, please notify our Delivery/Compliance team.

  • Someone tweeting, posting, or emailing spam from one of our users' accounts.
  • Reports of spam from one of our users in online forums.
  • Any notifications of security breaches from our users.

How Does This $#!*& Happen?!?

There are two ways this normally happens. The most common scenario is a "rogue employee" or "angry business partner" who had access to your MailChimp account. They got mad, then they got stupid. It happens. As you can imagine, this scenario usually gets resolved in court. If you need to contact our General Counsel or to send court orders preserving account data for your case, use this form: http://kb.mailchimp.com/contact .

Another way we've seen accounts stolen is when the MailChimp customer's computer has been infected with malware that "keystroke logs" everything you type. Your passwords (not just to MailChimp, but to your bank, your office network, etc.) are stolen by the hacker, and then re-sold. Where are they re-sold? Imagine a nasty online marketplace out there where a hacker can go and say, "Hello, I'd like to purchase 3 passwords to XYZ Bank, and 2 passwords to ABC Online Store, and oh yeah -- give me 2 fresh passwords to 123 Email Marketing Service." Once they have your MailChimp password, they log in and do their damage. This is serious stuff. But as you might've already surmised, if your MailChimp password has been stolen, so might have all your other passwords on that infected computer. We're probably the least of your worries right now.

Will I be charged for this?

If your MailChimp account's been stolen, the last thing you're probably thinking about is MailChimp fees, but rest assured: you won't be charged for the emails sent by the person who broke into your account.

