Hello Readers—Goodbye Mailchimp
It’s been a minute — not because we took a long August vacation but because Mailchimp shut down our email service. It’s a story worth sharing.
There are three lessons here:
- No matter how committed you are to your own cybersecurity, it’s still possible to get caught up in the cybersecurity mess of a third-party provider.
- Even an IT advisor like Electronic Office can never take our technology partners for granted. Services from an industry giant like Mailchimp can become inaccessible on a moment’s notice.
- Multi-Factor Authentication can save your account (according to TechTarget, it saved theirs) and we consider MFA an essential safeguard to any account, whenever available.
What Happened to EO Advisor?
In August, EO received notification that our Mailchimp account was “permanently suspended” without explanation. Our first inquiry came back like this:
We were surprised to notice that Mailchimp had removed its customer service phone number from their website, and confirmed that they no longer handle customer service by phone.
At this point, “Brett” became concerned (many of you know Brett—he leads client services at EO) that this could be a sophisticated phishing trick by a bad actor. Mailchimp wanted Electronic Office to click on a link and then have “Brett” provide an extensive amount of personal information (passport, driver’s license, etc.) to validate the account. We recently wrote about BEC Fraud, and this is exactly how it starts.
But no, this turns out to be real. Our CEO at Electronic Office called a senior sales executive at Mailchimp. Over the phone, the head of sales confirmed that Mailchimp had firewalled off its entire customer service department, even from internal salespeople like himself. He also confirmed that this was in response to a security incident at Mailchimp.
Upon close inspection, we found no red flags on our account. EO is using a carefully curated email list for the EO Advisor newsletter. There has never been a problem before and yet, instantly, our service was shut down for reasons that Mailchimp cannot or will not explain.
What Happened to Mailchimp?
We know what happened to us but we still don’t know why. A look at Mailchimp’s recent history begins to shed light on the situation.
Last November, Intuit (the owner of Quickbooks and other SaaS financial products) bought Mailchimp for $12 billion. Yup, that’s not a typo. $12 billion for an automated tool for sending out emails.
Within months of the acquisition—by April of 2022—Mailchimp confirmed a data breach after malicious hackers compromised an internal company tool to gain access to customer accounts.
The irony is not lost on us that a giant in email services acknowledged that it was a victim of a social engineering attack. Mailchimp acknowledged that the bad actors got inside 300 of their clients’ accounts and exported the audience data from 102 of these accounts.
Now, we wonder if Mailchimp ever really got to a place where they knew with certainty what happened or even if the bad actor(s) were completely removed from inside their systems. That’s because the news went from bad to worse in August.
On August 8th, a respected and well-known cloud services company called DigitalOcean openly fired Mailchimp with a note to all customers that was released publicly:
We can’t directly connect DigitalOcean’s decision to a news release from Mailchimp four days later, but it is fair to conclude that Mailchimp had been trying to keep a much bigger problem from coming to light. On August 12th, Mailchimp posted a notice on their website that they were temporarily suspending all accounts for customers in the cryptocurrency space.
In their own words:
“In response to a recent attack targeting Mailchimp’s crypto-related users, we’ve taken proactive measures to temporarily suspend account access for accounts where we detected suspicious activity while we investigate the incident further.”
Tech media investigations suggest that Mailchimp’s own post about this crisis, as bad as it is, still downplays what is happening at Mailchimp. Think about it, what better way to use email to trick people to do unfortunate things than to be able to do that from inside of Mailchimp’s customer email servers? Yikes.
While drafting this, EO accessed its Mailchimp account to delete payment information. That effort was met with this:
Not only was Mailchimp’s customer service site down, they were recommending Twitter as the best way to get updates. That’s not good.
Why Isn’t This A Bigger News Story?
We share this story because it is a fascinating look into the challenges of cyberattacks that all of us face today. We wanted our readers to know what happened to EO Advisor and to give a heads-up regarding Mailchimp.
The silver lining is that the outcome of Mailchimp’s bad situation might have been mitigated by the most important security protocol that every reader should remember: Multi-factor Authentication is a powerful tool that we all need to use consistently.
We believe that Mailchimp was forced to move at breakneck speed to shut down possibly compromised accounts and some accounts—like ours—just got swept up in their situation. We have no reason to believe that the email addresses we use to distribute EO Advisor were compromised. Nonetheless, you will notice—if you’re a subscriber to the EO Advisor emails—that email was sent to you using our new platform: Hubspot.