5 Steps to a More Secure MailChimp Account

News broke this week that a number of Australian business customers were targeted by phishing emails carrying an infected attachment. A message sent by one of the affected companies suggests that the source of these emails was compromised MailChimp accounts.

Example of phishing email sent via a compromised MailChimp account.


As users of MailChimp, we understand the utility and power of the platform but we're very mindful of the risks associated with keeping your details there in aggregate.

MailChimp themselves provide some security best practices that are a great starting point for keeping your subscriber data safe, but here are a few extra steps we've implemented that make an account less likely to be compromised in this way.


Step 1 - Use a Strong Password

A common way accounts like these get compromised is that the password protecting them is weak or reused. Your first step to increasing the security of your account is to increase the strength of your password. Here are a few things to consider:

  1. Make it long: go for at least 8 characters, but longer is better; a multi-word passphrase is easy to remember and hard to guess.
  2. Make it complex: use a combination of letters, numbers and special characters.
  3. Make it unique: don't reuse a password you've used elsewhere, because a reused password leaks the moment any other site that holds it is breached. Rather than relying on a pattern someone could guess, use a password manager to generate and store it.

Step 2 - Activate Two-Factor Authentication

Eventually even the best password in the world will fail: it can be phished, guessed, or leaked from another site. That's why it's important to have something else (a second factor) protecting your account. Two-Factor Authentication means that logging in also requires something you physically have, usually your phone, which is far harder for a remote attacker who has only your password to obtain.

Great news
If you enable Two-Factor Authentication in MailChimp, they'll give you a 10% discount!

MailChimp provide 2 options for Two-Factor Authentication in the Security settings page for your account (click on your name in the top right corner of the screen if you're lost):

Option 1 - Use an Authentication App

This option is a little more complicated to set up but more secure: the code is generated from a secret stored on your phone rather than sent to your phone number, so it still protects you in the event that your number is ported to an attacker's SIM (yep, that happens).

Basically you download one of a few authenticator apps (e.g. Google Authenticator) and link it up to your MailChimp account. Then whenever you log in, you open the app on your phone and enter the 6-digit code it shows when prompted.

Option 2 - Use SMS

If the whole authenticator app thing is a bit much for you, MailChimp also supports Two-Factor Authentication via SMS. Here you enter your phone number and they will text you a 6-digit code any time you log in. Bear in mind that this option is only as secure as your phone number: anyone who can get your number ported or your texts forwarded receives the code too.

Step 3 - Log Out When You're Done

MailChimp kindly offers a "Keep Me Logged In" option whenever you sign in. This makes it easy to get going, but isn't great for security.


Two-Factor Authentication and a strong password are great, but they are only checked when you log in. If you stay logged into your account on a computer or phone that is later lost or compromised, whoever has the device inherits your session and never has to get past either of them.

Whenever you're finished with MailChimp, use the Log out option via the menu in the top right hand corner of the page.

Step 4 - Enable Login Notifications

This one is a bit less obvious unless you go looking for it.

At the bottom of your Account > Profile page there is a section for Connections and Notifications. Here you have the option of being notified whenever something on your account changes or someone logs in.

Turn them on

These notifications can be a bit annoying if you log into your account often, but will give you the best chance of responding quickly if something does happen out of the blue.

Step 5 - Check Your Integrations and Users

Phew. Almost there.

If you've been using MailChimp for a while, chances are you've expanded how you use it or maybe even started using it with other people. Over time these things are easily forgotten, and if left in place they could leave your MailChimp account open to compromise, either through other users with access or through 3rd-party apps (e.g. Facebook) you might have hooked up.

Having come this far, the last step is to take a few moments to check what might be connected to your account. You should do this regularly, but now is as good a time as any.

There are 3 places you should review and consider removing access if unnecessary:

  1. Integrations (Account > Integrations): Applications that natively connect to MailChimp (e.g. Facebook or Ebay)
  2. Authorised Applications (Account > Extras > API Keys): 3rd party apps or services you've given access to via the MailChimp API
  3. Users (Account > Settings > Users): Everyone you've given access to your account.

In particular with users you've given access to, consider the level of access you've given them (the least they need to do their job) and whether or not they've put the same security measures in place.

If you've given someone access to your account, send them this guide so they can keep it secure.

Bonus Step - Reduce the Temptation

Cyber criminals love big lists like your MailChimp subscriber lists, as you've already done all the hard work of building them and establishing trust with your customers. The best way to keep your customers safe is not to store their details in the first place.

While it may not have helped the companies mentioned at the start of this article, it's worth taking a few minutes every now and then to ask yourself:

Do I really need to keep this data?

Do you really need to collect and store someone's address or phone number to send them an e-mail newsletter? If you collect anything more than a first name and e-mail address with MailChimp, consider removing it when it's no longer useful, or export it somewhere secure and offline and then delete it from MailChimp.

Adam Selwood, PostBreach