
Cyber Incident Victim: Mailchimp

Date: Nov 2016

Location: Australia

Summary

Hackers compromised Mailchimp accounts to distribute phishing emails disguised as legitimate invoices from multiple Australian businesses, including a news outlet and a comedy club, directing recipients to malicious .zip files containing malware. The fraudulent messages exploited the service's distribution reach, prompting affected companies to issue warnings urging customers to delete the emails. Mailchimp identified and disabled the compromised accounts through routine compliance checks. It stated there was no evidence of a platform breach but emphasized the importance of user security measures such as two-factor authentication, suggesting that unauthorized account access via reused credentials facilitated the attack. The incident demonstrated abuse of trusted email marketing infrastructure for malware distribution.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On or around November 23, 2016, hackers compromised Mailchimp customer accounts to distribute malicious emails impersonating legitimate businesses. The attackers sent fraudulent messages to subscribers of multiple Australian companies, including Business News Australia, Sit Down Comedy Club in Brisbane, and Jim’s Building Inspections. These emails displayed subject lines such as "Here’s your invoice! We appreciate your prompt payment" and falsely claimed affiliation with Quickbooks accounting software. Embedded "View Invoice" buttons directed recipients to download a .zip file identified as malicious by VirusTotal scans. Business News Australia confirmed its Mailchimp subscriber database had been hacked, notifying recipients via a follow-up email advising deletion of the fraudulent message. Similarly, Sit Down Comedy Club issued an automated response warning subscribers about the spam email and emphasized no association with Quickbooks. Jim’s Building Inspections attributed the incident without evidence to a "known cyber terrorist."

Mailchimp detected the malicious activity through routine compliance monitoring early on November 23 and disabled a small number of compromised accounts. The company stated no evidence indicated a breach of Mailchimp’s own systems, attributing the incident to unauthorized access to individual customer accounts. All identified fraudulent activity ceased after account deactivation. Mailchimp’s public response included a recommendation for users to enable two-factor authentication, suggesting compromised credentials or password reuse as potential attack vectors. The incident demonstrated attackers exploiting third-party email distribution platforms to leverage trusted customer relationships for malware distribution. Affected organizations faced reputational risks and operational disruptions, with Business News Australia acknowledging ongoing investigations while assuring subscribers no unauthorized charges occurred. The coordinated phishing campaign highlighted the broader threat of supply chain attacks against service providers with large subscriber networks.
