
Major Data Breach: Have I Been Pwned Creator Targeted in Advanced Phishing Campaign


CyberSecureFox Editorial Team


A phishing attack compromised the Mailchimp account of Troy Hunt, founder of Have I Been Pwned, exposing contact records for approximately 16,000 newsletter subscribers. The attacker moved from credential theft to database extraction in under two minutes — a timeline that bypassed any manual detection or intervention.

Anatomy of the Mailchimp Phishing Operation

The attack began with a phishing email impersonating an official Mailchimp support notification, warning that sending privileges had been restricted because of alleged spam complaints. The urgency framing, a classic social engineering pressure technique, prompted Hunt to enter his credentials, and then his one-time 2FA code, on the attacker-controlled domain mailchimp-sso.com, which relayed both to the real Mailchimp login in real time. The iOS Outlook app's truncated sender display kept the spoofed sender domain from being immediately visible, which contributed to the compromise. Cloudflare blocked the malicious domain roughly two hours after the attack, long after the attacker had already finished the export.

Mailchimp’s Authentication Gap

The incident revealed a concrete limitation in Mailchimp's account security: the platform's two-factor authentication is limited to TOTP-based authenticator apps and SMS codes. Neither FIDO2 hardware security keys nor passkeys are supported. A TOTP code is just six digits that are valid for about 30 seconds; nothing in the code records which site the user typed it into, so a phishing page that forwards it to the real login within that window gets accepted. Phishing-resistant authentication (WebAuthn and FIDO2) blocks exactly this class of attack: the browser writes the page's real origin into the signed client data, the credential is scoped to the legitimate relying-party ID, and the server rejects any assertion whose origin or RP ID hash does not match. A lookalike domain therefore never obtains a usable assertion, and a proxy cannot alter the origin without breaking the signature. Because Mailchimp offered no hardware key support, even a correctly configured 2FA setup gave no protection against a real-time phishing proxy.
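The two mechanisms contrasted above, as an added example that is not code from the original article or from Mailchimp: a server-side TOTP check (RFC 6238) accepts a code the victim typed into a phishing page and the proxy forwarded a few seconds later, while the relying-party checks from the WebAuthn assertion ceremony reject an assertion carrying a lookalike origin. The secret, challenge and the origin `https://login.mailchimp.com` are constructed values for illustration only; signature verification over `authenticatorData || sha256(clientDataJSON)` is omitted because the origin and rpIdHash checks shown here already fail on the phishing origin.

```python
import base64
import hashlib
import hmac
import json
import struct

# ---------- Part 1: TOTP, and why a relayed code still verifies ----------

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the scheme authenticator apps implement."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_verify(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus `window` steps
    (the usual clock-skew allowance). The code carries no notion of origin."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * step, step), code)
               for d in range(-window, window + 1))


def relayed_totp_accepted(secret: bytes, victim_time: int, attacker_delay_s: int) -> bool:
    """The victim types the code into the phishing page at victim_time; the
    proxy forwards it to the real site attacker_delay_s later."""
    captured = totp(secret, victim_time)          # what the phishing page saw
    return totp_verify(secret, captured, victim_time + attacker_delay_s)


# ---------- Part 2: WebAuthn assertion checks that bind the login to an origin ----------

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """What the browser places in clientDataJSON for navigator.credentials.get().
    The origin field is filled in by the browser, not by the page's JavaScript."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, user_present: bool = True, sign_count: int = 1) -> bytes:
    """authenticatorData = sha256(rpId) | flags | signCount. The authenticator
    only holds a credential for the rpId the browser hands it, which on a
    phishing site is the phishing site's own domain."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def verify_assertion(client_data_json: bytes, authenticator_data: bytes, *,
                     expected_challenge: bytes, expected_origin: str, rp_id: str):
    """Relying-party checks from the WebAuthn assertion ceremony. Returns (ok, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replayed or stale assertion)"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    rp_hash, flags = authenticator_data[:32], authenticator_data[32]
    if not hmac.compare_digest(rp_hash, hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash mismatch: credential belongs to another domain"
    if not flags & 0x01:
        return False, "user presence not asserted"
    return True, "ok"


def demo():
    """Constructed inputs: a relayed TOTP code passes, a lookalike-origin assertion fails."""
    secret = b"constructed-demo-secret"
    t = 1_700_000_000
    relayed_ok = relayed_totp_accepted(secret, t, attacker_delay_s=20)
    stale_ok = relayed_totp_accepted(secret, t, attacker_delay_s=120)

    challenge = hashlib.sha256(b"constructed-challenge").digest()
    rp = dict(expected_challenge=challenge, expected_origin="https://login.mailchimp.com",
              rp_id="mailchimp.com")  # assumed legitimate origin, for illustration
    genuine, _ = verify_assertion(make_client_data(challenge, "https://login.mailchimp.com"),
                                  make_authenticator_data("mailchimp.com"), **rp)
    phished, reason = verify_assertion(make_client_data(challenge, "https://mailchimp-sso.com"),
                                       make_authenticator_data("mailchimp-sso.com"), **rp)
    return {"relayed_totp_accepted": relayed_ok, "stale_totp_accepted": stale_ok,
            "genuine_assertion_ok": genuine, "phished_assertion_ok": phished,
            "phished_reason": reason}


if __name__ == "__main__":
    print(demo())
```

The TOTP half is accepted whenever the proxy forwards the code inside the server's skew window, which a real-time proxy trivially does; the 120-second case only fails because the code expired, not because the server detected the relay. In the WebAuthn half the phishing attempt fails at the origin check before any signature is examined, and if the proxy edited the origin field the signature over `sha256(clientDataJSON)` would break instead.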

Scope of the Breach

The export contained contact details for approximately 16,000 records, a mix of current subscribers and people who had previously unsubscribed but whose addresses Mailchimp still retained. Hunt disclosed the breach publicly on his blog, laying out the incident timeline and the affected data types in full. Rotating the Mailchimp API key and credentials was the immediate containment step, although the export had already completed by the time access was cut off. All affected subscribers received breach notifications, consistent with responsible disclosure practice.

Mailchimp Users and Newsletter Operators at Risk

Any organization or individual running a Mailchimp newsletter faces the same authentication risk if they rely solely on TOTP-based 2FA. Marketing teams, security researchers, journalists, and SaaS operators who use Mailchimp to manage subscriber lists are potential targets, particularly those with large or high-value lists that represent attractive data for spammers, credential stuffers, or social engineering campaigns.

Locking Down Your Mailchimp Account

  • Enable 2FA on your Mailchimp account if not already active — TOTP app (Google Authenticator, Authy) is stronger than SMS, but neither is phishing-resistant.
  • Treat any email about account restrictions or compliance issues as suspicious — verify by logging in directly at mailchimp.com, never via links in the email.
  • Rotate API keys immediately after any suspected credential compromise and audit connected third-party integrations.
  • Use a password manager so Mailchimp credentials are unique and never reused across services.
  • Advocate for hardware security key support through Mailchimp’s feedback channels; in the interim, consider whether your subscriber list risk profile warrants migrating to a platform that supports FIDO2 authentication.
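A link check that implements the second item in the list above, as an added example that is not code from the original article: it accepts a URL only if it is HTTPS and its host is the legitimate domain or a subdomain of it, and it rejects the lookalike from this incident along with the usual suffix, userinfo and scheme tricks. The sample message below is constructed; `mailchimp.com` is used as the legitimate domain for illustration.

```python
from urllib.parse import urlsplit


def is_legit_link(url: str, legit_domain: str = "mailchimp.com") -> bool:
    """True only for https URLs whose host is legit_domain or a subdomain of it.
    urlsplit().hostname drops userinfo and port and lowercases the host, so
    'https://mailchimp.com@evil.net/' resolves to host 'evil.net'."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:            # malformed URL, e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    return host == legit_domain or host.endswith("." + legit_domain)


def triage_message(sender: str, links: list, legit_domain: str = "mailchimp.com") -> list:
    """Return the reasons a message should be treated as suspicious.
    The From address is checked with the same rule as the links."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    if sender_domain != legit_domain and not sender_domain.endswith("." + legit_domain):
        findings.append(f"sender domain {sender_domain!r} is not {legit_domain}")
    for link in links:
        if not is_legit_link(link, legit_domain):
            findings.append(f"link does not point at {legit_domain}: {link}")
    return findings


# Constructed sample, modelled on the incident's lookalike domain.
SAMPLE_SENDER = "support@mailchimp-sso.com"
SAMPLE_LINKS = [
    "https://mailchimp-sso.com/login",             # lookalike domain
    "https://mailchimp.com.evil.net/login",        # legit name as a subdomain of attacker host
    "https://mailchimp.com@evil.net/login",        # legit name in the userinfo part
    "http://login.mailchimp.com/",                 # right host, wrong scheme
]

if __name__ == "__main__":
    for finding in triage_message(SAMPLE_SENDER, SAMPLE_LINKS):
        print("SUSPICIOUS:", finding)
```

A clean message with a sender at the legitimate domain and only HTTPS links under it produces an empty findings list; the constructed sample produces five findings, one for the sender and one per link. The rule deliberately refuses anything that merely contains the brand name rather than trying to enumerate lookalikes.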

Hunt published a detailed incident post-mortem on his blog, which has become a reference case for how real-time phishing proxies defeat TOTP-based 2FA. The broader lesson for the email marketing industry is that platform-level support for phishing-resistant authentication is not optional for services holding subscriber data at scale.

