This happened to a client of mine late last year. It was a challenging thing to get sorted, and the MailChimp people were wonderful, helping us through it.
What happened? Someone accessed her account, uploaded over a million addresses and started to send out phishing emails saying that payment was due on an invoice and the recipient’s credit card was going to be charged. People began emailing and ringing my client, anxious that she was going to charge their accounts for a large sum. Some were rude, many unsubscribed, and when I became aware of it I could see that emails were still going out via MailChimp. I halted it and contacted MailChimp support for help.
My poor client refused to answer the phone after some time – it was getting too overwhelming. Some of her clients contacted me because they wanted to know what was going on and couldn’t get hold of her. It was a real dilemma and challenge for my client, and for MailChimp too. Further, my client was billed a huge amount by MailChimp because of the huge addition to her mailing list.
What could have been done to prevent this activity? I believe there are a few things here that could have saved my client some grief and wasted time too, not to mention the loss of some of her subscriber list and people getting angry for something she didn’t do.
- My client has had a multitude of people doing things for her over the years, often with the same password. If you are someone who uses VAs to support you, or you’re a VA taking over from someone else, I urge you to create a new password immediately. Whether it was someone who previously worked with her, or someone who had access to login details from a former worker, we have no way of knowing, but clearly changing it to a strong password would have helped in this regard.
- I was very amazed that MailChimp had allowed a very large list to be uploaded to an account without having some sort of alarm system or alert in place – even if it’s to contact the client direct (not via the MailChimp system) to make sure that the activity was genuine. Perhaps they could have a payment system or something in place for increments of a list when it’s clear that a very large list is being uploaded.
Once MailChimp was aware that my client and I weren’t the ones uploading the list or sending out the phishing email, they halted the process, but it took several days before they could clean the account back to what it was and let my client have access again. In the meantime she couldn’t send a broadcast email to the remainder of her active list advising what had happened. All she could do was wait, as she didn’t have a backup copy of her list on her computer either. It was one of the first things we did when she could log in again.
Once my client had regained access to her MailChimp account, an email was sent out with an apology, assuring everyone on her subscriber list that she didn’t have their credit card details and certainly had no reason to be invoicing them or charging them for anything.
I believe it’s important for us, as VAs, to protect our clients’ accounts and keep things as safe as possible. Alert them to possible problems, and advise them when you feel passwords should be changed. I had mentioned before how important it was and this very happening was timely, but costly, for my client’s business. Consequently, passwords for everything got changed thereafter.
Make sure you don’t use easy passwords either. Family names, birth dates, postal codes and places of living or birth are out. You can use an online password generator but then have to remember what the different passwords are. I often find that using a six-letter word, split in half, with the initials of the account (MC for MailChimp, for example) plus some symbols and numbers inserted in the middle and around the word is a good way to remember passwords while making them at least 10 characters long and stronger.