
Mailchimp, the popular email marketing platform, has been claimed by the Everest ransomware group along with a cache of “internal company documents” that some security insiders are referring to as ‘breadcrumbs.’
- The Everest ransomware group has claimed email marketing platform Mailchimp in its latest rush of July attacks, which include the Crumbl cookie company and BitBox, a blockchain storage solutions firm.
- In an update to the story on Friday, Mailchimp tells Cybernews their security teams have found "no evidence" of a data breach.
- Security insiders have been mocking the Everest attack on social media, claiming the alleged stolen information lacks substance.
The global email and marketing automations platform was posted on the Everest dark leak blog on July 26th, according to the ransomware group's entry.
“The leak of your internal company documents contains a huge variety of personal documents and information of clients,” it said.
The alleged exfiltrated “767 mb database” is said to contain a total of “943536” lines – a drop in the bucket compared to the reported 333,635,013,935 emails sent out by the company on behalf of clients in 2020.
One X user mocked the alleged breach, calling it “Like one customer,” but more on that below.
Headquartered in Atlanta, Mailchimp was founded in 2001 with additional locations in New York, London, and Sydney, and has over 1500 global employees, the Mailchimp website states.
According to a 2024 report by the digital marketing firm EmailTooltester, that same year, the all-in-one marketing platform boasted 14 million active users, an annual revenue of $61 billion, and two-thirds ownership in the world’s email market share.
In 2021, Mailchimp was acquired by Intuit – the parent company of fintech platforms TurboTax, CreditKarma, and QuickBooks – in a deal worth $12 billion.
Leak samples are 'Much Ado About Nothing'
Everest posted two alleged database samples on the leak site, and, in a fairly new tactic, has apparently recorded its instructions in some sort of voice message that will only be available until the group’s ransomware countdown clock expires.
As of Thursday, Mailchimp has four days left to purportedly negotiate a ransom with the gang. “Company representative should follow the instructions to contact us before time runs out,” the group wrote.
Malware repository vx-underground, which first posted about the claim on its X account Thursday, said the amount of compromised data “seems remarkably small for a vendor as large and widespread as MailChimp.”
Other security insiders also weighed in on the claim stating, “That’s probably 300 milliseconds worth of mailchimp data. Likely a client of a client’s emails were leaked.”
Another X user posted “Yeah, I would have expected GB-levels, just due to the sheer number of years they've been collecting data.”
Yet another X user, Keith Anderson (@keithbelfast), simply said on July 31, 2025, “We got yer crumbs. Come and get them.”
In an update to the story on Friday, Intuit spokesperson Tania Mercado told Cybernews that the company was “aware of the claims regarding Intuit Mailchimp’s systems.”
“The security of our products and our customers’ data are among our highest priorities. Based on our investigation at this time we have no evidence to suggest any security incidents or exfiltration of data from our systems,” Mercado said in a statement.
Who is Everest?
The Russian-linked Everest gang first emerged on the scene in July 2021. On July 25th, the group identified the popular Crumbl cookie company as one of its latest victims.
Crumbl has since disappeared from the Everest victim leak site, leading to speculation that the US-based gourmet dessert franchise decided to fork over an undisclosed ransom payment.
The gang also posted the BitBox crypto management and Bitcoin cold storage company, claiming to have stolen a plethora of internal documents from the Switzerland-based firm, including sensitive client information.
Security researcher Dominic Alvieri posted about the BitBox attack on X, “Everest did post samples that appear to be recently fulfilled orders from BitBox redirected with identifiable hardware wallet purchaser data. I would be concerned.”
According to Cybernews’ dark web tracker Ransomlooker, the gang has listed 248 victims since 2023, with 90 victims in the past 12 months, including a recent spate of attacks targeting the Middle East.
“Everest is quite bold in their targeting and doesn’t hesitate to go after sensitive sectors, government agencies, and hospitals,” Martin Vigo, lead security researcher at AppOmni, told Cybernews in May.
According to Vigo, the group has shifted its tactics over the years, relying less on encryption to lock down systems and more on stealing and leaking data, using their dark leak site as a “pressure mechanism.”
“Victims are publicly named, and partial datasets are published to demonstrate the seriousness of the breach. This creates reputational and legal pressure, particularly for high-profile targets, and increases the likelihood of a payout,” Vigo said.
Everest, which is believed to be connected to the BlackByte ransomware group, set its sights on Coca-Cola’s Middle East division on May 22nd, eventually leaking the data of nearly 1000 employees from the company’s multiple distribution centers scattered throughout the region.
Seemingly part of a broader attack on Coca-Cola Europacific Partners, the world’s largest Coca-Cola bottler, the ransomware group also reportedly made away with an alleged 23 million records.
On May 26th, just days after the attack on Coca-Cola, Everest claimed the prominent international private hospital Mediclinic, which has locations in the UAE; the Abu Dhabi Department of Culture and Tourism; and the Jordan Kuwait Bank (JKB).
The gang was also behind the October 2022 attack on AT&T, in which it offered alleged access to the entire AT&T corporate network, and the attack on the Radisson Country Inn and Suites hotel chain in fall 2024.