MailChimp deleted my account with no warning (rongarret.info)
715 points by lisper on Dec 19, 2018 | 253 comments

To people mentioning public shaming. I had a mailing list with them removed with all contacts lost and account banned without even notifying me. Customer support indeed responded, but with something like your account was banned because you are involved in cryptocurrencies (I had hashcash.io - no selling or buying of crypto is even close) and we completely wiped all your data.

Only after a hint about possible public shaming, someone sent me data dump with all the emails and names. So they lied in the first response (all data is wiped and unrecoverable) and only responded to a threat.

Since then I have been using Mautic and my own SMTP server.

> So they lied in the first response (all data is wiped and unrecoverable)

Not defending Mailchimp, but keep in mind the perspective and context. To a customer support agent using some backend interface, it very well could be "completely wiped". To an escalation team, they may be able to pull it from backups in an "unofficial" manner.

The antecedent of "they" in the previous sentence is the company, not an individual. The individual creating the email, as a person, probably was not lying BUT since they were acting as an agent of the company, in an official capacity all of their actions were that of the company as a whole.

This shields them from individual liability as well as makes the company liable for their actions (as long as they are acting as agents of the company in an official capacity).

The customer has no business relationship with the individual customer support person, so whether they are lying or telling the truth is irrelevant to the customer -- they do have a business relationship with the company (a single actor, with multiple agents) and the company can easily tell lies via these agents.

If the above narrative is correct, the company did very likely tell a lie since the fact that the customer's data was recoverable was probably known by the company and also the company likely actively worked to make the opposite of this known via their agents.

> This shields them from individual liability

That's... ambiguous. Agents aren't liable for contractual violations, but agents are typically liable for torts. Liability depends on exactly what the employee did.

AFAIU, theoretically an employee committing a tort could be liable personally as well as the employer; and if service is disrupted the employer could be contractually liable.

That way of looking at it - that the company is lying but the individual is not - is fascinating to me.

It is still a lie.

Also keep in mind the perspective and context that the end user has no way of knowing.

And even if the data can be recovered in an unofficial manner whether they will actually bother is highly unlikely if they care as little as they most obviously do.

So, as a user it is a pretty safe bet to just assume it is gone (but do keep poking).

It's a lie that organizations have backups?

"Your data has been deleted" pretty much has always meant that it was deleted from the live servers and that the deletion will propagate through backups depending on the orgs retention policy/requirements.

MailChimp, the organization, first stated that all data was completely wiped, and when threatened, promptly produced the previously wiped data. MailChimp, as an organization, lied. It doesn't matter if the support agent didn't have the capabilities or not, that's an internal thing.

The organization knows that they have the data, but they trained their staff to reply that it was destroyed.

That's a lie. Not an untrue statement, but a deliberate lie.

> "Your data has been deleted" pretty much has always meant

To whom? My mother? Nope- she thinks it's gone. So yeah- it's a lie, and you only catch it if you know better.

"Yes Dad I did my homework" has pretty much always meant that he hasn't started it yet.

No, it's a lie and the organization knows it. They are responsible for training their CS folks.

If I turn on Windows Backup on my Mom's laptop and she right clicks a file and selects "Delete" is the expected behavior that it be deleted in every backup as well?

Windows doesn't tell your Mom that her data has been wiped, just that a particular file has been deleted.

If she doesn't know the backup's been set up, in her mind, yes.

Are you suggesting that the delete command shouldn't be trusted because there might be a backup of the file somewhere?

You people are throwing around the word "lie" very loosely here...

> Are you suggesting that the delete command shouldn't be trusted because there might be a backup of the file somewhere?

No, the exact opposite in fact.

Am saying that if you weren't told there's a backup, you'll not think there's one and treat the data as completely deleted, even if they really aren't.

We don't know the exact messages. If the poster asked for a copy of his data and was told it was deleted, then yes, that was a lie (although possibly the person sending the message genuinely might not have known better, which puts the fault more nebulously at "the company"). If they asked why their account was gone and the response said "all data has been deleted" without offering a copy of it, it's just bad service.

(Although given privacy regulations, it's a bad sign if a support agent can't give a precise answer about data stored or at least know not to make unchecked claims about it)

Either the data is deleted or it's not. If I send you a GDPR request, you reply "it's all deleted" then at a later date, data magically appears, that's an obvious per se violation.

>>"Your data has been deleted" pretty much has always meant that it was deleted from the live servers and that the deletion will propagate through backups depending on the orgs retention policy/requirements.

No it doesn't. Deleted most places means deleted and gone forever. There are a number of legal requirements (in the U.S.) at least when dealing with certain government organizations, and many non ones as well surrounding this. Think of it this way, a customer comes and says, there is sensitive information on your server, and since we no longer want to do business with you, you are now required to delete it. Normally there is an end date to allow the backups to be purged through propagation etc., but at the end, when they say it's deleted, it means deleted from everywhere. Sometimes this also means completely wiping drives so there is absolutely no trace of it left.


"A lie is a statement used intentionally for the purpose of deception"

I don't think you can prove it was a lie.

The company is set up to deliver a lie, even if the last person telling it is doing so unintentionally.

That's...fascinating. While we have lots of corporate personhood, I normally disregard blaming specific actions on a company because at the end of the day a person makes the call. But here you've pointed out that a company, operating as a collection of people, can "act" in ways that may be unintentional or may be deliberate, but are hard to pin down to a specific person.

Definitely worth considering in more depth, thanks for the perspective.

It's the main reason for corporate structure in the first place. To shield individuals from personal liability. CEO tells VP who tells Senior Manager who tells Department Manager who tells worker bee to do something. Everyone has an out. They either were "misunderstood" or they were "following instructions"

"Corporation: An ingenious device for obtaining profit without individual responsibility." -- The Cynic's Word Book (1906), by Ambrose Bierce

Charles Stross has posited that we've invented Artificial Intelligence with the advent of corporations.

Y'know the paperclip maximizer? The thing where a paperclip company makes an AI that takes over everything, making it into paperclips? Well, actually you don't need any fancy AI. The paperclip company is already a [Local Currency] maximizer from the start.

Check out The Myth of the Machine by Lewis Mumford, specifically the second volume The Pentagon of Power, which gets into the idea of the modern "megamachine"

Does your tongue know when it's used to lie?

Exactly. Corporate structures, governance, and regulation have been formulated to treat corporations as "persons".

Well, that "person" lied. Regardless of the specific agency it employed in doing so.

(And, this type of banning and cut-off from data is obviously -- just look at the comments here -- not a one-off scenario. I find it difficult to believe that the consequences, including the customer's lost access to their data, were not thought about by MailChimp, as an organization and by people in their official roles within MailChimp.)

P.S. As I've grown older and observed and thought about things, I've come to see this as a primary role of the corporation or other such entity: To "dilute" responsibility and accountability to the extent that no member -- or, no member who has sufficient influence, who "matters" -- is ever held personally accountable for their actions within and on behalf of the corporation. [Addendum: And, in turn, the corporation is never truly held accountable, because the employees involved "lacked knowledge". Nicely circular, eh? By the way, I don't consider paying a dollar amount that is often a fraction of the gains realized by the behavior, to be "being held accountable".]

I've stopped letting people in such corporate or institutional roles off the hook, just because "they didn't know". Or rather, I've stopped letting the corporations and institutions off the hook because employee X didn't know. All too often, it's set up precisely that way and on purpose.

MailChimp seems to be in the wrong, but ignorance isn't the same as a lie.

I bet you people just assume or their manager doesn't know either.

Why was my account suspended -


The first level support person isn't lying if he/she doesn't truly know whether the data is recoverable. A manager higher up, who approved the script and knows better, is lying however. To the end user it makes no difference who the liar is, only that the lie is being told.

But that ends with:

> If we suspended your account, we'll contact you as soon as possible to let you know why, and to give you details on how to fix the situation.

And that's clearly a lie, based on OP's experience, and those of other commenters.

It goes lots deeper than that. It's not uncommon for corporations to be set up to prevent leaking or discovery of sensitive information. Military intelligence agencies are notorious for that.

Top executives maintain ignorance of operational unpleasantness. Technical staff know operational specifics, but little about business design and usage. Intermediate management know pieces of business design and usage, but nothing about technical implementation.

Nobody needs to lie, and still there's often no way to know for sure what happened.

I once had a job where I eventually figured out this was implicitly what I was hired to do, be the guy who gets lied to so it's not a lie when you tell the customer. I didn't last long.

Since we don't have a mind-reading machine, by that logic, we can conclude that no statement can be proven to be a lie.

After all, how can we know what an alleged liar is really thinking?

You exaggerate, but actually, this is a good reason to avoid accusing people of lying unless you understand the situation pretty well. Honest mistakes do happen a lot.

It doesn't matter if the individual people at MailChimp were liars.

What matters is that the institution as a whole - the way their policies and procedures come together - lied.

The institution certainly knows of its capabilities. It deliberately chose to not tell that to its CS reps, because of a multitude of reasons, that come down to 'It makes our/their jobs easier.'

My ISP, for example, lies to me every time I make a call to customer service. Is the front-line CS rep lying to me? No. But his employer is, by making him tell me a pile of bullshit about why my Internet is busted - again.

Well, but that's anthropomorphizing. Institutions don't really know things, people do. Getting stuff out of one person's head to all the people that could use it actually takes a lot of effort. (Look at how terrible medical record systems are.)

"The word lie has lost all meaning"

"It doesn't matter if they're liars"

C'mon, man.

Lies can be proven by finding evidence someone did know something when they say the opposite.

And in this case, we have iron-clad evidence that MailChimp, as an organization, with 100% certainty, knew that the customer's data was recoverable.

As a manager of a customer service team, everyone on my team knows exactly whether something has been "totally wiped" or not, regardless of whether it's something that would require developer intervention to recover. To have your reps not understand this and ultimately mislead the customer (or, in this case, I suppose former customer would be more accurate) is a management/training problem, and what the rep ultimately said on behalf of the company was a lie as a result.

I have to disagree with this wholeheartedly because sometimes you don't want to set the expectation with a front-line representative that the data is recoverable. In many cases, you don't want reps promising to recover data that's potentially unrecoverable. It's one thing to recover data in the event of a mistake on behalf of the company but that should require a conversation with someone outside of front-line customer service. I've been in situations too many times where our front-line team knew when something had not been "totally wiped" and they turned out to be "totally wrong" because they were aware that we kept backups but not aware that we had a strict retention policy outside of a specific timeframe or, in other cases, where a hardware failure caused a loss of a specific set of data because it was marked for deletion and wasn't scheduled to have a backup anyways. The customer had cancelled their account and agreed to losing their data but didn't actually read the terms of the cancellation they agreed to and then returned over a month later asking for their data and a rep told them that it's not really lost because we keep backups every 30, 60, and 90 days. That part was true for live accounts but not for deleted accounts.

In other words, data recovery that can't be handled by the customer service reps and that requires developer intervention should be a "surprise and delight" sort of situation and not a "customer should expect this" type of situation.

Saying you know when you don't is a lie. Instructing people to say they know when they don't is instructing them to lie on your behalf.

The answer should be: "I can't know." Followed by one of: (1) Let me connect you to someone who can know (2) Let me tell you how much it costs to find out (or 3) Also we don't care.

That would be honest. Not saying it's easy.

>Saying you know when you don't is a lie. Instructing people to say they know when they don't is instructing them to lie on your behalf.

Because, in that case, the intent of the statement is to deceive. If the intent of the statement is simply to not set an expectation that can't be guaranteed rather than to intentionally deceive, then it's not a lie, in my opinion.

I work in audio editing and recovery/enhancement and there are situations on a regular basis where we tell customers that their audio can't be recovered. I don't think we're lying to customers in saying that despite the fact that, in some cases, we may be able to recover or enhance the audio to the point where it's usable if we invested an exorbitant amount of time on it. In the most literal sense, yes we can recover the audio but in the practical sense and, most importantly, to the customer we can't recover the audio in any meaningful way because they either can't afford the work necessary, we don't have the resources to devote to that work, or we can't guarantee that, even if we can recover it, it's acceptable for whatever purpose they need it for despite being "good enough" for us.

I agree with what you say. I think the trouble starts when the economical burden of recovery is not on the customer, but on the company.

If I tell somebody that something's unrecoverable because I know they wouldn't want to pay the recovery, I'm not lying. But saying nothing can be done when I'm just afraid of the cost of righting my mistake: that is lying.

The correct response is to tell the customer that it has been deleted from the main server, and that it MAY be recoverable with escalation to the dev team. Why would you even consider telling them anything else, if that is not the truth?

Agreed, regardless of whether the rep can see it or not, they should be trained properly and reply that they no longer have access to the data, and that access would require an escalation of some sort. To simply say the data is gone is a straight up lie.

A lie is a falsehood that's meant to deceive someone. A rep saying the data is gone because, functionally, it is, is not a lie. If the intent is to set proper expectations with a customer then I think telling them it's gone and potentially being able to say "actually, we were able to recover it by escalating it" is better than "we may be able to recover it by escalating the issue" because you're underpromising and overdelivering. The opposite just sets you and the customer up for failure.

It's possible that tools used by Care/Support don't have everything implemented

to quote your parent:

> regardless of whether it's something that would require developer intervention to recover.

A company is liable for its agent's false statements.

But it isn’t completely wiped. That is completely inaccurate.

If management sets up a system which intentionally results in untruths being told to customers ...?

There's nothing nefarious about customer service not having access to every single possible data record on a customer. In fact, I'd be concerned if customer services had access to archived backups or raw server logs.

For most intents and purposes, data existing only on archived backups or raw server logs is "completely wiped".

> There's nothing nefarious about customer service not having access to every single possible data record on a customer. In fact, I'd be concerned if customer services had access to archived backups or raw server logs.

Irrelevant, customer service can know if the data record exists without having access to it.

> For most intents and purposes, data existing only on archived backups or raw server logs is "completely wiped".

My intent and purpose in asking the question may not be part of "most", yet it's still valid.

I wonder about how they detect cryptocurrencies and if every mailing list that deals with security is going to get tagged. Makes me wonder if any other words are problematic. I wonder if any historical societies use MailChimp to announce their lectures? Might be interesting to see if they got shut down. Tumblr might not be the only ones having a bit of a problem in proper detection. Reminds me of the YouTubers who do animated history and their changing of all WWII German logos to the YouTube logo to keep away the demonetization.

I was a part of a finance student group in college. We used MailChimp to tell members about meetings. I remember our account got automatically flagged and locked once because newsletter contents included details about a forthcoming stock pitch presentation, and that apparently was close enough to a ToS violation that MailChimp froze us.

The funny thing was that our student group was allowed to directly invest a trivially small portion of the university's endowment in the stock market, so we were not soliciting others to buy stocks - the presentation was a confidential, internal one about how to invest our fund's own money.

>I wonder if any historical societies use MailChimp

I was confused for a second with the mental image of Nero sending out blast emails to Rome's citizens.

I hope everyone already using or considering using MailChimp reads this. Denying access to your mailing list even if you violated their terms is insane.

Banning accounts with no warning is already bad enough - ideally they'd just disable your ability to send emails until the issue was resolved, but at least I can accept that.. but to steal people's mailing list in the process? What the fuck.

OP here. To be clear, I did not violate their TOS. And deactivating an account for inactivity is not entirely unreasonable, especially a free account.

What is unreasonable IMHO, and the reason I want to bring this to people's attention, is deactivating an account without a warning, without even a notification, and with no way to recover. That is a ticking time bomb that I was simply unaware of. I never even imagined that a company as successful and popular as MC could have such an inane policy. Obviously, if I had known, I would have done things differently. All I can do now is sound the alarm so that other people don't step on this land mine. (And maybe public shaming will convince MC to give me my mailing list back, but I'm not counting on it.)

P.S. One of the problems here is that "inactivity" is ambiguous in this case. I had not logged in to my account in a long time, but people were signing up for my list. I assumed that would count as "activity".

Two landmines:

1. The MC one

2. Relying on any free service as an important part of your business.

The adage "you get what you pay for" really does tend to hold true.

The irony is that if MC had sent me an email saying that I needed to upgrade to a paid account in order to keep it active, I would have sent them a check without hesitation.

That's one of the frustrating things about this. MC has turned this into a lose-lose when it really didn't have to be.

That's the big takeaway here, in my opinion. Regardless of the fault with MailChimp (and I do think they're at fault here), you should never rely on a free service if it's mission critical to your business and there should never be a single point of failure like this. If this really was as critical as OP claims it is, then they should have taken more care to ensure that this wasn't even possible.

For data you care about, you have backups. It's better than being angry later, regardless of whether you're angry at some company or at yourself (for not having backups).

Backups also make your life longer, because of reduced stress. Otoh, you spend some of that extra time making backups, but it's still a win win, I guess. :D

Yep! Doing a monthly backup of my mailchimp newsletter, it's too important.

How difficult was it to set up an SMTP server? I know that merely installing and configuring the software isn't that hard, but the common opinion of late seems to be that setting up things like MX records (I really don't even know how those work) is too onerous. If it's not that difficult, then there really should be fewer people/orgs relying on services like MailChimp.

Setting that stuff up is not that hard, you can even just use unix Sendmail.

What's hard is actually making sure your emails get delivered and don't end up in the spam folder.

Starts with the easy stuff like DMARC (needs DKIM & SPF), goes further to properly warming your IPs, then to properly parsing hundreds of different error response messages and good retry scheduling, and to complex problems like individual mail receivers' spam and max-throughput rules.

Also these companies sell you the ability to easily make campaigns targeted at a specific subset of your contacts.

Setting up MX records isn't hard at all but also irrelevant here—it's needed to receive mail.

As for sending out mail, one of the difficulties that MailChimp and similar services take care of is keeping the servers' IP addresses out of spam lists.

I am using sovereign - https://github.com/sovereign/sovereign

It is dated it seems, but still does a job.

There are indeed issues with delivery, but you just work through these as they arise. Also, there is no monetization involved, so I do not care that much about delivery rate. But if your profits are directly tied to delivery rate - hosting own SMTP server might not work as well.

FWIW, my partner too had similar experiences and now switched to rayzz.net. I agree, backup or self-hosted backup is always necessary.

> and own SMTP server

Good luck with that.

Way to patronize someone trying to be self-sufficient.

Just because you read blog posts titled "DON'T HOST YOUR OWN MAIL", doesn't mean you shouldn't. People are scared of hosting their own mail servers because they a) are told they shouldn't b) don't understand SMTP.

I am all for decentralizing this hyper-centralized internet.

Sorry, I'm old enough to have come from the era of "DIY" mass emailing which transitioned (rightfully so) to using providers like Constant Contact/MailChimp. I've seen first hand the drawbacks of emailing thousands of people via your own SMTP server. Blacklists, legal threats, deliverability issues, proper unsubscribe, formatting etc. And this was early 00's when much of the legal framework around email marketing was either non-existent or weakly enforced.

Maybe I'm too old? Has email come around to the point where someone can host their own email and send out thousands of emails without having to deal with a mountain of headaches again? That would be sweet, maybe I can go back to telling clients it's okay to paste a massive list of email into their Outlook's BCC field? It would certainly save them some money. I still to this day hear from clients who send "small" mass emails wondering why their friends at AOL, or <insert your ISP here> didn't get the email.

Sorry but this is based on my direct, first hand experience with hundreds of small businesses doing this exact thing. I don't base my business model off of some random blog post, I base on years of experience and the lessons learned from getting burned.

I'm guessing that people who are criticizing you have mostly never run SMTP services for a decently sized ISP (something with its own AS number, big chunk of ARIN IP space, peering, etc).

I run my own smtpd for personal purposes, but if I were going to send outgoing customer-contact mails en masse, I certainly wouldn't do it through my personal perfectly-configured postfix system. Things like mailchimp fill a market niche.

We've been sending our email through our own servers since the early 00's. In my experience it's never been that bad if you are a good actor and follow best practices. Hell, even if you're a spammer and follow best practices you might still get through. But if you don't know what those are you will most likely go to the spam folder.

Regardless, hosting your own mail isn't the same thing as using outlook's BCC field.

I think email has come round to the point where you can, if you really want, run your own SMTP server and send out thousands of emails without having to deal with a mountain of headaches again, yes.

Tens or hundreds of thousands, maybe not. (And I'm assuming that this isn't email that the recipients are going to consider spam.)

I think there are two major reasons for this improvement: DKIM basically works, and far fewer recipients are using email accounts provided by crappy ISPs.

I've provided "backyard" shared hosting for a handful of customers for about a decade, some of whom have mailing lists sizing up into a thousand recipients or so. I do encourage them to use proper mailing list services, but for the most part, shipping it all through my mail server works fine and there really aren't that many headaches.

Some basic good hygiene and some effort put into gently educating customers on how email works has gone a long way.

My biggest headache today is in receiving mail, not sending it. Because so many other people have followed advice like yours and jumped onto one crappy mail service or another, the originating network for an email is no longer a good signal for whether it's spam or not.

It indeed depends on personal circumstances. In my case sending mail through own SMTP server is not a problem.

Even if that would be a problem in future, you'd rather use one of SMTP PaaS (there are quite a few of them out there) instead of using fully integrated solution like Mail Chimp. I.e. you can use Mautic and connect it to Sendgrid or something like that. This way you have full ownership of mailing lists and newsletters content.

People are scared of hosting their own SMTP server because hosting an SMTP server is woefully insufficient for actually having mass mailings reliably delivered.

The hard part isn't actually sending the mail, the hard part is staying abreast of the already long and perpetually growing list of legitimacy signals you need to send to reassure understandably paranoid SMTP clients that they shouldn't mark your newsletter as spam. And you're not done even when the server is set up and configured properly; it doesn't take more than a handful of ignored complaints to start getting added to blacklists.

It's not difficult, per se, but it is a huge time investment for a service that centralized vendors can provide extremely cheaply because of economies of scale.

I'm all for moving toward decentralization too, but we're not going to get there from here if we don't understand and respect the incentives that lead people toward centralization in the first place.

FWIW I've been running my own SMTP client/server for many years (I wrote them myself for my purposes, it's hobby stuff), with the proper SPF records it gets accepted by Google & co. no problem. Only residential Internet IP range are generally blacklisted by default by antispam filters.

I've definitely hosted my own many times in the past to send out automatic emails and they... worked!

The s stands for simple.

The L in LDAP stands for "lightweight".

Didn't say it was hard.

We've had a similar experience. We use them for both marketing mass emails and for ingesting support ticket emails (I believe that's through Mandrill). Someone sent a marketing email they didn't like (they said another one of their customers complained about it, or something; literally one complaint) and so they silently shut off our incoming email. We noticed it when one of our customers called to ask why we hadn't replied to one of their support tickets. They didn't bother to tell us.

It's a big bag of "do not recommend".

(As for how we manage to use them for incoming email; emails go to a gsuite inbox, which forwards them to MC/Mandrill, which then calls a webhook to actually process the email further. Yes, we could do way better with our own SMTP server that cuts them out. I think this architecture was chosen to have a failsafe in the event that our services all go down.)

And yet I still get junk from MC senders for which I never subscribed. I report as spam, but those people still keep sending with no problems. (Anecdote, I report as spam an email sent to me@mybusiness.com, then get emails from the same sender at info@mybusiness.com, support@mybusiness.com and finally to emails that aren’t even real such as contrived first_initial_lastname@mybusiness.com (which aren’t in use but go to a catchall, so clearly some “marketing person” just added me to a list without any consent at all.))

At all times these are reported as spam. Then, when we, a few years ago sent out a new feature announcement and a request for a follow up appointment, our account gets frozen for sending unsolicited marketing emails — to our actual customers who have opted in to our emails! Emails that complied with every bit of the anti-spam laws. So Mailchimp arbitrarily lets through their massive enterprise senders sending actual unsolicited emails but freezes their smaller (but still paid) customers sending marketing to actual, current customers.

Anecdotes aren’t data, but for us, it was reality.

I seem to be constantly checking "I never signed up for this mail list" buttons on MailChimp unsubscribe pages. Eventually I got curious if this actually does anything and looked into it; as far as I could tell from their docs, it does nothing but inform the mailer that you are of the opinion that you never subscribed to their list. Very useful.

No, MC definitely uses that data as part of their anti-spam operations. Source: have attended a few presentations by MC anti-abuse people.

That's what a secondary MX is for.

A secondary MX record doesn't solve the problem of "accept email and silently route to /dev/null".

Aside from telling the sender or receiver, there's no good way to know. I guess you could send a test email every hour.... But this is an evil failure mode. This isn't an accident.

They wouldn't shut you down if they received just one complaint, there is a very explicit process for opt-out / unsubscribe that you have to comply with. You're probably not telling the whole story here.


Similar problem happened to me with a hobby project. They can and most definitely do shut you down for a single complaint.

Not disputing that sometimes that might be the case, but I knew someone who was using a shady list, sending out to 20k+ people, and every time they sent out a blast they got multiple complaints...but never shut down.

So maybe the answer is more complicated.

Possibly a lot of inconsistency because of a quickly grown abuse team that has to get through a ton of cases a day.

Did you comply with the link I sent?

Yes. It’s probably best to not assume malice here.


Are you speaking on behalf of MailChimp? Are you aware of their internal practices? Are you an official spokesperson? If so, I’d love an official response. Otherwise, I think there’s a ton of evidence here (from people I trust even) that disagrees with you.

1) project updates

2) in full compliance with their documentation

3) no preseeded list, users signed up on their own accord

Do you also think all of the many other people in this thread who've had the same experience are lying?

It boggles my mind why anyone would use MailChimp. The most important trait for a good organization is ethics. When they acquired Mandrill, they did the same to PAYING customers[1]. They even turned off comments on the blog post of the announcement. And ever since they did these shady things, they super-charged their SEO to hide any mention of this fiasco. If you do a quick Google search for "mailchimp mandrill" you would no longer see the slew of articles of rants of paying customers like you used to. Really, the worst ethics I've seen in any internet company.

I stopped using MailChimp ever since and even though their integration is much simpler, I do not use them for my clients. Every now and then I do have one or two clients wanting to integrate with them, but I do honestly warn them of what they're capable of and be the judge.

It's not like they're cheap. Their plans are pricey and yeah, they do have good deliverability, but the competition has caught up ever since. The only way they're able to keep existing accounts is by passive-aggressive scare "Watchout, we have the best deliverability and if you move elsewhere for price concerns, you have tons of these problems to deal with, including deliverability, so stick with us".

This is 2018. No one should be using MailChimp. There isn't any good reason to.

[1] http://www.dangrossman.info/2016/02/28/mandrills-betrayal/

> It boggles my mind why anyone would use MailChimp.

I've had similar bad experiences with MailChimp and Mandrill. Their customer support is very defensive over both technical and account issues, even when you've already done the work of identifying the problem for them.

People continue to use MailChimp because of its marketing halo. They even had a flattering New York Times feature in 2016.

Luckily most emails we send are transactional so new projects are able to use AWS SES, Postmark, or SendGrid.

They are very attractive to small businesses who don't even know Mandrill exists. Relatively well known brand, quirky marketing, good integration with other sites/apps, and free up to 2,000 subscribers (which many small businesses can only dream of!). It's relatively simple to make a decent looking email with their UI, even though I'm not a huge fan of it.

By the time you hit that 2,000 subscriber limit you're comfortable and stuck. I've used them before, my main issue (apart from price) is their poor automation/segmentation logic.

Been there, done that. Two years ago Mailchimp deactivated our account without notice, and no explanation at first. This also impacted our transactional mails via Mandrill as the account was linked to the deactivated Mailchimp account. Even after a lot of pleading they didn't reactivate it, and their responses were generally unhelpful and in hostile language.

In the end it turned out that apart from our paid(!) main account, an intern from the marketing department created another account some time ago which hadn't been in use for a few months already.

So in the end a coworker and I spent the night rewriting our transactional mailing to hook up Sendgrid instead, with no problems since then.

Fuck MailChimp + Mandrill!

Did you ever consider SES? I've been using Sendgrid for about two years to handle lead distribution to client CRMs (Automotive). They have good documentation and are super easy to integrate. Although, I wish the delivery notification endpoint supported multiple webhooks.

I don't think we really considered SES, to be honest.

We had to move pretty fast when we made the switch. My coworker tried Mailgun (which didn't verify our domain fast enough), while I tried Sendgrid.

There was also the added bonus that we had a free paid tier from Sendgrid as part of our accelerator program, so we had planned to switch to Sendgrid anyway.

I’m glad this got posted and I hope this gets resolved and MailChimp does the right thing (I’ve also upvoted the OP).

But man, I don’t envy companies deep in the anti-spam/fraud business. The impression I’ve gotten is that when you act with a lighter touch and/or give lots of info about why an account was closed, spammers/fraudsters weaponize that and either figure out how to bypass your controls or social engineer your support.

I hope I’m wrong. Any thoughts on how a company should balance good service to users (and false positives) with the need to fight black hats?

> Any thoughts on how a company should balance good service to users (and false positives) with the need to fight black hats?

Charge money.

A big part of why MailChimp responded this way is that they have a very generous free plan. With that they can't afford to dig deep on free plans that violate ToS. You'll get buried under the weight of support/vetting for that.

Once you start charging even a little bit, the amount of spam/fraud BS you have to deal with plummets.

Every hurdle your free plan introduces to blasting out emails adds friction for spammers. Give them enough friction and they'll move on somewhere else. Forcing them to provide a valid credit card before they can send emails is a great way to add that friction.

Generally, having enough humility to recognize that you might be wrong, and enough compassion to care about the little guy would go a long way.

For example, they could notify the owner of the account after deleting it. And allow them to download their data. It's not hard to do, it does not open them up to social engineering, and it does not incur per-customer cost.

Nor does it facilitate continuation of spam, in fact it hits legitimate users way more than spammers - spammers bought their lists and have copies, while users who legitimately grow their lists through sign ups usually don't make copies.

I think a good starting point is to take the existing process and add a more formal appeals process for people who feel their accounts were unjustly terminated.

My little sister works in customer support for a fairly large email marketing company that competes with MailChimp. From hearing her talk about some of her conversations with users booted from the platform I think a good number of spammers sincerely believe they have a legitimate business and are confused to hear they've been flagged for spam. A lot of these people seem to only know enough about the internet to be dangerous. Preaching about passive income has gone main-stream in the last few years and many spammers are just ordinary people who have been conned into buying email lists from some "internet guru" to run a "click funnel business."

It's kind of like prison. Everyone says they're innocent. Some guilty people might even sincerely believe they're innocent. But when everyone is saying they didn't do anything wrong it's really hard for the person who actually didn't do anything wrong to get "justice."

Unrelated, I would love it if a publication profiled a few spammers. I suspect they're very different from how most people imagine them.

Great point. I had a non-tech-savvy friend who “accidentally” got into spamming, and had no idea what he was doing was wrong or antisocial. He simply got hooked with one of those “make $$$ from home easy!!” scams where they send you a pre-baked spamming kit and convince you that you’re a businessman with an incredible opportunity. He came to me for help when he started getting banned everywhere and his emails stopped going through. I told him he was scammed and that the “kit” he paid for was junk mailer scheme, but he swore up and down that no, he’s an entrepreneur and that all the problems must be his competitors “hacking him.”

I felt bad for him that he had no idea what it was that he was doing but I couldn’t convince him that it was not legit. It was MLM-level brainwashing.

The best part is, when this guy votes, it counts as much as your vote and mine.

Absolutely agree.

Many spammers don't see how what they are doing is wrong. They run a LinkedIn scraper to collect 100,000 business emails for people in their industry and they want to email them.

When you explain that they're spamming, they get offended. "No, this is not spam! These people are going to be interested in this product."

They just don't understand why it's wrong.

I cannot imagine the customer support burden in time and emotional energy that goes into explaining to people, day in and day out, that the thing they hung their hopes on is spamming and not permitted. It sounds exhausting and draining.

Having done community moderation in a past life, I know how tiring it is to try to offer real engagement and empathy for people who refuse to understand that they've acted in an unacceptable way. There are also the people who know they're abusive and expect to just talk their way through it until you allow them to continue. Combined, it's enough to convince someone to stop offering humanity and sympathy to those who have acted badly, knowingly or otherwise.

> I would love it if a publication profiled a few spammers. I suspect they're very different from how most people imagine them.

You might like Spam Nation: https://amzn.com/dp/B00L5QGBL0/

Awesome, thanks for the recommendation! I just ordered a copy for me and another for my sister as a Christmas gift.

Excellent book in a journalistic style. Good present. You will (both) have your own views on Krebs' strategies to make complex issues accessible to 'civilians'.

I've worked on the email dev team of a mailchimp competitor and from what I've overheard, when a customer gets spam-flagged the first step is to help him avoid it in the future. A lot of small businesses using these tools might actually accidentally misuse them.

The real problem is that support and service notification on the internet are often really bad. The giants can afford to do whatever they want without drawbacks. The really small players on the other hand can disappear without notice. Just the other day one of our VPSs went down, the web panel was also down, we discovered on twitter, posted by another user that the hosting company was closing in 4 days. They haven't even sent an email to the customers. The CEO had already removed the company from his linkedin profile!

Name and shame! Which VPS and CEO(s) name??

did that host happen to be Hiformance? pretty much what you said is happening there (servers going down, no contact from host etc)

Exactly! A dirty cheap service, but I guess that the low price was what made them close... As an update to the first post, now the website works again.

I've also had friends who have had their MailChimp accounts deleted or locked without explanation, warning, or recourse, so I wouldn't rely on MC specifically for anything business-critical. That said, if you have business-critical data on any cloud provider, you should be exporting periodic backups of that data to another provider so you don't lose access to it all if a single provider shuts down your account.

News flash: MailChimp just reinstated my account! Thank you, HN community, for your help.

yeah, but it's sad that this is basically the only way to get them to do it.

Indeed. Once the dust settles I plan to write up a detailed post-mortem. There's more to say.

If anyone from MailChimp is reading this: a postmortem from your side would be greatly appreciated too.

Currently, I assume the only thing such a postmortem would contain is "one of our anti-abuse system considered the account abusive, so our default process kicked in, some sort of escalation review process (automated or human) also flagged it as abusive, so no further escalation was allowed, and we don't really have a way to keep this from happening over and over again". (Which, to be fair, is probably true of any service that has to deal with abuse at scale.)

Anything better than that (e.g. providing notifications on takedowns, offering data take-out, or at least explaining why this isn't in place) is probably worth posting.

That is outstanding! Looking for that news is the only reason I waded through the threads. Congratulations.

Thanks. I'm pretty sure it would not have happened without the HN community putting this on the front page. Many thanks to everyone who upvoted this story, you may well have saved my business.

Well, my wife uses MailChimp, so maybe you'll have saved her business :)

I live in Atlanta where MailChimp is headquartered. Beyond their horrible customer service and stories I've heard from people who work there they are one of the worst tech community members in the city. There have been instances of managers from there Doxing people, trying to get code school students kicked out of their programs for respectfully expressing opinions in local community groups etc. that they disagree with.

We were evaluating using MailChimp for our email campaigns, but I am going to raise this with the boss.

Having ToS issues is one thing. Deleting/banning accounts without any notice is another.


Major shout out to Stripe. They believed we were in violation of their ToS, notified us immediately, and gave us 7 days to find an alternative including a competitor that would accept our business.

Once I contacted their support, I was able to confirm with them, that in fact, we were in compliance, and the crisis was averted. But had they just shut us off without warning, that would have been a disaster.

To add a data point to this, I created a MailChimp account a couple of years ago. I never used it as other projects became priority. Recently I decided I might give it a shot again. Tried to login. My account is deleted and my email banned. I'm not tied to any weird or shady business. Dodged a bullet I guess.

They did the same to me. I reached out to their support and they just recommended I create a new account. No idea how a business can do that and expect users to be ok with it. They lost me as a customer and I will no longer recommend them to any of my clients.

A similar thing happened to me while using their Mandrill system. After years of using it with no issues, all of a sudden no emails were getting out. They shut us down without notice and without recourse. We were sending simple support emails, and auto-emails (when you register, forgot your password, etc).

Absolutely would never recommend.

Did you continue to get billed for it?

Thankfully no.

They banned me after migrating an email list over because they said I couldn't confirm how I got the emails. It was weird because the 80 emails were newsletter sign-ups from my website. After that happened I never went back.

Kind of odd considering they changed to make single opt-in the default on new mailing lists.

They’re covering their asses only legally speaking.

Tech support issues on HN are like the tech equivalent of putting up medical bills in a newspaper.

The situation is so unfair and one is so powerless, that the best way to resolve it is to get dozens of other people involved.

This is probably tiring to oneself and all the other people who have to work up into outrage. There really ought to be a more systematic way to resolve these things.

This exact same thing happened to me, resulting in the loss of hundreds of emails collected over the years from my website.

Any recommendations on alternatives?

>Any recommendations

Uh, regularly export your list?

Not the first time this happened. Company needs to get sued a few times to learn its lesson. Just what needs to happen to PayPal as well.

A lawsuit that you wouldn't win.

Sued based on which legal theory? What are the monetary damages? Where is the contract violation?

Squatters rights.

What I don't understand is... when this data is oh so important, where is the backup?

I deal with small business owners regularly. While this seems crazy, it's not even close to the worst we've seen. Entire businesses based on free email, entire businesses based on a social media following from one network, entire businesses based on an undocumented "black box" server that everyone is afraid to touch ... the list goes on.

I routinely think about my business model and the repercussions of losing access to an online service. I backup incessantly as a result. BRB, going to backup my MailChimp lists.


> It will be your responsibility to keep it safe and you'd have to do it every fucking time if you want to update your data.

You might want to consider removing "fucking" from your front page. I'm really not one to bat an eye at any form of cursing but seeing it on a company's webpage like that doesn't sit well. You have a good idea, let the tech speak for itself, no profanity needed.

Agreed. Every time I want to "get casual" with a client or business associate and consider using profanity, I almost always step back and remove it from the email. In person it's a little easier, but I cringe when I think back to a meeting where I used a curse word - even if the client was using those same terms.

Yes, gonna remove that! Thanks for the feedback :D

Different commenter, but I think in your pricing section, you may have enterprise spelled incorrectly. "Enterprice" -> "Enterprise"

Because not everyone using a mailing list service is technically capable of doing this, or understands why it's even necessary? I never used MailChimp but if I did then I would assume that the mailing lists I built with their service would be 99.999% secure, and that I'd always be able to access it even if they went out of business. Reading this thread with many users claiming similar experiences is quite frankly shocking.

What drives the assumption that their mailing lists would always be available to you even if they went out of business or that they are almost perfectly secure? Is it due to standards set by large companies or just an idealized desire?

Because I assume they use Google/Amazon cloud services which are designed for 99.99999999% durability, just as I assume they often make backups (it's not like it would be expensive for them to backup mailing lists every hour or so).

If they went out of business then I would also assume they would give customers at least several months to export their mailing lists.

Edit: for some reason I'm not allowed to post new comments (presumably because of the downvotes to my other comments), so I'll just reply here: Would it be naive/fraudulent to promise the same durability as the storage service you're using? After all you're just feeding the data to their service through their API. I of course wouldn't promise this kind of up-time, but once the data is successfully saved then I fail to see why it would be wrong to make such claims. Assuming you also made regular backups of the data you feed to their services (which I certainly hope MailChimp do) then you can be even more confident that the data won't be lost. If Google/Amazon banned the accounts storing the mailing lists then I'm sure it could be recovered, especially by a company of MailChimp's size.

In response to your edit -

I think it's okay to extend your durability promise to your clients, but durability isn't the same metric as availability as you've alluded to in your edit. I typically tell customers our product's durability is an extension of AWS's via a BAA. If I had to shut down a product and needed to provide the data for export, it would be simple to throw them in AWS s3 by client ID and let them sit there, but you're going to have to budget a big chunk of money for it. The only way you get a green light to have that budget is if you are contractually bound to do it. I believe a lot of companies (mine included) do have those contractual obligations in place already, but I honestly don't think what I have in mind to meet the contract, and the user's expectations are aligned. Is it the raw data they passed via API that I return or the enriched data we produced that I return? If it's the latter, we're going to need more money as that will be exponentially more information to store for export.

This is a reasonable assumption. 95% of companies have backups (just don't ask about restore!) and 90% of companies will take reasonable measures to give you your data if they are going out of business.

Those numbers are not the 99.999% you quoted and you really shouldn't think they are. If you promised your customers five nines reliability based on the one-two nines of your free suppliers, that's somewhere between disingenuous naivete and fraud.

Sure.. FAANG has insane 9 uptimes. Good for them.

What about when accounts are locked for users due to $reasons? What do those downtimes look like? I've heard enough horror stories to be wary of any one provider.

Thanks for answering! I think your perspective is becoming more common. It's not like MailChimp is a start-up, so these assumptions aren't inherently crazy.

At some point people started expecting unreasonable things from random free services on the internet. I still think it's ridiculous.

I hope that in the future, schools will also teach some basics of computer hygiene in IT classes, and how to behave on the internet.

Things like what internet services are, why backups are important, and how to practically do them, how to evaluate risks when communicating on the internet, how people are harmed on the internet (typical scams, phishing, running untrusted programs, ransomware,...), what privacy is on the internet, how to choose passwords, etc.

Yes, it's fair to say that the expectation presented by the FAANGs are polluting the general expectations of users. You have to live up to a higher standard which often requires you to leverage their cloud offerings. This higher expectation isn't necessarily a bad thing on its face as a better user experience often helps your business succeed.

It would be wonderful if we taught people how to navigate the digital age. It would be similar to a driving course or personal finance. I know I had none of the above when I went through school, so I won't hold my breath, but I would support an initiative to provide more practical skills in school.

> I never used MailChimp but if I did then I would assume that the mailing lists I built with their service would be 99.999% secure, and that I'd always be able to access it even if they went out of business.

You're saying you never used service X, yet you would absolutely trust service X and assume that even when service X is out-of-business, you can access data related to you.

That's very surprising to read, I'm exactly the opposite - own your data, don't trust any service, they always can go away, at any random moment.

This makes me wonder, what is more popular? Absolute trust or -ENOTRUST?

Yes, because their entire business model is built around email marketing, and despite not using MailChimp then they're as far as I know the biggest player. Give me a couple of hours and then I can guarantee 99.999999% durability for almost no cost through Google/Amazon services. I would be very sad if MailChimp can't guarantee the same.

Edit since I can't reply: We're talking about durability of their mailing lists, not uptime. At least that's my intention. That Google/Amazon or MailChimp might experience downtime doesn't have any impact on the durability promises. I would also expect MailChimp (rather than all their customers) to do regular backups.

Uptime for themselves != Uptime for customers

You absolutely have to consider TOS, account disablement, and other service provider-caused downtime.

And from what I've seen, no uptime calculation adds in account issues like this. And I'd really like to see how fast their resolution is.

OP here. It never crossed my mind that MC would cut me off like this with no warning and no possibility of recovery.

Lesson learned.

Any company is liable to data loss or even sudden company collapse. You don’t need to fear them deciding to cut you off in order to be backing up.

I had enough faith in MC's ability to keep their own backups that accidental data loss was a risk I was willing to accept. It never occurred to me that they would intentionally do something so counterproductive as shut off my account with no warning and no possibility of recovery (or so they said -- see https://news.ycombinator.com/item?id=18717279).

There's an app for this - https://stompapp.xyz/

But Mailchimp really should be making it easy for you to make your own mail backups!

If you're looking for alternatives, I can't recommend MailWizz + Amazon SES enough. You can host it on a $5 VPS and you pay just what you consume from Amazon.

Last I checked SES had quite poor deliverability, at least compared to MC, sendgrid &co. Has that improved?

Some years ago MailChimp decided to act as a cash cow, invest very little if anything (except a recent redesign). Mandrill still isn't integrated after they combined the two services some years ago.

(PS: We've been a customer for many years but migrated away lately)

Reminds me of when MailChimp quadrupled Mandrill prices, with almost no notice. Severe disruption to our company; I had to pull engineers off key projects to migrate our email system.

I'm not sure why people keep trusting them given their track record.

That incident still gets me angry. Migrating wasn't a horrible experience but the way they went about it demonstrated they couldn't be trusted with anything remotely mission-critical.

It seems like any MailChimp mailing list emails containing the word "crypto" set off automated systems which result in account bans.

This is an extremely poor anti-spam "heuristic" (if it even deserves to be called that) and I would never do business with a company that handles anti-spam like this.

240 comments and not a single one defending Mailchimp.

Over the years, there are many articles on HN about Mails. And the general ( or even golden rule ) was not to setup your own server, it is too much hassle, waste of time. And just use something like MailChimp instead.

I think there might be a few mention for Mailgun, but most of the time it was MailChimp for recommendation.

And over the years NOT A SINGLE report or comment of their bad experience. It was all singing and praise.

Now something happened, and all of a sudden you get a huge flux of people mentioning it was similar to their own experience as well.

And this isn't the first time I see something like this. It wasn't until the ZOHO incident did people start telling their horror story about Namecheap and Godaddy.

Is there a psychological term for this? You knew it was bad, but you didn't tell your story then.

I can certainly sympathize with this. Over the past 20 years I've gotten bit several times by 3rd party email services shutting down with little or no notice and even had access to my email services sold to spammers by the providers I was paying for it.

The last time it happened I'd created a "Mandrill" account while developing an app and just a few weeks before releasing it I got a notice saying "Mandrill has been acquired by MailChimp" and I would need to create a new account with MailChimp.

That was last straw for me using 3rd Party email services. I spent the next several weeks setting up a "MAIB" (Mail-in-a-Box) server on a DigitalOcean VPS.

Setting up that server on DigitalOcean had its own hurdles I didn't see coming, one of which was my MAIB server IP was black listed before I even sent an email because it was running on the DO platform. I contacted DOs support and all they could offer was "We recommend you don't use DO for email servers". Apparently spammers find it appealing to do this too so some email services, like AOL, Hotmail, etc block everything coming from DO and require you request to be whitelisted.

Because of that it ended up taking a few more months to reveal and deal with all the issues that popped up and that was painful too. It ended up being worth the effort though.

It's been working great for over 2 years now and there are some additional benefits I'd not expected when I first started working on it. One of the biggest is MAIB has a built-in DNS server too. I didn't use it at first but after playing with it a bit I ended up moving all my sites over to it and configuring my desktop Mac to use it first.

Given the chance the only thing I'd do different is to set up my own email server before I ran into this kind of "Mailchimp" problem again (because my experience is it will) so I could work through those issues first and transition to it from a 3rd party service at my leisure.

It's not an easy slog, but MAIB made it a hellava lot easier.


I run my personal mailserver on a DigitalOcean VPS, but I wouldn't recommend it. I've never had blacklisting issues and email works fine over IPv4, but outbound connections on all mail ports (25, 109, 110, 143, 465, 587, 995; not 993, oddly) are silently dropped over IPv6. They assign each host an IPv6 /124, instead of a /64 or better like other providers, so they block outbound SMTP for spam prevention. The other blocked ports aren't documented and I've had a support ticket open since November about getting them unblocked that looks like it won't be resolved anytime soon.

DO has been great for everything else I hosted there, but they're a bad choice for a mailserver.

I can't say I'd recommend DO for an email server either. I wasn't blacklisted per se, I was blocked before I even sent any email and needed to be whitelisted.

I won't say DO is a bad choice for a mailserver, nor a good one. I just did a quick search to see if that's changed in the past few years and came across "Helm", but that's not really a "good" option either.

The real problem is there is no "good" choice for a dedicated mailserver or service provider.

Once again, the lesson shines through the "clouds"; Data that isn't on your hard disk isn't yours.

“Service Xyz suddenly canceled my account and banned me for no reason and I no longer have access to critical data!”

How many times does this story have to be posted for us as a user community to get some sense and stop relying on unaccountable cloud services to host critical data or perform critical tasks? It seems like a similar story gets posted every week. Back up your data, people, and whenever possible, self-host.

For every online account you have, ask yourself: what is the consequence of me permanently losing this account and all data associated with it? If the answer is “catastrophic loss” then FFS do something about it!

I agree Tech companies are getting more and more away from the customer[1], due to policies that are non-disclosed. BUT in your case - give it some time. This is premature. [1]https://www.rollingstone.com/politics/politics-features/who-...

MailChimp removed half my users from a mailing list that I hadn't sent out recently claiming lots of unverified sign-ups and spam complaints. The sign-ups were all through MailChimp, so I don't know why they didn't like them. Actually I suspect MailChimp may have sent out on the list without my permission for an extra GDPR handshake and triggered a list of spam complaints.

MailChimp likes doing stuff like this.

When I once travelled to Ghana, I discovered that because I was in Ghana, they blocked my entire account without warning.

I just exported my subscriber list for safe keeping. If I could automate this as a monthly job that would be even better.

Hey, I'm building a tool that does exactly this. It automatically backs up your email subs and stores them in google sheets. It's still in dev, but feel free to subscribe https://stompapp.xyz/

I've used an app for this - https://stompapp.xyz

As a general practice for disaster recovery, I think it would be good to automate a regular backup of your MailChimp account https://mailchimp.com/help/export-and-back-up-account-data/

Coming from being a former MailChimp tech support agent (regular tech support, not compliance support), I can say that while I was in tech support, all account data is accessible on the company’s backend and for closed accounts, their data is available for 3 months after the close date. Open accounts aren’t pushed to dormant status until 2 years after no send and no login activity. Pretty happy that I’m no longer there; MailChimp was fine but they don’t pay their support agents enough for the kinds of stress and bad management they have to go through.

I see why people like using something like MailChimp - but I would personally never do (nor advocate) doing so. Your mailing list(s) / subscribers are very valuable. Not controlling these entities and relying on MailChimp to handle them well is... well, quite a bet I would not want to take. Stories like the one referenced are quite common and even though these are outliers I would not like playing with these odds.

Mailchimp disabled my account the other day without any clear explanation on why. Seems to me like some automation went wrong on their side.

after seeing this thread, I checked my idle but (paying for it for years) mailchimp account which had some possibly value hundred or two hundred emails, and it too seems to have been disabled this year... and I definitely have invoices from mailchimp as recently as March 2018 .... :(

shitty way to handle a pure profit easy paying customer

Mailchimp is garbage. They are bad people working there. I wouldn't use it to send e-mails to my dead cat.

What’s missing in the context here really is whether he was a commercial customer or not. If this was a commercial account, then this truly is shameful. If it was a free account, then it’s just another story of unjustified internet-age entitlement.

Create back-up copies of any list, data, etc. that matters to you. I backed up my Mailchimp list a couple months ago with exactly this scenario in mind. It's a minor chore to do so. But it sure beats having years of data vanish.

I'm working on a backup tool https://github.com/max-arnold/mailchimp-backup

I expect to finish it within a week or so.

I had an issue with SendGrid where they deleted my client's account. The account had been created by a person in South America (at one of their offices) but with a Canadian corporate credit card. I guess they assumed it was fraudulent and suspended the account without contacting us 2 days after we had subscribed and already put the account into production. They had zero phone support available, and the online support was inaccessible without an account (even to dispute an account suspension, very 'Catch-22.') I had to call their headquarters and leave voicemails on random mailboxes just to reach somebody with the ability to review the account suspension.

Same thing happened to me at a previous company. We moved to SendGrid and were very happy with them.

ITT TIL MailChimp sucks.

thank you for reminding me to backup my list...

Our business was on MailChimp years ago.

We were on a paid tier. In 2012 we decided to try sending our own email via arpReach + SES. Once we set this up we asked MailChimp how to pause our paid account. We wanted to stop sending email and return to a free account until we needed MailChimp again.

Their response was that there was no way to do that... I recall it being something like "we do not like" or "do not allow" customers to return to free accounts. You could either keep paying, or delete your account and everything in it.

We'd already moved our MailChimp-collected emails over to arpReach (on our own server). At that point, I just opted to delete our MailChimp account.

Everything was fine while we used them. But that strange incident left a really bad taste in my mouth; it was one I never forgot.

Yeah, MailChimp support is absolutely terrible. And it literally looks like they don't care about it at this point. I stopped using them a few months back and moved to SendX. The experience with their support team has been phenomenal.

Good luck with MailChimp. Their API has been broken for months, and completely breaks their marketing automation/trigger tools. Zero help/support.


I'm sick and tired of this kind of reasoning. Sure, you can use something else, but that's not the point. The point is that a company cannot just delete your fucking account without even bothering to notify you, especially when we're talking about B2B services. The guy was bleeding leads without even knowing because MailChimp decided that it was too much of a trouble to properly inform their client. Fuck that shit. Just because we're engineers doesn't mean we don't expect a certain amount of proper support like every other non tech savvy person out there. The mantra that everything can be solved with algorithms is having really shitty implications when it comes to operating a business.

What if it was a free account?

Why offer free accounts if you don't want to support them? If google decided to close gmail or youtube without any prior notice, I'm pretty sure a lot of people would be pissed off, and rightly so.

Obviously to attract customers to your paid tiers, eventually.

People's gmail/youtube accounts are routinely closed without prior notice.


So we need to know this is happening so we can plan accordingly. I'm glad I saw this today, we will be better prepared.

hacker news is customer support?

Hacker News is where you go, when customer support does not respond, or (in this case) responds so poorly you feel the need to tell the "tech world". Besides Twitter, I'd say the best way to shame a tech company would be Hacker News, given how many employees of said tech company and other influential people frequent this forum.

If this was a free plan, do not expect much help. If this is a paid plan, totally unacceptable.

> I really don't like to resort to public shaming, but this really is unacceptable.

Public shaming works quite well on HN; I remember quite a few cases when the problem was solved very quickly by hitting the front page.

However, in this case I'd give MailChimp more time. It seems the author contacted them today. Maybe there is a reasonable explanation and they will provide it tomorrow?

There could also be some selection bias here. I always wonder how many other attempts at public shaming never make it anywhere.

I've been locked out of my Amazon and AWS account for more than two weeks despite numerous phone calls to Amazon support and desperate pleading on social media. "We are still looking into this matter for you." I could post some nasty blog post but I have really little faith it would get me anywhere.

I can't speak for using AWS, but Amazon customer support in general is awful. Recently, my girlfriend was unable to get into her account. When she would try, it would say she had the wrong password. When she would try to reset the password, it would say the account didn't exist. When she gave up and just tried to recreate the account it wouldn't let her because it said the account already existed. During this process, she also accidentally created and gained access to an account using an email address that belongs to someone else with the same name.

She called Amazon support. The first person she talked to just told her to do all the things she had already done. She humored them by repeating the steps. She told the support person it wasn't working. The support person said she couldn't be helped because she wouldn't do the steps. My girlfriend asked to speak to someone else who could help her and the support person hung up on her. She called back and had to talk to two other people before she finally got someone who would help her. (Once she did, it was a process of about 30 seconds to resolve the problem!)

She received some gift cards from a couple of her clients and when she clicked the link, it credited them to the wrong account (the one with the wrong email). She had to call support again and although their solution was ultimately quick and simple it took another 30 minutes of nonsense on the phone to get there.

My experience is similar since it's with Amazon support and separate from AWS. My account, encompassing everything covered by my Amazon credentials, was put on hold for "address verification" two weeks ago and handed to the "Accounts Team". This means, no buying anything on Amazon for the holidays and zero access to my AWS account, Lambdas, S3 buckets, etc. Just a mind-numbing cycle of phone trees and "we are looking into this".

I cannot even sign into my Washington Post subscription. Thanks, Bezos!

It's been two days since this was written. Presumably the nuclear option of posting it to HN was deferred to give Mailchimp the opportunity to fix things.

Edit: Also, considering the author's fame, I expect public shaming on HN will work quite nicely.

It didn't work the first (or second) time that this article was submitted. There was no waiting done here.

Indeed. I have found that the best way to get a company to respond to a complaint in a reasonable manner is to post your complaint on their facebook or twitter profile. It's a shame that it needs to be like this.

Depends on the company.

Some simply delete complaints and block the people who left them...

The best way to get satisfaction (in the UK at least) seems to be to get a tabloid journalist involved....

Can confirm.

Sent eBay a private message on both Twitter and Facebook. Facebook's was read and ignored.

Posted the complaint on their fb page wall. It was automatically deleted.

What worked was commenting on their post.

I bet it sucks that the user didn't get a warning or notification...

...but as normal user of email, I appreciate a heavy hand when it comes to email lists which mailchimp deems malicious or bad for its ecosystem. It's no secret that mailchimp maintains a high standard for the quality of lists and email it delivers. The common thread in these stories seems to be malicious actors, poor/spammy content, etc. So I'm not sure it's so bad?

Has anyone with a "typical" (e-commerce shop, saas newsletter, etc) mailchimp list been shutdown without notice?

Well, OP's business seems pretty typical to me?

I am appalled reading this!! How can someone keep your data hostage like this? Especially (in this case) for no apparent mistake of yours! Really sad that a company like MailChimp who knows (or should know) what an Email list really means to a business would respond in such an irresponsible manner and deprive you of your own data.

I run an email marketing company called - SendX https://www.sendx.io and would be happy to help you in whatever way possible to get you up and running with Email Marketing again. Feel free to hit me up at mayank@sendx.io . Would personally ensure that our team helps you out with this asap.

Can personally vouch for the SendX team. I moved from MailChimp to SendX three months back, and it's been absolutely great so far.

And you made a brand new HN account 12 minutes after the parent. Thank you for your personal and totally inconspicuous vouch. :P

You really need to give the service a reasonable amount of time to respond to any ticket. Agree an account, paid or free, should not be deleted without notification but you need to be reasonable and give people time to resolve issues. Sometimes you can be pleasantly surprised.

Last week I had one of the best support experiences I've ever had with spotify through twitter DMs. 100% my own fault where I had signed up twice by accident by missing the "." in my email address and hadn't noticed I was being billed twice/month for 10 months. A few questions over and back getting to the bottom of the issue and it was resolved within an hour and my €100 refunded in 3 days.

Maybe I'm just feeling reasonable after my experience with spotify, if it was my account deleted maybe I'd feel different or maybe it's just the season of goodwill :-)

OP here. I did wait several hours, but this was (and still is) a security issue so it really couldn't wait.

Also, MC did eventually respond. They refused to reactivate my account.

Out of technical curiosity, how did they resolve the situation of duplicate accounts: just deleted one, or merged the data on them in some way?

They deleted the account without the "." as it had never really been used.

Hmmm... This poster has noticed an issue on 17th, mailed support and without waiting to see if there's any reply or resolution, decided to blog publicly about it the same day... seems definitely premature, maybe borderline of questionable professionalism.

It appears MailChimp has a chat option for support on weekdays for paid users but since this hasn't been used, one would assume the poster is using a free plan - not exactly exemplary practice for handling anything "mission-critical".

OP here. I waited several hours between contacting MC and posting the blog entry. This was (and still is) a time-sensitive mission-critical issue. I have customers I cannot contact about a potential security flaw in my product. Happily, I need to contact them to tell them that my product is NOT affected, but it could easily have been otherwise, and in the future it might be otherwise. This is an existential threat to my customers and my business. Damn right I'm not going to wait around.

FWIW, MC did respond, saying essentially that there is nothing they are willing to do, and that I need to create a new account. I have written them back asking if I will be able to access my old mailing list from my new account (obviously the answer to that is going to be "no" but I want to get it on the record). They have not responded.

It sounds like you afforded more notice to MailChimp than they did for you.

Just because someone is a dick to you doesn't mean that you should be a dick back. Especially when you have no leverage.

Well, the only leverage he has is creating bad social media PR, and it seems to be working pretty well.

It almost sounds like they don't want your customers to know your product is not affected. Hypothetically speaking, could one of your clients make a possibly bad hasty security move by being under the impression your product is vulnerable?

I would give you very long odds that no one at MC had a clue who I was before this story showed up on the front page of HN. My mailing list is very small (it's a very niche product) and I hardly use the MC account (which was the problem to begin with). I'm sure I just got caught in their process. I'm equally sure that their process was designed to thwart abuse, which is surely a major problem for them. (In fact, it is surely the major problem for them!) But it just seems to me that they just didn't think it through. This whole unfortunate situation could have been avoided with a single automated email drawing my attention to the fact that my account was about to be closed for inactivity.

It's unprofessional to write a blog post about your account getting deleted without notice? Mailchimp is a business, and the relationship between a person and a business is not friendship. When they shut down an account without notice blogging about it (in a non-accusatory manner no less) is completely reasonable. This isn't a smear job.

Talking in public about the manner in which businesses conduct themselves is a good thing. It benefits businesses with good customer service and hurts those with bad service. More transparency is good for consumers and for businesses alike.

Are you in any way affiliated directly or indirectly with MailChimp? Reason for my concern is that this is not an exemplary practice to do victim bashing either. Even if OP is a "free" customer, he has some right to complain. Companies usually don't provide a "free" tier by goodness of their heart and have a legitimate business plan to do so.

There are a couple of lessons to be learned from this:

* Make sure to have a plan B for all service providers that you use for critical services.

* Make sure you have a secondary copy of critical data, and that you store it responsibly in case a provider does something.

That still doesn't excuse not informing the account holder, but given the short time that has passed, it is possible that task has ended up in someone's backlog.

If it ended up in someone's backlog, then MailChimp still screwed up because the "suspend account" button should automatically send a notification (even if it only said that more information will follow).

I'd also add one item to your list: Proper monitoring (which is extremely difficult and time-consuming to set up). A plan B is useful if you know that you need to enact it. Here, the third party provider had silently caused an outage, possibly because they consider shadow bans more effective without considering that the same thing that makes them effective makes them extremely damaging when they're handed out incorrectly.

Good point! Monitoring is also one of those critical things one should always have.

Nope, no connections whatsoever. In fact I work at a place a few orders of magnitude bigger than what MailChimps of the world would handle...

Shit happens from time to time in business and the normal approach is you connect and discuss by whatever SLAs you align to. You don't scream publicly sullying reputations unless you've given resolution a reasonable shot. Waiting less than 1 business day doesn't seem like giving resolution a reasonable shot. If it were my business, I'd fire this poster as a client.

> Shit happens from time to time in business

This is the kind of apologetics I can't stand. These things happen because businesses knowingly take actions that negatively affect a small percentage of their user base, but they just don't care if the percentage is small enough.

Software businesses enjoy extremely high gross margins, which means they can afford first-rate customer service. "Bad things happen" isn't an excuse.

Oh my god, so salty!

But here's the deal, and this might be directly aimed at you, since you say you're in the field. As a home-user who works in the industry and with some interest for tech, I generally only get access to the free-tiers of services offered by players working at world-magnitude. Based on my experience with those services I may or may not advertise them to my friends, colleagues, employers. Especially to employers, because there's a good chance that if there's bad-blood between me and the service provider personally, I might be impaired in my professional activity.

This word-of-mouth type of advertising is crucial to "2.0" companies, that function based on things such as scale, transparency, growth, reach, efficiency. There's also the different type of provider, the "old business" world, with more business-y and less tech-y practices, such as "call us for a quote" deals, "license per year per seat per server core", etc. Dealing with them often times involves whole departments (legal + technical) with specific training and paid-for support channels.

If you release and roll perpetuum-beta services and software ("2.0" practice), build your brand on word-of-mouth advertising, on try-for-free honeypots for hobbyists (also "2.0"), don't act "old business" if it comes down to support for a puny user and don't push the "well, it was free, what would you expect?" button. The whole deal of your "we are awesome and scale as opposed to <brand that existed for more than 20 years and sucks just because of that>" is the fact that your machinery doesn't do politics and doesn't discriminate between your users based on estimated pocket girth. It's useless if your solution elegantly "scales" to billions of users, if your business can't secure and treat with dignity the first, lonely user.

> Shit happens from time to time in business and the normal approach is you connect and discuss

Which is exactly what MailChimp failed to do, and what makes this an issue worth the treatment the OP has given it.

If the chat option is for paid users, I'm not sure that would have been useful if the account was deleted.

Fair point. Though I suspect many more warning signs would have come up given billing is involved.

Assuming the author is truthful, then I'd say Mailchimp's actions are a lot more questionable. Shutting the account down without a warning? Making it impossible for him to see his mailing list even if the ban was deserved? I don't know about you but I'd never want to use a mailing service if I knew that I at any time could lose access to the mailing list I had spent months/years building up..

My own experience with mailchimp was very brief.

Created an account, verified my email address. Then I sent a test email to the same email I verified my MC account with.

Immediately, MC disabled my account's ability to send emails. My appeal to support was ignored and eventually, the account was deleted - banned.

Couldn't agree more. Any business who respects the customer would know that this type of stuff is totally unacceptable, and the list is a huge money maker for anyone. I got really pissed with MailChimp and their support for exactly these reasons and decided to move to SendX. That's it, haven't looked back ever since and I don't think I ever will unless something major goes wrong.

> seems definitely premature, maybe borderline of questionable professionalism

So basically, if that person was a plumber, and a bath they installed worked perfectly, you'd now think maybe that was a fluke, because their professionality is "borderline questionable" (is that like borderline borderline, or questionably questionable?)

Yet you say you "don't scream publicly sullying reputations" -- so they're not professional, and now they're "screaming", both of which are things you are creating, while they're stating the cold facts, and they just don't happen to be flattering.

That you can be "professional" without being good, at all, just shows how meaningless that word is.

So, besides blaming the victim your point is?
