Suspected Account Compromise


What is an account compromise?

An account compromise occurs when an unauthorized actor gains access to your user account. This could allow the attacker to view, steal, or alter sensitive information and possibly misuse your account for malicious purposes, such as sending phishing emails or exporting customer data.

How can you tell if your account has been the victim of an account compromise?

Signs your Klaviyo account may have been compromised include:

  • Receiving password reset emails you didn’t request, or “login alert” emails that don’t seem right, such as New Device or Unrecognized Location emails.
  • Noticing unfamiliar changes to your account settings or email templates.
  • Seeing campaign, flow, list, segment, or profile activity you didn’t initiate.
  • API calls coming from an unrecognized source, or API activity performing actions you don’t expect.
  • Being unable to log in with your existing password (if it was changed by someone else).

What do you do if you suspect your Klaviyo account has been compromised?

  • Immediately reset your password using a strong, unique passphrase.
    • Note: This will automatically end all sessions on your account, meaning anyone with access will be removed.
  • Enable or review Multi-Factor Authentication (MFA) on your account (if available).
  • Revoke suspicious or unfamiliar API keys from your account settings.
  • Check recent activity (flows, campaigns, exports) for anything unauthorized.
  • Report the incident to Klaviyo support at abuse@klaviyo.com and your internal IT/security team.

How to prevent account compromise

  • Use strong, unique passwords or passphrases for your Klaviyo account - never reuse passwords across sites.
    • Consider using a password manager; many are free or inexpensive and help you protect your data with minimal friction.
  • Enable strong Multi-Factor Authentication (MFA) to add an extra layer of security.
  • Review and manage your account’s users and permissions regularly; remove old or unused users.
    • Ensure you’re never sharing login credentials between multiple people - you can have as many people as you want on your Klaviyo account for free. Shared user accounts make it impossible for you to tell who took an action in your account, and also make it harder for Klaviyo to detect if someone is accessing your account who shouldn’t.
  • Review and manage your account’s API keys and scopes regularly; rotate or delete old or unused keys, and ensure they are not posted in plain text anywhere.
  • Be wary of phishing attempts; never enter your Klaviyo credentials after clicking a suspicious link.
  • Monitor your account activity for any unusual logins or actions.
  • Educate your team about security best practices and common social engineering tactics.
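The two recurring checks in this list, reviewing API keys for age, disuse and over-broad scopes, and comparing logins against the devices and locations you have seen before, can be scripted once and run on a schedule. The following is an added example written for this article, not Klaviyo's own code: the record layouts (`API_KEYS`, `LOGIN_EVENTS`, `KNOWN_BASELINE`) are constructed sample data with assumed field names, not Klaviyo's actual API or export format, and the thresholds are assumptions you would tune to your own policy.

```python
"""Audit helper for stale or over-scoped API keys and unrecognized logins.

Added example, not Klaviyo code. Field names and sample records below are
constructed assumptions, not Klaviyo's real API or export format.
"""
from datetime import date, datetime, timezone

# Fixed reference time so the example gives the same result on every run.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_KEY_AGE_DAYS = 90   # assumed policy: rotate keys older than this
MAX_IDLE_DAYS = 30      # assumed policy: keys unused this long are delete candidates
MAX_SCOPES = 3          # assumed policy: more scopes than this is treated as over-broad

# Constructed inventory of API keys (assumed layout).
API_KEYS = [
    {"id": "key-01", "label": "shopify-sync", "created": "2024-05-10",
     "last_used": "2024-05-31", "scopes": ["lists:read", "profiles:write"]},
    {"id": "key-02", "label": "old-zapier", "created": "2023-11-01",
     "last_used": "2024-01-15", "scopes": ["profiles:read"]},
    {"id": "key-03", "label": "unknown", "created": "2024-05-29",
     "last_used": "2024-05-30",
     "scopes": ["profiles:read", "profiles:write", "lists:write", "campaigns:write"]},
]

# Constructed login events (assumed layout).
LOGIN_EVENTS = [
    {"user": "alice@example.com", "ts": "2024-05-30T09:12:00Z", "country": "US", "device": "dev-aaaa"},
    {"user": "alice@example.com", "ts": "2024-05-31T02:45:00Z", "country": "BR", "device": "dev-zzzz"},
    {"user": "bob@example.com", "ts": "2024-05-31T10:00:00Z", "country": "US", "device": "dev-bbbb"},
    {"user": "contractor@example.com", "ts": "2024-05-31T11:30:00Z", "country": "US", "device": "dev-cccc"},
]

# What you already know about each user: devices and countries seen before.
KNOWN_BASELINE = {
    "alice@example.com": {"countries": {"US"}, "devices": {"dev-aaaa"}},
    "bob@example.com": {"countries": {"US"}, "devices": {"dev-bbbb"}},
}


def _days_since(iso_date: str, now: datetime = NOW) -> int:
    """Whole days between an ISO date (YYYY-MM-DD) and the reference time."""
    return (now.date() - date.fromisoformat(iso_date)).days


def audit_api_keys(keys, now: datetime = NOW):
    """Return (key_id, recommendation) pairs for keys that need attention."""
    findings = []
    for key in keys:
        kid = key["id"]
        if _days_since(key["created"], now) > MAX_KEY_AGE_DAYS:
            findings.append((kid, "rotate: older than %d days" % MAX_KEY_AGE_DAYS))
        if key["last_used"] is None:
            findings.append((kid, "delete: never used"))
        elif _days_since(key["last_used"], now) > MAX_IDLE_DAYS:
            findings.append((kid, "delete: not used in %d days" % MAX_IDLE_DAYS))
        if len(key["scopes"]) > MAX_SCOPES:
            findings.append((kid, "review: %d scopes granted" % len(key["scopes"])))
    return findings


def flag_logins(events, baseline):
    """Return login events whose country or device is new for that user.

    A user with no baseline at all is flagged too: you cannot say the login
    is expected if you have never recorded that user's normal activity.
    """
    flagged = []
    for ev in events:
        seen = baseline.get(ev["user"])
        reasons = []
        if seen is None:
            reasons.append("no baseline for user")
        else:
            if ev["country"] not in seen["countries"]:
                reasons.append("new country %s" % ev["country"])
            if ev["device"] not in seen["devices"]:
                reasons.append("new device %s" % ev["device"])
        if reasons:
            flagged.append({"user": ev["user"], "ts": ev["ts"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for kid, reason in audit_api_keys(API_KEYS):
        print("API key %s -> %s" % (kid, reason))
    for hit in flag_logins(LOGIN_EVENTS, KNOWN_BASELINE):
        print("Login %s at %s -> %s" % (hit["user"], hit["ts"], "; ".join(hit["reasons"])))
```

Run on the constructed data, the key audit reports the old, idle integration key for rotation and deletion and the recently created four-scope key for review, while the login check surfaces the overnight login from a new country and device plus the user with no baseline. Feeding it your real key inventory and login alert emails (the New Device and Unrecognized Location alerts mentioned above) gives you the same review as a repeatable check rather than an occasional manual look.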