How do I find the owner of a Mailchimp API key?

tl;dr Use TruffleHog to automate API key ownership detection (trufflehog analyze mailchimp). For a manual approach, query Mailchimp’s root API endpoint.

Identifying the Owner of a Mailchimp API Key

Mailchimp API keys provide access to account settings, email campaigns, and subscriber data. If an API key is exposed, identifying the owner is critical to prevent unauthorized access.

The best way to determine ownership is by using TruffleHog for automation, but you can also manually query Mailchimp’s API.

Option 1: Automating Ownership Detection with TruffleHog

Manually verifying API keys doesn’t scale. TruffleHog automates ownership identification and even checks key permissions.

Run the following command:

trufflehog analyze mailchimp

You'll be prompted to enter the API key securely.

How It Works:

  1. TruffleHog automatically determines the appropriate Mailchimp API subdomain to query.

  2. It authenticates with the provided Mailchimp API key.

  3. It queries the root API endpoint to retrieve account details.

  4. It outputs metadata such as the account owner's name, email, last login date, account name, and more.

Why Use TruffleHog?

Saves time – No need to manually configure API headers or parse responses.
Scales easily – Ideal for security teams scanning repositories or logs.
Immediate context – Quickly determine key ownership for faster incident response.
Permissions analysis – Identifies what access the API key grants.

Option 2: Using the Mailchimp API to Identify Key Ownership

If you prefer a manual approach, Mailchimp provides an API endpoint that returns the relevant details.

Steps to Identify the Key Owner:

  1. Identify the API key’s datacenter: it is the suffix that follows the final hyphen (-) in the key.

For example, a Mailchimp API key has the format abcdef123456-us7. The value us7 is the datacenter value and tells you which subdomain to call for the API.

  2. Make a GET request to Mailchimp’s root API endpoint, authenticating with the API key in the Authorization header. Note: you must insert the datacenter value from step 1 as the Mailchimp subdomain (for the example key above, that is us7.api.mailchimp.com).

curl -H "Authorization: Bearer <MAILCHIMP_API_KEY>" \
  https://<datacenter>.api.mailchimp.com/3.0

  3. Review the JSON response, which includes the key owner's details:

{
  "account_name": "John's Marketing",
  "email": "john.doe@johndoesmarketing.com",
  "first_name": "John",
  "last_name": "Doe",
  "last_login": "Jan 1, 2024"
}

  4. Key Fields to Look For:

  • account_name – Identifies the Mailchimp account associated with the API key.

  • email – The user’s email address.

  • first_name + last_name – The user’s actual name.

  • last_login – The last time the user logged in.
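The three manual steps above (and the same sequence TruffleHog runs under "How It Works") as a small Python script. This is an added example, not TruffleHog's or Mailchimp's own code: it assumes the key format <key>-<datacenter> and the root-endpoint fields shown in the article, and the SAMPLE_ROOT_RESPONSE and example key below are constructed. The live lookup also reports a 401 as "revoked_or_invalid", which is the answer you want to see once a leaked key has been revoked.

```python
# Added example (not TruffleHog's or Mailchimp's own code): the manual lookup from
# Option 2 as a script. Assumed: the key format "<key>-<datacenter>" and the
# root-endpoint fields shown in the article. The sample data below is constructed.
import json
import urllib.error
import urllib.request

OWNER_FIELDS = ("account_name", "email", "first_name", "last_name", "last_login")


def datacenter_from_key(api_key: str) -> str:
    """Step 1: the datacenter is everything after the last '-' (e.g. 'us7')."""
    key = api_key.strip()
    if "-" not in key:
        raise ValueError("expected '<key>-<datacenter>', e.g. 'abcdef123456-us7'")
    dc = key.rsplit("-", 1)[1]
    if not dc.isalnum():
        raise ValueError(f"unexpected datacenter suffix {dc!r}")
    return dc


def root_endpoint_url(api_key: str) -> str:
    """Step 2: the datacenter becomes the subdomain of the root API endpoint."""
    return f"https://{datacenter_from_key(api_key)}.api.mailchimp.com/3.0"


def owner_from_root_response(body: dict) -> dict:
    """Step 3: keep only the ownership fields from the root endpoint's JSON."""
    return {name: body.get(name) for name in OWNER_FIELDS}


def lookup_key_owner(api_key: str, timeout: float = 10.0) -> dict:
    """Live lookup: one GET with the key in the Authorization header.

    Returns {"status": "active", "owner": {...}} for a live key, or
    {"status": "revoked_or_invalid"} when the API answers 401 (the key no
    longer works, e.g. because it was revoked during incident response).
    """
    req = urllib.request.Request(
        root_endpoint_url(api_key),
        headers={"Authorization": f"Bearer {api_key}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return {"status": "active", "owner": owner_from_root_response(json.load(resp))}
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return {"status": "revoked_or_invalid"}
        raise


# Constructed sample response (not real data) mirroring the fields the article lists,
# plus one extra field to show that only the ownership fields are kept.
SAMPLE_ROOT_RESPONSE = {
    "account_id": "0123456789abcdef",
    "account_name": "John's Marketing",
    "email": "john.doe@johndoesmarketing.com",
    "first_name": "John",
    "last_name": "Doe",
    "last_login": "Jan 1, 2024",
}


if __name__ == "__main__":
    # Offline walk-through of steps 1-3 on a constructed key; lookup_key_owner()
    # is the function to call with a real key when you actually need to query.
    example_key = "abcdef123456-us7"  # constructed, not a real key
    print("datacenter:", datacenter_from_key(example_key))
    print("endpoint:  ", root_endpoint_url(example_key))
    print("owner:     ", owner_from_root_response(SAMPLE_ROOT_RESPONSE))
```

Run it as-is for the offline walk-through, or call lookup_key_owner() with the exposed key to perform the real query; a "revoked_or_invalid" result after you rotate the key confirms the revocation took effect.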

Why This Matters

Leaked Mailchimp API keys pose a moderate organizational risk, potentially exposing email lists, marketing campaigns, and subscriber data. Additionally, depending on the level of access, a threat actor could send legitimate emails on behalf of your company.

Security teams should: 

✔️ Immediately revoke exposed keys in the Mailchimp dashboard.
✔️ Notify the key owner and audit for unauthorized usage.
✔️ Rotate credentials and enforce scoped API permissions where possible.

TruffleHog makes finding and investigating leaked Mailchimp API keys fast and scalable.

For more on secret detection automation, visit the TruffleHog GitHub repository.