Lack of MFA May Have Caused Sendgrid Account Compromise


Email Service Provider Moving to Implement Additional Security Measures


Security professionals are expressing surprise that email service provider Sendgrid did not have multifactor authentication in place to protect its customer accounts, resulting in a large but undisclosed number of accounts being compromised, with their data being sold on the darknet.


“It’s actually quite shocking that an organization that works with business customers for marketing purposes didn’t already have multi-factor authentication in place for users, and implementing it as a requirement is a critical first step that should happen urgently,” says Torsten George, cybersecurity evangelist with security firm Centrify.

Sendgrid’s parent firm, Twilio, tells security blogger Brian Krebs that the company is in the process of requiring multifactor authentication for all its accounts. Currently, the hacked accounts are being used in phishing and email-based malware attacks, Krebs reports.

“It’s positive to see that parent company Twilio is already working on this,” George says. “The Sendgrid hack is a reminder of the importance of identity management for all businesses.”

Twilio creates APIs that businesses use to communicate with their customers through Twilio’s platform via email, text and video, essentially making the company a middleman in the communications process.

The company has not publicly released any information on the number of accounts involved or how they were compromised. Twilio does list Lyft, Airbnb and Netflix among its customers, and MediaPost reports the company signed a contract with 28 cities, states and universities to handle contact tracing for their COVID-19 programs covering about 150 million people.

A company spokesperson could not be immediately reached for additional comment.

Reusing Old Credentials

James McQuiggan, security awareness advocate at KnowBe4, notes it’s important for businesses and consumers to change their password if they believe it was compromised, adding that previously stolen credentials may have been used to gain access to the Twilio accounts.

“The account compromises may have occurred from previous exploits and attacks against breached organizations who also happen to use Sendgrid. Considering the users are logging in with their business email, the cybercriminals have collected millions of email and password accounts from other cyberattacks,” McQuiggan says.

Fraudsters and cybercriminals take it for granted that login credentials are reused and can use the credentials they already hold to conduct a brute-force attack on Sendgrid accounts, he says.

“Without MFA, the user account will never know someone is trying to log into Sendgrid with their account,” McQuiggan notes.

George agrees that the only way to ensure security is to reset passwords immediately.

“In the meantime, Sendgrid customers should immediately change their passwords, ensuring they are unique and complex,” George says. “They should also make sure any other accounts that used the same Sendgrid password are updated as well. This is because cybercriminals will use stolen passwords in credential stuffing attacks, which use breached details to break into other accounts using the same login information.”
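The pattern McQuiggan and George describe, breached credentials replayed against many accounts with no second factor to stop the hits, is what a defender would hunt for in the provider's login audit logs. The following added example is mine, not code from the article, Sendgrid or Twilio; the log fields, thresholds and sample events are constructed assumptions.

```python
# Added example (not from the article or from Twilio/Sendgrid): spot the
# credential-stuffing pattern the article describes in authentication logs.
# Breached password lists are replayed against many accounts from few sources,
# so a source IP that tries many distinct usernames with mostly failures and
# then succeeds on a few is the signal a defender wants; without MFA the
# successful ones are the compromised accounts.
from collections import defaultdict

# Constructed sample events: (source_ip, username, outcome). Real logs would be
# parsed from the provider's login audit feed (field names are assumed).
SAMPLE_EVENTS = [
    ("198.51.100.7", "alice@corp.example", "fail"),
    ("198.51.100.7", "bob@corp.example", "fail"),
    ("198.51.100.7", "carol@corp.example", "success"),
    ("198.51.100.7", "dave@corp.example", "fail"),
    ("198.51.100.7", "erin@corp.example", "fail"),
    ("198.51.100.7", "frank@corp.example", "fail"),
    ("203.0.113.5", "alice@corp.example", "fail"),
    ("203.0.113.5", "alice@corp.example", "success"),  # one user, one mistyped password
]

def detect_credential_stuffing(events, min_accounts=5, min_fail_ratio=0.6):
    """Return {ip: {"accounts": n, "fail_ratio": r, "hits": [usernames]}} for
    source IPs that tried at least `min_accounts` distinct accounts with a
    failure ratio of at least `min_fail_ratio`. `hits` lists accounts that
    logged in successfully from such an IP and should be treated as
    compromised (password reset, session revocation, MFA enrolment)."""
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0, "hits": []})
    for ip, user, outcome in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["total"] += 1
        if outcome == "fail":
            s["fails"] += 1
        else:
            s["hits"].append(user)
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["total"]
        if len(s["users"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {"accounts": len(s["users"]),
                           "fail_ratio": round(ratio, 2),
                           "hits": sorted(s["hits"])}
    return flagged

def accounts_to_reset(events):
    """Usernames that authenticated successfully from a flagged source."""
    return sorted({u for f in detect_credential_stuffing(events).values() for u in f["hits"]})

if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_EVENTS))
    print(accounts_to_reset(SAMPLE_EVENTS))
```

The single-user source with one failure then one success is deliberately not flagged, since a normal typo must not trigger the same response as a stuffing run.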