Cloud giant DigitalOcean says that some customers’ email addresses were exposed because of a recent “security incident” at email marketing company Mailchimp.
In a scant blog post dated August 12, just two days after the company’s co-founder and long-time CEO Ben Chestnut stepped down, Mailchimp said a recent but undated attack saw threat actors targeting data and information from “crypto-related companies” using phishing and social engineering tactics. Mailchimp hasn’t yet shared any further details about the incident — or responded to TechCrunch’s questions — just months after hackers compromised an internal Mailchimp tool to access information on 300 accounts.
While Mailchimp is keeping quiet, DigitalOcean is not, after confirming it also fell victim to the attack.
In a blog post, DigitalOcean’s head of security Tyler Healy said the company discovered its Mailchimp account was compromised on August 8 after finding its emails, like account confirmations and password resets delivered via Mailchimp, stopped reaching its customers. Its investigation found that DigitalOcean’s Mailchimp account was suspended without warning or explanation. An automated email from Mailchimp said the account had been temporarily disabled due to a “terms of service” violation. Mailchimp sent the same message to others working in the crypto industry, fueling speculation that the company had dropped crypto content creators from its service.
At the same time, Healy says DigitalOcean’s security team was made aware by one of its customers who claimed their password was reset without their consent.
DigitalOcean says it took two days for the company to receive a response from Mailchimp, confirming on August 10 that DigitalOcean’s account was compromised and that Mailchimp suspended the account as a result. DigitalOcean said it understands that an attacker “compromised Mailchimp internal tooling.”
Healy said a “very small number” of DigitalOcean customers experienced an attempted compromise of their accounts through password resets. TechCrunch asked DigitalOcean how many users were affected but has yet to receive a response.
In its short explanation of the incident, Mailchimp says it took “proactive measures to temporarily suspend account access for accounts where we detected suspicious activity while we investigate the incident further,” adding: “We took this action to protect our users’ data, and then acted quickly to notify all primary contacts of impacted accounts and implement an additional set of enhanced security measures.”
In an email sent to one affected customer that TechCrunch has seen, Mailchimp said it became aware of “potential unauthorized activity” in the users’ account and advises “letting your contacts know they should be extra vigilant about any phishing attacks that appear to come from your company or company’s account.”
Mailchimp said it has notified affected customers directly. DigitalOcean said it has migrated its email service away from MailChimp.
DigitalOcean noted that the use of two-factor authentication saved a handful of customers targeted by the attacker from complete account compromise and, as such, the company is planning to implement two-factor security by default for all DigitalOcean accounts.
“The ecosystem is fragile, and chains of trust, when broken, can have significant downstream consequences,” said Healy.
News of Mailchimp’s breach lands not long after encrypted messaging app Signal said it was affected by the recent breach of Twilio. a provider of SMS and voice communications. Signal said attackers accessed phone numbers and SMS verification codes for 1,900 users.