Dive Brief:
- DigitalOcean migrated to a new email services provider after its account with Mailchimp was compromised by what it suspects is a larger security incident aimed at Mailchimp’s crypto and blockchain customers, the company said in a blog post released Monday. Mailchimp disclosed to DigitalOcean that an attacker had compromised its internal tooling.
- A number of DigitalOcean emails were exposed by the incident and unauthorized actors attempted to compromise a small number of DigitalOcean customers by resetting their passwords, the company said.
- DigitalOcean said it found a single attacker had initiated resets against a limited number of its accounts and successfully changed the passwords. However, the attacker was still unable to access the accounts due to two-factor authentication.
Dive Insight:
On the afternoon of Aug. 8, transactional emails sent through Mailchimp stopped reaching DigitalOcean customers, according to the DigitalOcean post. The Mailchimp account had been suspended and a notice went out to DigitalOcean saying the suspension was related to a temporary terms of service violation.
A DigitalOcean customer claimed their account password was reset on Aug. 8 without their initiation, so DigitalOcean launched an internal investigation. The company found a non-DigitalOcean email address on a regular Aug. 7 email from Mailchimp.
Mailchimp, in an Aug. 12 security announcement, said malicious actors have been targeting the crypto industry in order to access data through phishing and social engineering attacks.
Mailchimp temporarily suspended access to accounts where it detected suspicious activity.
A number of crypto industry executives accused Mailchimp of suspending their accounts with no advance warning, and said the company has been slow to respond to repeated queries about the suspensions.
Security researchers say the attempted compromise speaks to a larger set of concerns about the security of supply chains and how companies can lose the trust of customers when they fail to properly monitor their systems and communicate issues downstream.
Researchers are also raising questions about whether Mailchimp deployed the proper tools that could have prevented such an attack.
Matt Chiodi, chief trust officer at startup security firm Cerby, said the breach highlights the failure of organizations that don’t employ common security standards like single sign-on (SSO).
Noting the details of the Mailchimp compromise haven’t been made public, Chiodi told Cybersecurity Dive, “I can almost guarantee the vector is some combination of a Mailchimp employee being phished and a lack of SSO, combined with no multifactor authentication.”
The Mailchimp attack comes amid a larger wave of attacks targeting the email marketing industry, which opens up access to large numbers of customers.
Over the past year, companies ranging from Klaviyo to HubSpot and Constant Contact have been the targets of malicious attacks, with the actors using phishing or social engineering to access employee credentials, Alla Valente, senior analyst at Forrester, said via email.
“While the breaches may have originated with the email marketing providers, it's every organization’s responsibility to vet and assess the third-party risks of using these tools,” Valente said.
These technologies don’t get the same level of scrutiny as financial technologies or IT services, but they have access to a large amount of company data.
DigitalOcean admitted to customers that its threat models and security visibility need to improve in third-party SaaS and PaaS environments. The company also said it plans to lean in with customers on two-factor authentication and is evaluating two-factor authentication by default.
Editor’s note: This article has been updated to correct the spelling of Klaviyo.