Cloud infrastructure company DigitalOcean disclosed that a Mailchimp security breach exposed its customer email addresses.
The marketing automation platform unexpectedly disabled DigitalOcean’s Mailchimp account, preventing email confirmations, password resets, alerts, and transactional emails from reaching its customers.
On the same day, a customer complained that their email password was reset without their consent. Separately, DigitalOcean received an email from Mailchimp saying its account was disabled for violating Mailchimp’s terms of service.
DigitalOcean connected the two events and launched an investigation that discovered a suspicious email address was added to its Mailchimp account profile.
The email address appeared on an email from Mailchimp on August 7 but was absent from the same email sent on August 6. DigitalOcean escalated the issue on August 8 using various channels and only received a response on August 10.
“We were formally notified on August 10th by Mailchimp of the unauthorized access to our and other accounts by what we understand to be an attacker who had compromised Mailchimp internal tooling,” DigitalOcean explained.
Subsequently, DigitalOcean notified users whose customer email addresses were exposed in the Mailchimp security breach. A small number of DigitalOcean customers received unauthorized password reset requests, many of which were unsuccessful.
According to DigitalOcean, the attacker changed one user’s password but could not complete a “second-factor authentication” nor did they attempt to bypass the feature. DigitalOcean did not provide the number of customer email addresses targeted.
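DigitalOcean found the intrusion by comparing two vendor emails by hand and then saw password resets that stalled at the second factor. Both signals can be automated. The script below is an added example written for this article, not code from DigitalOcean or Mailchimp; the account-profile snapshot format, the authentication event names and the log lines are constructed assumptions, as are the addresses in them.

```python
"""
Two defender-side checks motivated by the DigitalOcean/Mailchimp incident:
 1. profile drift: flag addresses that appear in a newer snapshot of a vendor
    account's notification contacts but were absent from the previous snapshot;
 2. reset abuse: flag accounts whose password was reset but whose second-factor
    challenge was never passed (the pattern DigitalOcean reported), and accounts
    where a reset was requested but never completed.
All inputs are constructed sample data; field names and event names are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed snapshots of the "notification contacts" section of a vendor profile,
# standing in for the footers of the August 6 and August 7 emails.
SNAPSHOT_DAY_1 = {"contacts": ["ops@example.com", "billing@example.com"]}
SNAPSHOT_DAY_2 = {"contacts": ["ops@example.com", "billing@example.com",
                               "unexpected@unknown.example"]}


def added_contacts(previous, current):
    """Return contacts present in `current` but not in `previous`, keeping order.

    Comparison is case-insensitive because mail addresses are; a single new
    entry here is exactly the signal that triggered DigitalOcean's escalation.
    """
    seen = {addr.lower() for addr in previous["contacts"]}
    return [addr for addr in current["contacts"] if addr.lower() not in seen]


# Constructed authentication events: "<ISO timestamp> <event> <account>".
# Event names are assumptions, not any real provider's schema.
AUTH_LOG = """\
2022-08-08T09:00:01Z password_reset_requested alice
2022-08-08T09:00:05Z password_reset_completed alice
2022-08-08T09:00:40Z mfa_challenge_issued alice
2022-08-08T09:05:00Z password_reset_requested bob
2022-08-08T09:05:10Z password_reset_completed bob
2022-08-08T09:05:30Z mfa_challenge_issued bob
2022-08-08T09:06:00Z mfa_challenge_passed bob
2022-08-08T09:10:00Z password_reset_requested carol
"""


def parse_auth_log(text):
    """Parse the constructed log into (timestamp, event, account) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, account = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, account))
    return events


def flag_resets(events):
    """Map each suspicious account to a reason.

    'mfa_blocked'          : password changed, second factor challenged, never passed
    'reset_requested_only' : reset link requested, password never changed
    Accounts that completed both the reset and the MFA challenge are not flagged.
    """
    by_account = defaultdict(list)
    for _, event, account in sorted(events):
        by_account[account].append(event)

    flagged = {}
    for account, names in by_account.items():
        if "password_reset_completed" not in names:
            if "password_reset_requested" in names:
                flagged[account] = "reset_requested_only"
            continue
        if "mfa_challenge_passed" not in names:
            flagged[account] = "mfa_blocked"
    return flagged


if __name__ == "__main__":
    for addr in added_contacts(SNAPSHOT_DAY_1, SNAPSHOT_DAY_2):
        print(f"ALERT new vendor notification contact: {addr}")
    for account, reason in flag_resets(parse_auth_log(AUTH_LOG)).items():
        print(f"ALERT {account}: {reason}")
```

Run daily against an exported copy of each vendor account profile and the identity provider's reset and MFA events; an `mfa_blocked` hit is the case the article describes, where the second factor held but the password is already in the attacker's hands and must be rotated.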
“Two-factor authentication saved a handful of customers targeted by the attacker from complete account compromise. We will lean in with our customers to expand 2FA adoption,” DigitalOcean said.
DigitalOcean secured customers’ email addresses targeted in the Mailchimp security incident and migrated its email services away from Mailchimp.
Email system breaches can lead to significant downstream consequences
Addressing the security breach, the cloud infrastructure company warned of “significant downstream consequences” when “chains of trust” are broken.
“Attacks against email systems are one of the most impactful security events a company can face,” said Michael Oglesby, EVP, Security Services & Innovation at Cerberus Sentinel.
“Companies should ensure they have robust email security controls in place and regularly review the security of their email providers.”
Many customer email addresses targeted were used by organizations to manage critical services. Thus, a complete takeover could lead to the compromise of many downstream customers.
“This is another example of a situation where a security incident at one point in the supply chain has caused significant issues for their customers,” said Erich Kron, security awareness advocate at KnowBe4. “Unfortunately, the Mailchimp incident may have potentially led to downstream breaches of DigitalOcean customers by generating password reset requests, through no fault of their own.”
Kron says attackers could exploit compromised customer email addresses to send phishing emails from trusted accounts. Customers would subsequently blame DigitalOcean without attributing Mailchimp as the source of the breach.
“While useful, these sorts of vendor partnerships can unfairly taint an otherwise trustworthy brand, highlighting the importance of choosing vendors wisely.”
Mailchimp security breach targeted crypto and blockchain users
Mailchimp said the security breach originated from phishing and social engineering attacks targeting crypto and blockchain users. At least 214 customers’ accounts were compromised, according to the company.
The email marketing provider disabled the compromised customer accounts and commenced an investigation.
However, the pattern of events suggests that the attack came from the same threat actor who compromised Mailchimp’s internal tools. In March 2022, a similar incident compromised 300 accounts.
The security breach coincided with “Mailchimp’s de-platforming” of companies involved in cryptocurrencies without notice. The company confirmed on Twitter that “production, sale, exchange, storage, or marketing of cryptocurrencies” was not allowed. On its website, Mailchimp says “it may not allow businesses” offering services with “higher-than-average abuse complaints.” Such services include “cryptocurrencies, virtual currencies, and any digital assets related to an Initial Coin Offering.”
DigitalOcean provides infrastructure for crypto activity and was likely to be caught up in Mailchimp’s crypto crackdown. Coincidentally, Mailchimp’s stated reason for the suspension was a “terms of service violation.”