Mailchimp lost another customer after a recent breach. Earlier this week, cloud computing vendor DigitalOcean shared the details of the incident, saying it exposed the email addresses of its customers and that unauthorized password resets were even attempted.
DigitalOcean revealed that it first noticed the problem on August 8, when its customers stopped receiving transactional emails from the company, only to discover that its account had been suspended by Mailchimp. Later, the cloud infrastructure provider received an email from Mailchimp saying it had temporarily disabled the company’s account “due to terms of service violation.” Soon after, DigitalOcean received customer reports of password resets that had happened without the account owners’ knowledge.
“Recognizing a likely connection between our sudden loss of transactional email, and potentially malicious password resets, which are delivered via email, a security incident and investigation was launched in parallel with the teams addressing our email outage,” said Tyler Healy, VP Security at DigitalOcean. “One of the first discoveries was a non-DigitalOcean email address that appeared on a regular email from Mailchimp on August 7th. The [@]arxxwalls.com email was not there on a similar Mailchimp email on August 6th. This led us to strongly believe our Mailchimp account was compromised.”
Mailchimp didn’t release any comment addressing this specific incident, but it did clarify why it suspended accounts without notice. On August 12, the email marketing company published a short blog post:
“In response to a recent attack targeting Mailchimp’s crypto-related users, we’ve taken proactive measures to temporarily suspend account access for accounts where we detected suspicious activity while we investigate the incident further. We took this action to protect our users’ data, and then acted quickly to notify all primary contacts of impacted accounts and implement an additional set of enhanced security measures. We did not suspend accounts based on their industry, and we are committed to continuing to serve crypto companies.”
Healy added that Mailchimp formally notified the company about the unauthorized access only on August 10. DigitalOcean believed the incident was caused by “an attacker who had compromised Mailchimp internal tooling” and said that its own investigation led it to an IP address pushing the password reset to a number of its customer accounts.
“Our internal logging indicated the attacker IP address x.213.155.164 had successfully changed the password, but in the case below, failed to access the account due to the second-factor authentication on the account. The attacker did not attempt to complete the second factor,” Healy shared. “Correlating password reset events from the attacker IP address via our API logging, we confirmed the small number of DigitalOcean accounts targeted by malicious password resets, though not all resets were successful.”
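The correlation Healy describes, pivoting on the attacker’s source IP across API logs and checking whether a second factor was ever completed, is shown below as an added example; it is not DigitalOcean’s own tooling. The event names, record layout and log lines are constructed for illustration, and the masked IP from the article is used only as a placeholder value.

```python
"""Correlate password-reset activity by source IP over constructed API log lines.

Added example, not DigitalOcean's or Mailchimp's code. Event names, fields and
the sample records are constructed; the attacker IP is the masked placeholder
the article quotes, not a real address.
"""
from collections import Counter, defaultdict

# Constructed sample API log (not real data): one record per event.
SAMPLE_LOG = [
    {"ts": "2022-08-07T10:01:00Z", "event": "password_reset_requested", "account": "acct-001", "ip": "x.213.155.164"},
    {"ts": "2022-08-07T10:02:30Z", "event": "password_changed",         "account": "acct-001", "ip": "x.213.155.164"},
    {"ts": "2022-08-07T10:02:45Z", "event": "mfa_challenge_issued",     "account": "acct-001", "ip": "x.213.155.164"},
    # acct-001: second factor never completed, no login follows (the case Healy describes)
    {"ts": "2022-08-07T10:05:00Z", "event": "password_reset_requested", "account": "acct-002", "ip": "x.213.155.164"},
    # acct-002: reset link never used, password unchanged
    {"ts": "2022-08-07T10:09:00Z", "event": "password_reset_requested", "account": "acct-003", "ip": "x.213.155.164"},
    {"ts": "2022-08-07T10:10:00Z", "event": "password_changed",         "account": "acct-003", "ip": "x.213.155.164"},
    {"ts": "2022-08-07T10:10:20Z", "event": "login_success",            "account": "acct-003", "ip": "x.213.155.164"},
    # acct-004: legitimate user on an unrelated IP, must not appear in the report
    {"ts": "2022-08-07T11:00:00Z", "event": "password_reset_requested", "account": "acct-004", "ip": "198.51.100.7"},
    {"ts": "2022-08-07T11:01:00Z", "event": "password_changed",         "account": "acct-004", "ip": "198.51.100.7"},
    {"ts": "2022-08-07T11:01:10Z", "event": "mfa_challenge_issued",     "account": "acct-004", "ip": "198.51.100.7"},
    {"ts": "2022-08-07T11:01:30Z", "event": "mfa_completed",            "account": "acct-004", "ip": "198.51.100.7"},
    {"ts": "2022-08-07T11:01:31Z", "event": "login_success",            "account": "acct-004", "ip": "198.51.100.7"},
]


def correlate_resets(log, attacker_ip):
    """Group events from attacker_ip by account and classify each account's outcome.

    Outcomes:
      requested_only      reset requested, password never changed
      blocked_by_mfa      password changed, MFA challenged but never completed, no login
      account_accessed    password changed and a login from the attacker IP succeeded
      changed_no_login    password changed but no login or MFA challenge seen (review manually)
    """
    by_account = defaultdict(set)
    for rec in log:
        if rec["ip"] == attacker_ip:
            by_account[rec["account"]].add(rec["event"])

    report = {}
    for account, events in by_account.items():
        if "password_changed" not in events:
            outcome = "requested_only"
        elif "login_success" in events:
            outcome = "account_accessed"
        elif "mfa_challenge_issued" in events and "mfa_completed" not in events:
            outcome = "blocked_by_mfa"
        else:
            outcome = "changed_no_login"
        report[account] = outcome
    return report


def accounts_to_secure(log, attacker_ip):
    """Accounts whose password was actually changed from the attacker IP.

    These need a forced credential reset and owner notification regardless of
    whether the attacker got past the second factor.
    """
    report = correlate_resets(log, attacker_ip)
    return sorted(a for a, o in report.items() if o != "requested_only")


def summarize(report):
    """Count accounts per outcome, e.g. for an incident status update."""
    return dict(Counter(report.values()))


if __name__ == "__main__":
    result = correlate_resets(SAMPLE_LOG, "x.213.155.164")
    for account, outcome in sorted(result.items()):
        print(f"{account}: {outcome}")
    print("secure:", accounts_to_secure(SAMPLE_LOG, "x.213.155.164"))
    print("summary:", summarize(result))
```

The classification deliberately treats a changed password as compromising even when MFA stopped the login, since the attacker still holds a valid credential until it is rotated; the second factor limits access, it does not undo the reset.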
DigitalOcean confirmed that the attack ceased after August 7 and that affected accounts were already secured by the team, with their owners notified about the email address exposure.
This is not the first time Mailchimp has suffered a breach. Back in April, hackers also gained access to the company’s internal tooling, affecting other customers, most notably open-source security hardware company Trezor. DigitalOcean said it learned a great deal from the incident, particularly about the importance of two-factor authentication. The company also said it ended its business relationship with Mailchimp on August 9.