Junior cloud Digital Ocean has revealed that some of its clients’ email addresses were exposed to attackers, thanks to an attack on email marketing service Mailchimp.
This story starts last week when some of the blockheads in crypto-land noticed that email marketing service Mailchimp had suspended service for some of their fellow travellers. Reports such as this missive noted that Mailchimp has previously ditched crypto clients for generating more abuse reports than other customers, and the company’s Acceptable Use Policy therefore warns it may decide not to serve companies that offer “Cryptocurrencies, virtual currencies, and any digital assets related to an Initial Coin Offering.”
Some elements of crypto-land assumed hostility to crypto was behind the disappearance of some blockheaded newsletters sent by Mailchimp.
Intuit sued over alleged cryptocurrency thefts via Mailchimp intrusion
But last Friday the company statedan attack on its services was the reason for some newsletters blowing deadlines.
“Across the tech industry, malicious actors are increasingly deploying an array of sophisticated phishing and social engineering tactics targeting data and information from crypto-related companies,” states Mailchimp’s August 12th explainer. “In response to a recent attack targeting Mailchimp’s crypto-related users, we’ve taken proactive measures to temporarily suspend account access for accounts where we detected suspicious activity while we investigate the incident further.”
Digital Ocean on Monday revealed that on August 8th its engineering team noticed that Mailchimp had stopped delivering emails such as confirmations, password resets, email-based alerts for product health, and “dozens of other transactional emails”.
The reason for that outage was that Mailchimp had suspended Digital Ocean’s account, without any warning or explanation. Despite Digital Ocean being a cloud company that just last week announced its clients were undertaking less blockchain-related activity.
At around the same time, Digital Ocean’s security ops team “was made aware of a customer who claimed their password had been reset, without their initiation.”
Digital Ocean assumed that the email outage and unauthorised password reset were connected, and on August 8th asked Mailchimp for an explanation.
In Digital Ocean’s telling of the tale, it took two days before Mailchimp started talking – and involved its lawyers because the email company admitted to “unauthorized access to our [Digital Ocean’s] and other accounts by what we understand to be an attacker who had compromised Mailchimp internal tooling.”
While Mailchimp was figuring that out, Digital Ocean “decided to immediately migrate critical services away from Mailchimp to another email service provider.” The cloud provider was up and running with another email provided by 11pm ET August 9th.
Digital Ocean has vowed to learn from the experience by implementing two factor authentication more widely, and improving “threat models and security visibility” for its SaaS and PaaS providers so it can better understand how third parties can impact its reliability regimes.
A “very small” number of DigitalOcean customers “may have experienced attempted compromise of their accounts through password resets.” Those customers’ accounts have been secured, and the customers contacted.
Mailchimp’s explanation of the incident mentions only a continued investigation and an insistence it did not discriminate against crypto-centric clients. But the company’s statement does not mention its poor security record: in April 2022 it was cracked by crooks who stole crypto customers’ email lists. ®