DigitalOcean customers affected by Mailchimp “security incident”

A recent attack targeting crypto-related users of Mailchimp has ended up affecting users of cloud infrastructure provider DigitalOcean, the latter company has announced on Monday.

“On August 8th, DigitalOcean discovered that our Mailchimp account had been compromised as part of what we suspect to be a wider Mailchimp security incident that affected their customers, targeted at crypto and blockchain. From that Mailchimp incident, we suspect certain DigitalOcean customer email addresses may have been exposed,” shared Tyler Healy, VP Security at DigitalOcean.

What happened?

Mailchimp is an email marketing automation platform, which DigitalOcean uses – or did use, until this incident – to deliver “email confirmations, password resets, email-based alerts for product health, and dozens of other transactional emails” to its users.

“At 3:30pm ET on August 8th, 2022 transactional emails from our platform, delivered through Mailchimp, stopped reaching our customers’ inboxes,” Healy explained.

“During that same timeframe on August 8th, our Security Operations team was made aware of a customer who claimed their password had been reset, without their initiation. Recognizing a likely connection between our sudden loss of transactional email, and potentially malicious password resets, which are delivered via email, a security incident and investigation was launched in parallel with the teams addressing our email outage.”

The investigation discovered that DigitalOcean’s Mailchimp account had been compromised, and soon after suspended by Mailchimp.

Also, that the compromised Mailchimp account provided the attacker with email addresses of DigitalOcean customers, allowing them to initiate malicious password resets against a “limited set” of accounts.

Some of the password reset attempts were not successful, but some were. At least one account takeover attempt was foiled by the fact that the attacker wasn’t able to get their hands on the second authentication factor needed to access to the account.

Healy said that the customers’ accounts that have been targeted “have been secured, and [it’s owners] have been contacted directly.”

Attempted compromise via third party

The incident spurred DigitalOcean to end their collaboration with Mailchimp and go with another email service provider.

The company also learned that the chains of trust, when broken, can have significant downstream consequences. “Our threat models and security visibility must improve in our third-party SaaS and PaaS environments,” Healy noted.

Finally, the incident will spur them to push customers towards enabling 2-factor authentication on their account, while they are simultaneously thinking about making “two-factor authentication on-by-default for all DigitalOcean customer accounts.”

Since the attacker grabbed customer emails addresses, the company is also warning users about possible phishing attempts in the coming weeks.

In third-party-compromise-related news, the recent Twilio breach has resulted in the compromise of phone numbers or SMS verification codes of 1,900 registered Signal users.