This article delves into the recent Mailchimp security breach and how it affected DigitalOcean users. Additionally, it discusses the factors that contributed to the breach, the actions that were carried out to address it, and some key takeaways from the incident.
Companies such as Klaviyo, HubSpot, and Constant Contact have been the targets of malicious attacks in which actors used phishing or social engineering to gain access to employee credentials; however, the recent security breach that exposed DigitalOcean customer email addresses is cause for concern. Here’s a look at what happened and how DigitalOcean discovered it.
What Does DigitalOcean Say About the Security Incident?
According to DigitalOcean, the organization discovered that its Mailchimp account had been compromised on August 8. This realization came after it discovered that its emails, such as account confirmations and password resets delivered via Mailchimp, were no longer reaching its customers.
Following an investigation, they learned that their Mailchimp account had been suspended without prior notice or explanation. Mailchimp sent an automated email stating that the account had been temporarily disabled due to a “terms of service” violation. Mailchimp sent the same message to others in the cryptocurrency industry, fueling speculation that the company had kicked crypto content creators off its service.
Key Insights of the Mailchimp Security Incident as Shared by DigitalOcean
Here is a detailed look into the facts shared by DigitalOcean, regarding the Mailchimp security incident:
- Incident Discovery: According to the organization, they discovered the breach on August 8 when Mailchimp disabled their account without warning. This Mailchimp account was used by DigitalOcean to send email confirmations, password reset notifications, and alerts to customers.
- Notification by Existing Customer: On the same day, they received a notification from a customer that their password had been reset without authorization.
- Unauthorized Email Address: Following an investigation, DigitalOcean discovered that an unauthorized email address from the @arxxwalls.com domain had been added to their Mailchimp account and was being used in emails from August 7.
- Migration of Email Services: On August 9, DigitalOcean officially migrated its email services away from Mailchimp. However, there was no response yet from Mailchimp about the security incident that happened on August 8.
- Official Notification by Mailchimp on August 10: DigitalOcean states that it contacted Mailchimp after suspecting that its Mailchimp account had been compromised but didn’t hear back until August 10. On that day, Mailchimp formally notified DigitalOcean of unauthorized access to its account by a threat actor who had gained access to Mailchimp’s internal support tools.
What Happened During the Mailchimp Security Incident at DigitalOcean, and What Did DigitalOcean Discover?
According to DigitalOcean’s investigation, the threat actor attempted to gain access to DigitalOcean accounts by performing password resets using stolen customer email addresses. These password reset requests were sent from the IP address x.213.155.164.
On the other hand, accounts protected by multi-factor authentication (MFA) were not compromised by the password reset attempts. DigitalOcean found a single IP address pursuing password resets. Internal logging revealed that the attacker’s IP address x.213.155.164 had successfully changed a password, but the attacker could not access the account because the second authentication factor blocked the login.
DigitalOcean confirmed that a small number of DigitalOcean accounts were targeted by malicious password resets by correlating password reset events from the attacker’s IP address using their API logging. Despite this, not all resets were successful.
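The correlation described above, the kind of query an incident responder would run over API audit logs to find one source IP driving resets across many accounts and to see which of those resets were stopped by a second factor, as an added example. This is not DigitalOcean’s or Mailchimp’s code: the JSON-lines log format, event names, account names and IP addresses are constructed for illustration, and the attacker IP is a placeholder rather than the partially redacted address quoted in the article.

```python
"""Correlate password-reset events by source IP over an API audit log.

Added example; not DigitalOcean's tooling. Field names, event names and
all sample values below are constructed (assumptions, not real data).
"""
import json
from collections import defaultdict

# Constructed JSON-lines audit log. 198.51.100.7 stands in for the attacker;
# 203.0.113.5 is an ordinary user resetting their own password.
SAMPLE_LOG = """\
{"ts":"2022-08-08T01:02:03Z","event":"password_reset.requested","account":"alice","src_ip":"198.51.100.7"}
{"ts":"2022-08-08T01:02:09Z","event":"password_reset.completed","account":"alice","src_ip":"198.51.100.7"}
{"ts":"2022-08-08T01:02:20Z","event":"login.mfa_challenge_failed","account":"alice","src_ip":"198.51.100.7"}
{"ts":"2022-08-08T01:05:00Z","event":"password_reset.requested","account":"bob","src_ip":"198.51.100.7"}
{"ts":"2022-08-08T01:05:30Z","event":"password_reset.completed","account":"bob","src_ip":"198.51.100.7"}
{"ts":"2022-08-08T01:05:45Z","event":"login.success","account":"bob","src_ip":"198.51.100.7"}
{"ts":"2022-08-08T01:07:00Z","event":"password_reset.requested","account":"carol","src_ip":"198.51.100.7"}
{"ts":"2022-08-08T02:00:00Z","event":"password_reset.requested","account":"dave","src_ip":"203.0.113.5"}
{"ts":"2022-08-08T02:00:40Z","event":"password_reset.completed","account":"dave","src_ip":"203.0.113.5"}
{"ts":"2022-08-08T02:01:00Z","event":"login.success","account":"dave","src_ip":"203.0.113.5"}
"""


def parse_log(text):
    """Parse one JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def resets_by_ip(events):
    """Map each source IP to the set of accounts it requested resets for."""
    by_ip = defaultdict(set)
    for e in events:
        if e["event"] == "password_reset.requested":
            by_ip[e["src_ip"]].add(e["account"])
    return by_ip


def suspicious_ips(events, min_accounts=2):
    """IPs that requested resets on at least min_accounts distinct accounts.

    One user resetting one account is normal; one IP resetting many is the
    pattern the article describes, so the threshold is the detection knob.
    """
    return {ip: sorted(accts) for ip, accts in resets_by_ip(events).items()
            if len(accts) >= min_accounts}


def triage_accounts(events, ip):
    """Per-account outcome of reset activity from one IP, in log order.

    'requested'            reset asked for but never completed
    'password_changed'     reset completed, no login attempt seen yet
    'reset_blocked_by_mfa' password changed but the MFA challenge failed
    'reset_and_login'      password changed and a login succeeded
    """
    outcome = {}
    for e in events:
        if e["src_ip"] != ip:
            continue
        acct, ev = e["account"], e["event"]
        if ev == "password_reset.requested":
            outcome.setdefault(acct, "requested")
        elif ev == "password_reset.completed":
            outcome[acct] = "password_changed"
        elif ev == "login.mfa_challenge_failed" and outcome.get(acct) == "password_changed":
            outcome[acct] = "reset_blocked_by_mfa"
        elif ev == "login.success" and outcome.get(acct) == "password_changed":
            outcome[acct] = "reset_and_login"
    return outcome


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, accounts in suspicious_ips(evs).items():
        print(f"{ip}: resets on {len(accounts)} accounts {accounts}")
        for acct, result in triage_accounts(evs, ip).items():
            print(f"  {acct}: {result}")
```

Running it flags only the placeholder attacker IP, and the triage shows the three cases the article distinguishes: a reset that changed the password but was stopped at the MFA challenge, a reset that led to a successful login on an account without a second factor, and a reset that was requested but never completed. The `reset_and_login` accounts are the ones to treat as compromised and the `requested`/`password_changed` ones to watch; the legitimate single-account reset from the other IP never enters the suspicious set.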
Mailchimp’s Response: What Security Measures has Mailchimp Taken?
Mailchimp reported that attackers are increasingly using a variety of sophisticated phishing and social engineering techniques to target the data and information of organizations that deal with cryptocurrencies.
Mailchimp, in response to the recent attack, implemented the following proactive measures:
- Temporarily revoked access to accounts where suspicious activity was found.
- Alerted the primary contacts of all affected accounts so they could implement an additional set of improved security measures to protect their data.
DigitalOcean on Guard: Steps Taken by DigitalOcean Following the Incident
Although DigitalOcean has switched to a different email service provider, it is reported to be evaluating enabling two-factor authentication by default for all DigitalOcean customer accounts as a result of the security breach. DigitalOcean also shared the following takeaways.
- Adoption of Two-Factor Authentication: Two-factor authentication prevented the attacker from fully compromising the accounts of a small number of customers. DigitalOcean will work with customers to increase 2FA adoption.
- Improved Handling of Third Parties: As an infrastructure provider, DigitalOcean says it invests heavily in maintaining its own infrastructure, and that the way it relies on third-party services can be improved.
- Enhanced Security Models: A violated chain of trust can have serious repercussions because the environment is sensitive. DigitalOcean said it must improve its threat models and security visibility across its third-party SaaS and PaaS environments.
Should You be Concerned About the Security Incident at Mailchimp?
As the number of cyberattacks increases, companies are becoming more cautious in order to defend themselves against intrusion. Though businesses have responded by increasing their security expenditures and implementing more complex defenses, keeping up with the dangers that may emerge in the next few years is likely to be difficult.
However, despite the ever-increasing cybersecurity dangers and threats to organizations, many businesses are yet to implement cybersecurity policies. According to a recent Upcity study,
- 50% of respondents said, “We currently have a cybersecurity strategy we abide by.”
- 30% said, “At the moment, we don’t have a cybersecurity plan, but we plan on constructing one in 2022.”
- 20% said, “At the moment, we do not have a cybersecurity plan and do not anticipate developing one anytime soon.”
The costs of cybercrime include data loss and destruction, stolen money, productivity losses, intellectual property theft, theft of personal and financial data, embezzlement, fraud, disruption of normal business operations following an attack, forensic investigations, the restoration and deletion of hacked systems and data, and reputational damage.
According to Cybersecurity Ventures, worldwide cybercrime costs will increase by 15% each year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.
Now that you know what happened and which security steps Mailchimp and DigitalOcean took, the lesson is to follow digital and email security principles and practices consistently, and to use online tools that support them.
We close with one guideline: although email marketing providers may have been the source of these breaches, it is every organization’s responsibility to investigate and evaluate the third-party risks of employing such services so that security breaches are avoided.
However, there is no need to be concerned because DigitalOcean claims that when the protection of its customers is challenged, they respond immediately, interact transparently, and assume responsibility, even if the incident’s root cause occurs outside the DigitalOcean system’s perimeter.