Developer cloud infrastructure provider DigitalOcean Holdings Inc. is warning some customers today that their email addresses may have been exposed following a new data breach at Intuit Inc.-owned email marketing provider Mailchimp.
The breach, the second this year after an earlier one in April, was disclosed by Mailchimp in a notice published Aug. 12. The breach was described only as a “security incident targeting crypto companies.” Mailchimp said it had “taken proactive measures to temporarily suspend account access for accounts where we detected suspicious activity.”
The notice, however, appears not to have fully conveyed the extent of the breach. BleepingComputer reported today that DigitalOcean was first informed of the breach on Aug. 8 and that the company had been using its Mailchimp account to send email confirmations, password reset notifications and alerts to customers.
In a blog post, DigitalOcean said it first became aware of an issue when its Mailchimp account was suspended. After receiving a notification from Mailchimp, DigitalOcean then learned that a customer’s password had been reset without the customer having initiated it.
“Recognizing a likely connection between our sudden loss of transactional email, and potentially malicious password resets, which are delivered via email, a security incident and investigation was launched in parallel with the teams addressing our email outage,” DigitalOcean said.
Unlike the scant details provided by Mailchimp, DigitalOcean’s investigation identified an IP address used by the attackers operating the compromised email accounts to target its customers. The attackers used the compromised accounts to send fake password reset emails to customers. The link in those emails took customers to a fake website that prompted them to enter their existing passwords.
DigitalOcean did say it believes that only a “very small number” of customers were targeted by fake password reset requests and that those who may have been affected have been informed. Because of the attack, DigitalOcean said that it had migrated its email services away from Mailchimp.
“This is another example of a situation where a security incident at one point in the supply chain has caused significant issues for their customers,” Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “For cybercriminals, gaining access to an email service such as Mailchimp could reap huge benefits as they would be able to send phishing emails to customers from a known and trusted account.”
Customers of DigitalOcean should be on alert for potential phishing emails that seem like they come from the organization, Kron added. “Organizations that use the Mailchimp service should be asking tough questions of the provider,” he said. “Educating employees on how to spot and report email phishing is an important security control for organizations of all sizes, especially given the damage suffered by falling for a phishing attack.”
Matt Chiodi, chief trust officer at cybersecurity firm Cerby Inc., also warned that the breach highlights the risk of applications that don’t support common security standards such as single sign-on.
“Security and IT teams focus the majority of their time on crown jewel applications like Salesforce, SAP and legacy applications,” Chiodi explained. “While this is important, they have a massive gap in their security posture. Every enterprise uses unmanageable applications, so instead of going after the crown jewels directly, criminals go through the back door – breaking in through these cloud applications that don’t support common security standards.”