New York-based cloud infrastructure provider DigitalOcean recently issued a warning that a security breach at US marketing platform Mailchimp had exposed the email addresses of some of its customers. A small number of these individuals also had their passwords reset without giving authorisation.
Discovery of a data leak
DigitalOcean stated that it first learned of the incident after Mailchimp disabled the provider’s account without any warning in early August. DigitalOcean had been using the Mailchimp account to issue email confirmations, alerts and password reset notifications to its customer base.
The provider added that on August 8, the same day its Mailchimp account was deactivated, a customer informed its security team that their password had been reset without their authorisation. On investigation, DigitalOcean found that an unauthorised email address on the domain arxxwalls.com had been added to its Mailchimp account and had been used in emails sent from August 7 onwards.
Fearing that its Mailchimp account had been compromised, the provider contacted the email marketing company but did not receive a reply until August 10, when it learned that a threat actor had gained access to Mailchimp's internal support tools.
A security advisory from DigitalOcean explained:
“We were formally notified on August 10th by Mailchimp of the unauthorised access to our and other accounts by what we understand to be an attacker who had compromised Mailchimp internal tooling.”
Further investigation showed that the attacker used the stolen customer email addresses to request password resets on the corresponding DigitalOcean accounts in an attempt to take them over. The reset requests were traced to a single IP address, x.213.155.164.
Many of the targeted accounts had multi-factor authentication enabled, which blocked the takeover attempts: a reset password on its own does not satisfy the second factor.
Dissatisfied with the security offered, DigitalOcean has since switched to a new email service provider. The firm has also notified the affected customers about the breach.
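The pattern described above, password resets requested for many customer addresses from one source IP with MFA deciding which accounts were actually exposed, is something an authentication service can detect from its own logs. The following is an added example and not DigitalOcean's or Mailchimp's code; the log line format, field names, IP addresses, ten-minute window and five-account threshold are all assumptions, and the sample log lines are constructed.

```python
"""Flag a password-reset spray from a single IP and list the accounts
that lack MFA (the ones a successful reset would actually hand over).

Added example; log format, thresholds and sample records are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. Assumed format:
# <ISO timestamp> <event> ip=<addr> account=<email> mfa=<yes|no>
SAMPLE_LOG = """\
2022-08-08T09:00:01Z password_reset_requested ip=203.0.113.7 account=alice@example.com mfa=yes
2022-08-08T09:00:03Z password_reset_requested ip=203.0.113.7 account=bob@example.com mfa=no
2022-08-08T09:00:05Z password_reset_requested ip=203.0.113.7 account=carol@example.com mfa=yes
2022-08-08T09:00:06Z password_reset_requested ip=203.0.113.7 account=dave@example.com mfa=no
2022-08-08T09:00:09Z password_reset_requested ip=203.0.113.7 account=erin@example.com mfa=yes
2022-08-08T09:00:12Z password_reset_requested ip=203.0.113.7 account=frank@example.com mfa=no
2022-08-08T09:30:00Z password_reset_requested ip=198.51.100.9 account=grace@example.com mfa=yes
2022-08-08T10:15:00Z login_success ip=203.0.113.7 account=alice@example.com mfa=yes
2022-08-08T10:16:00Z password_reset_requested ip=192.0.2.44 account=heidi@example.com mfa=no
"""


def parse_line(line):
    """Parse one log line into a dict; raises on malformed input."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event,
        "ip": fields["ip"],
        "account": fields["account"],
        "mfa": fields["mfa"] == "yes",
    }


def find_reset_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: {"accounts": [...], "at_risk": [...]}} for every IP that
    requested resets for at least `min_accounts` distinct accounts inside
    any `window`-long interval. "at_risk" lists the hit accounts without MFA.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    resets = [e for e in events if e["event"] == "password_reset_requested"]

    by_ip = defaultdict(list)
    for e in sorted(resets, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    hits = {}
    for ip, evs in by_ip.items():
        start = 0
        sprayed = False
        # Sliding window over this IP's reset requests, oldest to newest.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["account"] for e in evs[start:end + 1]}
            if len(distinct) >= min_accounts:
                sprayed = True
                break
        if not sprayed:
            continue
        accounts = sorted({e["account"] for e in evs})
        mfa_by_account = {e["account"]: e["mfa"] for e in evs}
        hits[ip] = {
            "accounts": accounts,
            "at_risk": [a for a in accounts if not mfa_by_account[a]],
        }
    return hits


if __name__ == "__main__":
    for ip, info in find_reset_spray(SAMPLE_LOG).items():
        print(f"{ip}: {len(info['accounts'])} accounts targeted, "
              f"no MFA on {info['at_risk']}")
```

The accounts in "at_risk" are the ones whose reset tokens should be invalidated and whose owners should be contacted first; accounts with MFA still merit notification, since the attacker has confirmed the address is valid. Only reset-request events are counted, so ordinary logins from the same IP do not dilute the window.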
Mailchimp offers information on attack
A security advisory issued by Mailchimp on August 12 stated that the recent attack on its systems was aimed at cryptocurrency-related users. The email marketing company commented:
“In response to a recent attack targeting Mailchimp’s crypto-related users, we’ve taken proactive measures to temporarily suspend account access for accounts where we detected suspicious activity while we investigate the incident further. We took this action to protect our users’ data, and then acted quickly to notify all primary contacts of impacted accounts and implement an additional set of enhanced security measures.”
Speaking to the technology news site BleepingComputer, Mailchimp added that its systems had been breached through social engineering and phishing, which gave the attackers access to more than 200 Mailchimp accounts.
DigitalOcean is not the only firm to have had its Mailchimp account disabled without notice. Other customers whose accounts were suspended without notification include Edge Wallet, NFT creators, Cointelegraph, Ethereum FESP, Decrypt and Messari. Nor is this the first time Mailchimp's internal tooling has been breached: in April this year, another attack was aimed at crypto-related customers.
Mailchimp continues to investigate the breach and its teams are working to reinstate customer accounts.