Cloud giant DigitalOcean says some customers’ email addresses have been exposed due to a recent “security incident” at email marketing company Mailchimp.
In a sparse blog post on August 12, just two days after company co-founder and longtime CEO Ben Chestnut stepped down, Mailchimp said a recent but undated attack saw threat actors targeting data from “crypto-related companies” using phishing and social engineering. Mailchimp has yet to share more details about the incident, or to answer TechCrunch’s questions, just months after hackers compromised an internal Mailchimp tool to access information on 300 accounts.
While Mailchimp has remained silent, DigitalOcean has not, confirming that it too fell victim to the attack.
In a blog post, DigitalOcean’s head of security Tyler Healy said the company discovered on Aug. 8 that its Mailchimp account had been compromised, after finding that emails delivered through Mailchimp, such as account confirmations and password resets, had stopped reaching its customers. The investigation found that DigitalOcean’s Mailchimp account had been suspended without warning or explanation. An automated email from Mailchimp said the account had been temporarily disabled due to a “terms of service” violation. Mailchimp sent the same message to others working in the crypto industry, fueling speculation that the company had kicked crypto content creators off its service.
At the same time, Healy said, DigitalOcean’s security team was notified by a customer who reported that their password had been reset without their consent.
DigitalOcean says it took two days to hear back from Mailchimp, which confirmed on August 10 that the DigitalOcean account had been compromised and that Mailchimp had suspended it as a result. DigitalOcean said it understands that an attacker “compromised Mailchimp’s internal tools.”
Healy said a “very small number” of DigitalOcean customers experienced attempts to compromise their accounts through password resets. TechCrunch asked DigitalOcean how many users were affected, but has yet to receive a response.
In its brief explanation of the incident, Mailchimp says it has taken “proactive measures to temporarily suspend account access for accounts where we have detected suspicious activity while we investigate the incident further,” adding: “We took this action to protect the data of our users and then acted quickly to notify all key contacts of the affected accounts and implement an additional set of enhanced security measures.”
In an email sent to one affected customer that TechCrunch saw, Mailchimp said it had become aware of “potential unauthorized activity” on users’ accounts and advised “notifying your contacts that they should be extremely vigilant for any phishing attacks that appear to come from your company or company account.”
Mailchimp said it has notified affected customers directly. DigitalOcean said it has migrated its email service off Mailchimp.
DigitalOcean noted that two-factor authentication saved a handful of customers targeted by the attacker from full account compromise, and as a result the company plans to enable two-factor authentication by default for all DigitalOcean accounts.
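The reason a second factor blunts this particular attack is worth making concrete: a password-reset link is only as private as the channel that delivers it, and here the delivery channel (the email service provider) was the thing compromised. The model below is an added illustration written for this page, not DigitalOcean’s or Mailchimp’s code, and every name in it (the `Esp` outbox, `AccountService`, `example.invalid` addresses) is a hypothetical stand-in. It sends reset tokens through a third-party mailer whose outbox an attacker can read, then shows that the stolen token yields a full takeover when the password is the only factor, but not when the account also requires a TOTP code (RFC 6238, the scheme authenticator apps implement) that never transits the mailer.

```python
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import Optional


def totp(secret: bytes, for_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), as an authenticator app computes it."""
    counter = int((for_time if for_time is not None else time.time()) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


@dataclass
class Esp:
    """Hypothetical third-party email sender. An attacker with access to its
    internal tools can read everything in the outbox, reset links included."""
    outbox: list = field(default_factory=list)

    def send(self, to: str, body: str) -> None:
        self.outbox.append((to, body))


@dataclass
class Account:
    email: str
    password_hash: bytes
    totp_secret: Optional[bytes] = None  # None means 2FA not enrolled


class AccountService:
    """Hypothetical account service that delivers password resets via the Esp."""

    def __init__(self, esp: Esp) -> None:
        self.esp = esp
        self.accounts: dict[str, Account] = {}
        self.reset_tokens: dict[str, str] = {}  # token -> email

    @staticmethod
    def _hash(password: str) -> bytes:
        return hashlib.sha256(password.encode()).digest()  # toy hashing, not for production

    def register(self, email: str, password: str, enrol_2fa: bool = False) -> Account:
        secret = secrets.token_bytes(20) if enrol_2fa else None
        acct = Account(email, self._hash(password), secret)
        self.accounts[email] = acct
        return acct

    def request_reset(self, email: str) -> None:
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = email
        self.esp.send(email, f"Reset your password: https://example.invalid/reset?token={token}")

    def reset_password(self, token: str, new_password: str) -> None:
        email = self.reset_tokens.pop(token)  # single use
        self.accounts[email].password_hash = self._hash(new_password)

    def login(self, email: str, password: str, totp_code: Optional[str] = None,
              now: Optional[int] = None) -> bool:
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(acct.password_hash, self._hash(password)):
            return False
        if acct.totp_secret is None:
            return True  # password-only account: the reset alone is a full takeover
        return totp_code is not None and hmac.compare_digest(totp(acct.totp_secret, now), totp_code)


def simulate_attack(enrol_2fa: bool) -> bool:
    """Attacker who can read the Esp outbox triggers a reset, steals the token,
    sets a new password, then tries to log in. Returns True on full takeover."""
    esp = Esp()
    svc = AccountService(esp)
    svc.register("victim@example.invalid", "correct horse battery", enrol_2fa=enrol_2fa)
    svc.request_reset("victim@example.invalid")       # "forgot password" from the login page
    _, body = esp.outbox[-1]                           # read through the compromised mailer
    token = body.split("token=")[1]
    svc.reset_password(token, "attacker-chosen")       # reset succeeds either way
    return svc.login("victim@example.invalid", "attacker-chosen")  # no TOTP available


def owner_login_with_2fa() -> bool:
    """Legitimate owner with the authenticator secret still gets in."""
    svc = AccountService(Esp())
    acct = svc.register("owner@example.invalid", "correct horse battery", enrol_2fa=True)
    now = 1_700_000_000
    return svc.login("owner@example.invalid", "correct horse battery",
                     totp(acct.totp_secret, now), now=now)


if __name__ == "__main__":
    print("password-only account taken over:", simulate_attack(enrol_2fa=False))
    print("2FA account taken over:          ", simulate_attack(enrol_2fa=True))
    print("owner with 2FA can log in:       ", owner_login_with_2fa())
```

Note that the reset itself still succeeds in both cases; what 2FA changes is that possession of the mailer’s outbox no longer equals possession of the account, which is why a second factor delivered out of band (an authenticator app rather than a code sent through the same email provider) matters here.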
“The ecosystem is fragile and chains of trust, when broken, can have significant downstream consequences,” Healy said.
News of the Mailchimp breach comes shortly after the encrypted messaging app Signal said it was affected by the recent breach at Twilio, a provider of SMS and voice communications. Signal said the attackers gained access to the phone numbers and SMS verification codes of 1,900 users.