On August 8, the company discovered that its Mailchimp account had been compromised as part of what “we suspect to be a wider Mailchimp security incident that affected their customers, targeted at crypto and blockchain”, said DigitalOcean’s head of security Tyler Healy.
MailChimp Security Breach
According to a recent blog post from DigitalOcean, transactional emails from the platform, delivered through Mailchimp, stopped reaching DigitalOcean customers’ inboxes. This was observed during an internal test run by its engineering teams.
It was also found that the Mailchimp account had been suspended, leaving DigitalOcean with no access, and no other information was provided by Mailchimp. As a result, DigitalOcean customers’ email confirmations, password resets, email-based product health alerts, and dozens of other transactional emails were not reaching their destination.
“One of the first discoveries was a non-DigitalOcean email address that appeared on a regular email from Mailchimp on August 7th. The [@]arxxwalls.com email was not there on a similar Mailchimp email on August 6th. This led us to strongly believe our Mailchimp account was compromised”, according to DigitalOcean.
After identifying the issue, DigitalOcean started reaching out to Mailchimp through support channels. The company says it received the first actionable response on August 10th, together with a conversation with the Mailchimp/Intuit Legal team to understand the impact of the incident.
DigitalOcean said it understands that an attacker “compromised Mailchimp internal tooling.” The attackers then used the stolen customer email addresses to try to gain access to DigitalOcean accounts by performing password resets. Internal logging identified the attacker IP address x.213.155.164.
The company confirmed that a small number of DigitalOcean accounts were targeted by malicious password resets, although not all of the resets were successful. DigitalOcean has migrated critical services away from Mailchimp to another email service provider, and critical transactional emails are back online.
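The two signals described above, an unexpected address appearing on a routine provider notification and a run of password resets driven from a single source IP, are both things a defender can check for in their own data. The following is an added example written for this article, not code from DigitalOcean, Mailchimp or the blog post; the allowlisted domains, log line format, IP addresses, account names and thresholds are all constructed for illustration.

```python
"""Two lightweight detections for the email-provider compromise pattern above.

1. check_notification_recipients(): compare the recipient addresses on a
   routine provider notification against an allowlist of expected domains
   and return any address that does not belong there.
2. find_reset_bursts(): scan password-reset request log lines and flag any
   source IP that requests resets for many distinct accounts within a short
   window.

Everything below (domains, log lines, IPs, thresholds) is constructed sample
data for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from email.utils import getaddresses

# Constructed allowlist: domains that legitimately receive the account's
# provider notifications.
EXPECTED_DOMAINS = {"example-cloud.test", "mailprovider.test"}


def check_notification_recipients(header_value, expected_domains=EXPECTED_DOMAINS):
    """Return recipient addresses (from a raw To:/Cc: header value) whose
    domain is not in expected_domains."""
    unexpected = []
    for _name, addr in getaddresses([header_value]):
        addr = addr.strip().lower()
        if "@" not in addr:
            continue
        domain = addr.rsplit("@", 1)[1]
        if domain not in expected_domains:
            unexpected.append(addr)
    return unexpected


# Constructed password-reset request log: timestamp, source IP, target account.
SAMPLE_RESET_LOG = """\
2022-08-08T02:14:01Z reset_requested ip=203.0.113.7 account=alice@customer-a.test
2022-08-08T02:14:03Z reset_requested ip=203.0.113.7 account=bob@customer-b.test
2022-08-08T02:14:05Z reset_requested ip=203.0.113.7 account=carol@customer-c.test
2022-08-08T02:14:09Z reset_requested ip=203.0.113.7 account=dave@customer-d.test
2022-08-08T02:14:12Z reset_requested ip=203.0.113.7 account=erin@customer-e.test
2022-08-08T03:40:00Z reset_requested ip=198.51.100.20 account=frank@customer-f.test
2022-08-08T09:12:44Z reset_requested ip=198.51.100.21 account=frank@customer-f.test
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) reset_requested ip=(?P<ip>\S+) account=(?P<acct>\S+)$"
)


def parse_reset_log(text):
    """Parse the constructed log format into (timestamp, ip, account) tuples,
    skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["acct"].lower()))
    return events


def find_reset_bursts(events, window=timedelta(minutes=10), min_accounts=3):
    """Return {ip: sorted distinct accounts} for every source IP that requested
    resets for at least min_accounts distinct accounts inside any time window
    of length `window`."""
    by_ip = defaultdict(list)
    for ts, ip, acct in events:
        by_ip[ip].append((ts, acct))

    flagged = {}
    for ip, items in by_ip.items():
        items.sort()
        start = 0
        # Sliding window over this IP's events, counting distinct accounts.
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            accounts = {acct for _, acct in items[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged.setdefault(ip, set()).update(accounts)
    return {ip: sorted(accts) for ip, accts in flagged.items()}


if __name__ == "__main__":
    header = "ops@example-cloud.test, Billing <billing@example-cloud.test>, someone@attacker-domain.test"
    print("unexpected recipients:", check_notification_recipients(header))
    print("reset bursts:", find_reset_bursts(parse_reset_log(SAMPLE_RESET_LOG)))
```

In practice the recipient check runs over the stored copies of provider notifications (or the provider's own audit feed) and the burst detector over the application's authentication logs; the single-account retries from two different IPs in the sample are deliberately left unflagged so the threshold only fires on the many-accounts-from-one-source pattern the article describes.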
“In response to a recent attack targeting Mailchimp’s crypto-related users, we’ve taken proactive measures to temporarily suspend account access for accounts where we detected suspicious activity while we investigate the incident further,” reads the advisory from MailChimp.
Finally, DigitalOcean says that two-factor authentication saved a handful of customers targeted by the attacker from complete account compromise.
As a result, the company decided to assess enabling two-factor authentication by default for all DigitalOcean customer accounts. It is recommended to enable 2FA on your account.
“We recently experienced a security incident in which unauthorized actors targeted Mailchimp’s crypto-related users by employing sophisticated phishing and social engineering tactics. Based on our investigation to date, it appears that 214 Mailchimp accounts were affected by the incident.” – MailChimp.