DigitalOcean Suspects Mailchimp Hack in Account TakeoverVictim Emails Exposed in Third-Party Data Breach Involving Mailchimp
Attackers are attempting to reset the passwords of some DigitalOcean customers, the cloud infrastructure provider says. Email addresses of these customers were exposed in a data breach involving Mailchimp, which provided transactional email services to DigitalOcean.
Timeline of Events
DigitalOcean says Mailchimp suspended its account on Aug. 8 without notice, citing "terms of service violation." The move affected email confirmations, password reset requests, email-based alerts and other transactional email services, DigitalOcean says.
The same day, DigitalOcean's security team learned that a customer’s password had been reset without authorization. The company says it secured the account and also found the IP address -
x.213.155.164 - the attacker used to send the reset request.
A deeper probe revealed that attackers had attempted to reset other accounts in a similar fashion. But the attackers were unsuccessful in their attempt, as all the targeted accounts were secured with two-factor authentication, DigitalOcean says. The attacker "did not attempt to complete second factor," it says. The company did not specify the number of accounts targeted.
The Mailchimp Connection
On Aug. 10, two days after the suspension of Mailchimp's services, Mailchimp notified DigitalOcean about a data breach. "We were formally notified on August 10 by Mailchimp of the unauthorized access to our and other accounts by what we understand to be an attacker who had compromised Mailchimp internal tooling," DigitalOcean says.
Mailchimp did not respond to Information Security Media Group's request for details about other companies that may have been affected by the data breach.
Cryptocurrency hard wallet provider Trezor was the victim of a similar compromise involving Mailchimp in April, when attackers accessed 319 Mailchimp accounts, exporting 102 of them from the company servers. At that time, Mailchimp CISO Siobhan Smyth told ISMG the breach had targeted customers in the cryptocurrency and finance industries (see: Targeted Mailchimp Breach Affects Trezor Crypto Customers).
Another factor that hinted at Mailchimp's involvement in the latest incident was the addition of an irregular domain in Mailchimp's emails on Aug. 7. DigitalOcean's security team found an irregular email address, with
@arxxwalls.com domain added in the emails sent by Mailchimp to its customers. This code was not present in emails the company sent the day before, prompting DigitalOcean to "strongly believe" that its Mailchimp account had been compromised.
ISMG found that the
arxxwalls.com domain directs users to a webpage where the owner claims that it is a public email service that does not "engage in illegal activities." The message on the website asks users to ban the IP address from which malicious requests are being sent instead of the domain name.
DigitalOcean says the incident underscores the need to design threat models and have security visibility into its third-party SaaS and PaaS environments.
The company says its business continuity plan needs to account for downtime from third parties. "Modeling loss of services where we rely on third parties can be improved," DigitalOcean says.
A majority of cloud applications do not support identity standards, making them "unmanageable," says Matt Chiodi, chief trust officer at security startup Cerby and a former chief security officer of cloud at Palo Alto Networks. The problem is that every enterprise has this type of applications, but security teams are unaware of the risks associated with them, he says.
"Instead of going after legacy applications, criminals take the backdoor route of cloud applications that lack compliance to even common security standards. This is akin to securing the front door and leaving the back door wide open," Chiodi tells ISMG.
DigitalOcean is also exploring implementing a default two-factor authentication service for all its customers, as the accounts with this security layer were protected from compromise in the latest incident.