Mailchimp was hacked again, exposing DigitalOcean customer's email

[Dave1]

Mailchimp again was hacked, exposing DigitalOcean customer's email address,

At Mailchimp, the security of our users’ data is our top priority.

Across the tech industry, malicious actors are increasingly deploying an array of sophisticated phishing and social engineering tactics targeting data and information from crypto-related companies. In response to a recent attack targeting Mailchimp’s crypto-related users, we’ve taken proactive measures to temporarily suspend account access for accounts where we detected suspicious activity while we investigate the incident further. We took this action to protect our users’ data, and then acted quickly to notify all primary contacts of impacted accounts and implement an additional set of enhanced security measures. We did not suspend accounts based on their industry, and we are committed to continuing to serve crypto companies. We are reviewing our Standard Terms of Use and Acceptable Use Policy in light of our commitment to bringing innovative crypto solutions to our customers.

We realize this may have caused uncertainty for our crypto-related users and their customers and apologize for the disruption. We are continuing our investigation and proactively providing impacted users with timely and accurate information throughout the process.

https://mailchimp.com/august-2022-security-incident/

And as per DigitalOcean,

- On August 8th, DigitalOcean discovered that our Mailchimp account had been compromised as part of what we suspect to be a wider Mailchimp security incident that affected their customers, targeted at crypto and blockchain.
- From that Mailchimp incident, we suspect certain DigitalOcean customer email addresses may have been exposed. Out of an abundance of caution, we are currently sending email communications to those impacted.
-  A very small number of DigitalOcean customers experienced attempted compromise of their accounts through password resets. These customers’ accounts have been secured, and have been contacted directly.
- As of August 9th, we have migrated email services away from Mailchimp.
- No customer information other than email address was compromised, however, we recommend increased vigilance against phishing attempts in the coming weeks, in addition to enabling two-factor authentication on your DigitalOcean account.

https://www.digitalocean.com/blog/digitalocean-response-to-mailchimp-security-incident


This is not the first time that email servicing Mailchimp have been breached, April 2022, they have been compromised as well,



https://twitter.com/Trezor/status/1510558771944333312

And so the attack on mailing services have been increasing this last couple of months and the hackers getting most of crypto related emails. And this could be another 1 -> end customer.

DigitalOcean for example have notified their users that there could be phishing attacks in the coming weeks as a result of this.

[1715553498]

1715553498

[1715553498]

1715553498

[DdmrDdmr]

Here we go again, with yet another mailmarketing platform to be breached in recent times. There is yet no apparent reference to the amount of crypto related companies affected, nor the extend of the breached data. DigitalOcean claims that, in their case, it was "only" the email, but it’s never just that really. At the bare minimum, the fact that the breached emails belong are customers/prospects for a certain company and/or industry is a big added value for phishing purposes.

Prior to Mailchimp’s statement, those crypto companies that were finding their account inaccessible thought it was an arbitrary action on Mailchimp’s behalf against their crypto clients, and so the media played along with this idea. Now they are selling it as a preventive action (probably more on the post event than on the pre event side of things).

Anecdotally (or not), their Acceptable Use Policy went from (2018,when crypto clause was introduced):

Some industries have higher-than-average abuse complaints, which can jeopardize the deliverability of our entire system. Nothing personal, but in order to maintain the highest delivery rates possible for all our customers, we can’t allow businesses that offer these types of services, products, or content:

<…> Also, we cannot allow businesses involved in any aspect of the sale, transaction, exchange, storage, marketing or production of cryptocurrencies, virtual currencies, and any digital assets related to an Initial Coin Offering, to use MailChimp to facilitate or support any of those activities.

See: https://web.archive.org/web/20180329173005/https://mailchimp.com/legal/acceptable_use/


To (as seen on the 15/08/2022):

Some industries have higher-than-average abuse complaints, which can jeopardize deliverability. In order to maintain the reliability of our platform, we do not allow businesses that offer these types of services, products, or content:

<…> Cryptocurrencies, virtual currencies, and any digital assets related to an Initial Coin Offering

https://web.archive.org/web/20220815080850/https://mailchimp.com/legal/acceptable_use/


Through to their current (set on the 16/08/2022: https://web.archive.org/web/20220816085119/https://mailchimp.com/legal/acceptable_use):

Some industries have higher-than-average abuse complaints, which can jeopardize deliverability. In order to maintain the reliability of our platform, we may not allow businesses that offer these types of services, products, or content:

<…> Cryptocurrencies, virtual currencies, and any digital assets related to an Initial Coin Offering

Edit:
Allegedly, 214 Mailchimp accounts (companies) afected
See: https://www.techtarget.com/searchsecurity/news/252523911/Mailchimp-suffers-second-breach-in-4-months

[hugeblack]

Unfortunately, the customer is the only one affected, so the company’s reputation will increase in the future if the management of economic affairs is well done, because people forget quickly, but I am surprised that the work data is considered so easy, and no person is compensated for damage, and therefore if internal parties hack, no one will ask them.

Also, the reliance of services on third-party applications in providing some of their services wastes accounting efforts and makes this data vulnerable to reading by several other third parties (may be governmental or otherwise).

In general, you should avoid all messages received in your e-mail, except from trusted parties.

[mk4]

There's this quote by Robert S. Mueller: “There are only two types of companies: Those that have been hacked and those that will be hacked.”

While some platforms are far more secure than others hence will take far longer times for a breach to occur, yea, the smaller fish will be breached a lot sooner — like this one.

While it's impossible to not have personal data in today's world, it's your job to make sure you have as much less personal information over the web. Though fortunately in this case it seems like they're confident enough that it's just emails.

[Maus0728]

That's why it's best to use email aliases when signing up/giving an email to any services you used especially when you are buying any crypto related products.

That way, you have more control over the emails being sent to you as you have the option to disable that specific alias, and obfuscate your real email in case hack like this happened.

[hd49728]

It is easy for them to say sorry after any compromise but users bear personal data loss forever.

I don't use same email for different important platforms. If a platform is compromised, only that email is exposed and it is not connected to other personal information.

On another important platform for me to use, I use another email to register account there.

I never save personal information, password, self fie photos ie. in any email or cloud. If I save them digitally, it will be saved on my device.

[Plaguedeath]

That's why it's best to use email aliases when signing up/giving an email to any services you used especially when you are buying any crypto related products.

That way, you have more control over the emails being sent to you as you have the option to disable that specific alias, and obfuscate your real email in case hack like this happened.

AFAIK some third party ask the real or personal email of the owner, not the alias or business email. This is mean they have no choice either follow the exchanges or accept the risk, if the exchanges track the email with the real name, then they might freeze the clients money.

Though I can't search about an accusation related to this case for back up my words.

[DdmrDdmr]

What beats me is how long it takes to get corporate client names around, besides a sparse one here or there that crops-up after a few days. I mean Mailchimp’s hack/leak was essentially sized-up around the 12/08/2022 at the latest, as per this released information. Today is the 19th, and we’re yet to see corporate names pouring-in, besides the known few.

Presumably, we’re talking about 214 affected corporations on this occasion, and although it will down to these companies to communicate the events to their in turn affected customers/leads, being prompt is essential to minimize potential phishing damages. One would have expected that, by now, plenty more corporate names would be known, had they moved to action to communicate with those affected.

[PX-Z]

Looks like we are in an era where privacy is endangered more than anything else particularly this digital era lol. And seems like data privacy protection should be prioritized first together the full control of someone's money.

There should some cryptographic service/ways to handles this kind of problems especially privacy protection.

[NotATether]

Presumably, were talking about 214 affected corporations

Quite thankfully, I am not one of them: I stopped using Mailchimp a long time ago, but for a different reason (practically zero conversion rate).

[Outhue]

I want to ask a security question, if a Mailchimp user get 2FA activated wouldn't the hackers need the code to get through?... I think email users should activate 2fa for their accounts to add an extra security layer.

[noorman0]

I want to ask a security question, if a Mailchimp user get 2FA activated wouldn't the hackers need the code to get through?... I think email users should activate 2fa for their accounts to add an extra security layer.

The authentication feature can be activated by several methods and each has its drawbacks, and especially users who are not very protective of their devices will only use the most flexible methods such as 2fa via phone numbers which actually places their risk even higher. There are at least 6 ways how 2fa can be bypassed according to this article

[vv181]

I want to ask a security question, if a Mailchimp user get 2FA activated wouldn't the hackers need the code to get through?... I think email users should activate 2fa for their accounts to add an extra security layer.

Yes, they can't log in without the 2FA. But this issue isn't breached via the login system, and surely a company like DigitalOcean have known better about it.

We were formally notified on August 10th by Mailchimp of the unauthorized access to our and other accounts by what we understand to be an attacker who had compromised Mailchimp internal tooling.

In another hand, the compromised DigitalOcean users' email who uses 2FA, got their account secured from takeover attempts.

[DdmrDdmr]

I want to ask a security question, if a Mailchimp user get 2FA activated wouldn't the hackers need the code to get through?... I think email users should activate 2fa for their accounts to add an extra security layer.

If by user you mean end-user, like you and me, then having 2FA on our personal email has nothing to do with this incident really. Where 2FA does provide some further security, whilst not being invulnerable, is if was added to Mailchip’s corporate customer’s accounts.

Say you and me were amongst DigitalOcean’s customers. Our contact information would be likely stored somewhere at DigitalOcean, and again at Mailchimp in order to carry out DigitalOcean’s email marketing campaigns or such.

Now if you and me have 2FA on our email account won’t manage to contribute anything towards our data being leaked from Mailchimp, nor receiving potential phishing emails. What does make it more difficult is for hackers to access DigitalOcean’s account on Mailchimp, were 2FA to be set by DigitalOcean on their Mailchimp account.

… Nevertheless … if we are talking about some hacker that managed to obtain access to a Mailchimp’s employee’s account, as seems to be the case, we may presume that the employee’s account could have privilages to access data for Mailchimp’s corporate accounts (i.e. DigitalOcean), with disregard to them (DigitalOcean) having 2FA on or off on their account. Afterall, support tends to need to look into customer’s data and configuration, and it would seem weird that they were impeded because of a customer 2FA setting. This is my speculation, but seemingly reasonable.

What could have helped is for employee accounts themselves to have 2FA access to the Mailchimp’s overall system, and to be required to connect through a VPN from a fixed set of firewall approved IPs (perhaps with 2FA on the VPN login itself).