Digital Ocean Indirectly Pwned In Attack On Mailchimp

Digital Ocean says some customer email addresses were exposed due to a recent ‘Security incident’ at email marketing company Mailchimp.

  • On August 8th, DigitalOcean discovered that our Mailchimp account had been compromised as part of what we suspect to be a wider Mailchimp security incident that affected their customers, targeted at crypto and blockchain. 
  • From that Mailchimp incident, we suspect certain DigitalOcean customer email addresses may have been exposed. Out of an abundance of caution, we are currently sending email communications to those impacted. 
  • A very small number of DigitalOcean customers experienced attempted compromise of their accounts through password resets. These customers’ accounts have been secured, and have been contacted directly. 
  • As of August 9th, we have migrated email services away from Mailchimp. 
  • No customer information other than email address was compromised; however, we recommend increased vigilance against phishing attempts in the coming weeks, in addition to enabling two-factor authentication on your DigitalOcean account.

Charming. This is similar to the Toronto Symphony Orchestra ransomware hack from a couple of weeks ago, in that this too was a supply chain attack: the victim was compromised not directly, but through a third-party service it relied on.

Mark Bower, VP of Product, Anjuna Security:

“There are three things attackers go for – credentials, code and keys, irrespective of platform or architecture. From there, it’s access to sensitive data, sometimes en masse and catastrophic. The first is the human problem and the easy button for attackers, with trusted email being a great place to start to obtain escalated privilege and control, as in this case. But businesses have to look out for insider risk and also get past the unsustainable patch sprints that leave systems open to compromise, like Log4J did to the industry. Escalated privilege – from insiders, attacks, or vulns – leaves a massive gap in defenses: operating memory data theft has been missing from risk conversations because it’s not been easy to protect until the arrival of new techniques like confidential computing. With more and more data staying persistent in memory for speed, cloud latency reduction and scaling, it’s becoming a considerable risk – mitigations must therefore include it today and on CISOs’ near-term roadmaps.”

Taken together with the indirect attack on the TSO, this hack should send companies a clear message: they have to assess their attack surface, including the third-party services they use, and understand what risks those services bring. That way they can take steps to make sure they don’t get pwned, directly or indirectly.
