MailChimp Hit With Data Breach. Digital Ocean Drops MailChimp in Response

There’s fallout from a recent data breach that hit MailChimp. Digital Ocean has now dropped them as a vendor.

MailChimp has suffered a major data breach. Details were scarce for a while, but apparently a hacker had obtained access to internal tooling. Reports indicate this isn’t the first time MailChimp was hit with a breach, either. From TechTarget:

Mailchimp suffered another data breach earlier this month, and this one cost it a client.

In a statement Friday, Mailchimp disclosed that a security incident involving phishing and social engineering tactics had targeted cryptocurrency and blockchain companies using the email marketing platform. It was the second Mailchimp breach to target cryptocurrency customers in a four-month span.

The breach apparently started to impact customers who use Digital Ocean. Reports started coming in of passwords being reset without authorization. From BleepingComputer:

DigitalOcean is warning customers that a recent MailChimp security breach exposed the email addresses of some customers, with a small number receiving unauthorized password resets.

The company says they first learned of the breach after MailChimp disabled their account without warning on August 8th. DigitalOcean used this MailChimp account to send email confirmations, password reset notifications, and alerts to customers.

DigitalOcean says that on the same day, a customer notified their cybersecurity team that their password was reset without authorization.

After an investigation, they found an unauthorized email address from the domain was added to their MailChimp account and used in emails starting on August 7th.

Believing that their MailChimp account was breached, DigitalOcean says they reached out to the company but didn’t hear back until August 10th, when they learned that a hacker had gained access to MailChimp’s internal support tools.

It seems that the incident was enough for Digital Ocean. In a follow-up story, the company says that it has dropped MailChimp after what happened. From The Register:

In Digital Ocean’s telling of the tale, it took two days before Mailchimp started talking – and involved its lawyers because the email company admitted to “unauthorized access to our [Digital Ocean’s] and other accounts by what we understand to be an attacker who had compromised Mailchimp internal tooling.”

While Mailchimp was figuring that out, Digital Ocean “decided to immediately migrate critical services away from Mailchimp to another email service provider.” The cloud provider was up and running with another email provider by 11pm ET August 9th.

Digital Ocean has vowed to learn from the experience by implementing two factor authentication more widely, and improving “threat models and security visibility” for its SaaS and PaaS providers so it can better understand how third parties can impact its reliability regimes.

A “very small” number of DigitalOcean customers “may have experienced attempted compromise of their accounts through password resets.” Those customers’ accounts have been secured, and the customers contacted.

One thing is for sure: the chain of events is quite damaging. The lack of communication, the hack taking place in the first place, and an increasingly worrying track record all don’t bode well for MailChimp’s reputation. Given what we know, it’s probably not a surprise that MailChimp was dropped.

It’s going to take a lot for MailChimp to recover from this – if they recover at all. There’s no question that there were missteps along the way to get to this point. It was bad enough that their internal tools were compromised. It’s even worse that there was such a lapse in communication on top of it all. That’s gotta hurt.

Drew Wilson on Twitter: @icecube85 and Facebook.
