DigitalOcean says customer email addresses were exposed after latest Mailchimp breach

Cloud giant DigitalOcean says that some customers’ email addresses were exposed because of a recent “security incident” at email marketing company Mailchimp.

In a scant blog post dated August 12, just two days after the company’s co-founder and long-time CEO Ben Chestnut stepped down, Mailchimp said a recent but undated attack saw threat actors targeting data and information from “crypto-related companies” using phishing and social engineering tactics. Mailchimp hasn’t yet shared any further details about the incident — or responded to TechCrunch’s questions — just months after hackers compromised an internal Mailchimp tool to access information on 300 accounts.

While Mailchimp is keeping quiet, DigitalOcean is not, after confirming it also fell victim to the attack.

In a blog post, DigitalOcean’s head of security Tyler Healy said the company discovered its Mailchimp account was compromised on August 8 after finding its emails, like account confirmations and password resets delivered via Mailchimp, stopped reaching its customers. Its investigation found that DigitalOcean’s Mailchimp account was suspended without warning or explanation. An automated email from Mailchimp said the account had been temporarily disabled due to a “terms of service” violation. Mailchimp sent the same message to others working in the crypto industry, fueling speculation that the company had dropped crypto content creators from its service.

At the same time, Healy says DigitalOcean’s security team was made aware by one of its customers who claimed their password was reset without their consent.

DigitalOcean says it took two days for the company to receive a response from Mailchimp, confirming on August 10 that DigitalOcean’s account was compromised and that Mailchimp suspended the account as a result. DigitalOcean said it understands that an attacker “compromised Mailchimp internal tooling.”

Healy said a “very small number” of DigitalOcean customers experienced an attempted compromise of their accounts through password resets. TechCrunch asked DigitalOcean how many users were affected but has yet to receive a response.

In its short explanation of the incident, Mailchimp says it took “proactive measures to temporarily suspend account access for accounts where we detected suspicious activity while we investigate the incident further,” adding: “We took this action to protect our users’ data, and then acted quickly to notify all primary contacts of impacted accounts and implement an additional set of enhanced security measures.”

In an email sent to one affected customer that TechCrunch has seen, Mailchimp said it became aware of “potential unauthorized activity” in the user’s account and advises “letting your contacts know they should be extra vigilant about any phishing attacks that appear to come from your company or company’s account.”

Mailchimp said it has notified affected customers directly. DigitalOcean said it has migrated its email service away from Mailchimp.

DigitalOcean noted that the use of two-factor authentication saved a handful of customers targeted by the attacker from complete account compromise and, as such, the company is planning to implement two-factor security by default for all DigitalOcean accounts.
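The reason a second factor blunted this attack is worth seeing in code: when the email provider that delivers password-reset links is compromised, the reset token alone must not be enough to take over an account. The following is an added example, not code from DigitalOcean, Mailchimp or the original article. The account store, the `PasswordResetService` class and its result strings are hypothetical; the TOTP implementation follows RFC 6238 (HMAC-SHA1, 30-second step) and the secret `12345678901234567890` is that RFC's published test-vector key, used here so the codes are deterministic.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional, Tuple


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time (defaults to now)."""
    now = time.time() if for_time is None else for_time
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # RFC 4226 dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp_matches(secret: bytes, code: str, for_time: Optional[float] = None,
                 step: int = 30, window: int = 1) -> bool:
    """Constant-time compare against the current step and +/- `window` steps (clock drift)."""
    now = time.time() if for_time is None else for_time
    return any(hmac.compare_digest(totp(secret, now + k * step, step), code)
               for k in range(-window, window + 1))


class Account:
    """Hypothetical account record; the password is kept in plaintext only for brevity."""
    def __init__(self, email: str, password: str, totp_secret: Optional[bytes] = None):
        self.email = email
        self.password = password
        self.totp_secret = totp_secret   # None means the user never enrolled a second factor


class PasswordResetService:
    """Hypothetical reset flow. The token is exactly what a mail provider would deliver."""
    TOKEN_TTL = 15 * 60  # seconds

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.pending: Dict[str, Tuple[str, float]] = {}   # token -> (email, expiry)

    def register(self, account: Account) -> None:
        self.accounts[account.email] = account

    def request_reset(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a single-use reset token. In production it is emailed; here it is returned
        so the example can model an attacker who can read the provider's outbound mail."""
        if email not in self.accounts:
            return None
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self.pending[token] = (email, now + self.TOKEN_TTL)
        return token

    def complete_reset(self, token: str, new_password: str, totp_code: Optional[str] = None,
                       now: Optional[float] = None) -> str:
        """Possessing the emailed token is necessary but, with 2FA enrolled, not sufficient."""
        now = time.time() if now is None else now
        entry = self.pending.get(token)
        if entry is None:
            return "invalid-token"
        email, expiry = entry
        if now > expiry:
            del self.pending[token]
            return "expired-token"
        account = self.accounts[email]
        if account.totp_secret is not None:
            if totp_code is None or not totp_matches(account.totp_secret, totp_code, now):
                return "second-factor-required"   # token stays pending for the real owner
        del self.pending[token]
        account.password = new_password
        return "ok"


def demo() -> Dict[str, str]:
    """Model the incident: reset emails for both users pass through a compromised provider."""
    rfc_secret = b"12345678901234567890"   # RFC 6238 test-vector key, constructed input
    svc = PasswordResetService()
    svc.register(Account("nomfa@example.com", "old-pw"))
    svc.register(Account("mfa@example.com", "old-pw", totp_secret=rfc_secret))
    t = 59.0   # fixed clock (RFC 6238 test time) so the expected codes are known
    results: Dict[str, str] = {}
    # Whoever reads the provider's outbound mail holds both reset tokens.
    tok_nomfa = svc.request_reset("nomfa@example.com", now=t)
    results["no_2fa"] = svc.complete_reset(tok_nomfa, "new-pw", now=t)
    tok_mfa = svc.request_reset("mfa@example.com", now=t)
    results["2fa_no_code"] = svc.complete_reset(tok_mfa, "new-pw", now=t)
    results["2fa_wrong_code"] = svc.complete_reset(tok_mfa, "new-pw", totp_code="000000", now=t)
    # Only the account owner, holding the authenticator, can finish the same reset.
    results["2fa_owner"] = svc.complete_reset(tok_mfa, "owner-pw", totp_code=totp(rfc_secret, t), now=t)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Run directly, the demo shows the account without a second factor being taken over with the emailed token alone, while the enrolled account refuses the reset without a valid code. This is the property behind DigitalOcean's decision to turn on two-factor authentication by default: it moves the reset flow's trust anchor off the email channel that a third-party provider controls.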

“The ecosystem is fragile, and chains of trust, when broken, can have significant downstream consequences,” said Healy.

News of Mailchimp’s breach lands not long after encrypted messaging app Signal said it was affected by the recent breach of Twilio, a provider of SMS and voice communications. Signal said attackers accessed phone numbers and SMS verification codes for 1,900 users.

Read more:

Twilio hacked by phishing campaign targeting internet companies
Signal says 1,900 users’ phone numbers exposed by Twilio breach
How two-factor authentication can protect you from account hacks
