DigitalOcean Customer Data Leaked in Mailchimp Breach


Cloud computing company DigitalOcean announced on Monday that the email addresses of some of its customers may have been exposed after its email services provider, Mailchimp, suffered a data breach earlier this month.

DigitalOcean said it has secured the compromised accounts and notified the affected customers. Nonetheless, the company cautioned its customers to be on high alert for potential phishing attacks in the coming weeks.

Earlier this month, Mailchimp released a statement regarding a “security incident.” While the company hinted that the phishing attack specifically targeted “crypto-related users,” it did not provide further details about the extent of the breach and how the attackers gained access to its systems.

Mailchimp said it temporarily suspended some accounts after noticing “suspicious activity” and is investigating the incident.

“We realize this may have caused uncertainty for our crypto-related users and their customers and apologize for the disruption,” Mailchimp said in a statement. “We are continuing our investigation and proactively providing impacted users with timely and accurate information throughout the process.”

This is the second high-profile social engineering attack targeting Mailchimp this year. In March, a malicious actor breached the platform and accessed customer accounts. Shortly after the incident, Trezor, a Mailchimp customer, reported that its users received malicious emails directing them to install a fake Trezor Suite.

Mailchimp Suspended DigitalOcean’s Account Without Warning

DigitalOcean said it found that its Mailchimp account was suspended on August 8 after transactional emails — sent via Mailchimp — stopped reaching its customers.

“For DigitalOcean, and our customers, this meant email confirmations, password resets, email-based alerts for product health, and dozens of other transactional emails were not reaching their destination,” DigitalOcean said in a blog post.

On the same day, a customer contacted DigitalOcean’s Security Operations team, claiming their password was reset without their consent. Suspecting a connection between the suspended Mailchimp account and the customer’s complaint, DigitalOcean launched an investigation into the incident.

During its investigation, the company’s security team discovered a non-DigitalOcean email address in a “regular email from Mailchimp on August 7th.”

The domain name linked to the suspicious email address — @arxxwalls.com — is used for “callback” phishing attacks, according to Bleeping Computer. Using this domain, scammers reportedly send their targets phishing emails pretending to be from an antivirus company. The goal is to get their targets to call a listed number and coerce them into divulging sensitive information during the call.

Usually, these phishing emails state that the user must act quickly to stop a fraudulent transaction or to resolve a cybersecurity emergency. We have reported on a similar scam where malicious actors impersonate PayPal and other renowned organizations to con their victims.

DigitalOcean Migrates to Another Email Service Provider

DigitalOcean said it did not receive any prior notice from Mailchimp regarding the suspended account. The email services provider only responded to DigitalOcean on August 10 after attempts to contact them “via traditional support channels and other escalation methods.”

“We were formally notified on August 10th by Mailchimp of the unauthorized access to our and other accounts by what we understand to be an attacker who had compromised Mailchimp internal tooling,” DigitalOcean explained.

DigitalOcean said that while it investigated the incident, it decided to migrate its critical services to a different, undisclosed email service provider.

“After working around the clock, our critical transactional emails were back online with another provider at 11pm ET August 9th,” the company said.

Two-Factor Authentication Prevented Attacker From Accessing Some Accounts

DigitalOcean’s investigation shows that the attack originated from a single IP address — x.213.155.164. The attacker initiated password resets for a number of DigitalOcean accounts. Although the threat actor successfully changed the passwords of several accounts, they could not access accounts protected by two-factor authentication.

In the aftermath of this incident, DigitalOcean has encouraged all its customers to enable two-factor authentication on their accounts.
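As an added illustration (not part of the original article and not DigitalOcean’s own tooling), here is a small detection routine run over constructed log lines that flags the pattern described above: many password-reset requests for distinct accounts from a single source IP within a short window, followed by a list of which of those accounts had no second factor. The log field names, the threshold and the sample IP addresses are assumptions.

```python
# Added example (not from the article): flag bursts of password-reset
# requests from one source IP, then list which of those accounts lacked 2FA.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; 203.0.113.5 is a documentation-range
# placeholder, not the redacted address quoted in the article.
SAMPLE_LOG = """\
2022-08-08T02:11:03Z password_reset_requested user=alice src=203.0.113.5
2022-08-08T02:11:09Z password_reset_requested user=bob src=203.0.113.5
2022-08-08T02:11:15Z password_reset_requested user=carol src=203.0.113.5
2022-08-08T02:11:40Z password_reset_requested user=dave src=203.0.113.5
2022-08-08T02:12:02Z password_reset_requested user=erin src=203.0.113.5
2022-08-08T09:45:00Z password_reset_requested user=frank src=198.51.100.7
"""
# Constructed: which sample accounts have two-factor authentication on.
TWO_FACTOR_ENABLED = {"alice": True, "bob": False, "carol": True,
                      "dave": False, "erin": False, "frank": True}

def parse_line(line):
    ts, event, user_kv, src_kv = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])

def reset_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """{src_ip: [users]} for IPs requesting resets for at least
    `threshold` distinct accounts inside one `window`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ts, event, user, src = parse_line(line)
        if event == "password_reset_requested":
            by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0  # sliding window over the time-sorted events
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= threshold:
                flagged[src] = sorted(users)
                break
    return flagged

def exposed_accounts(flagged, two_factor):
    """Accounts in a flagged burst with no second factor to stop a takeover."""
    return sorted(u for users in flagged.values() for u in users
                  if not two_factor.get(u, False))
```

Running `reset_bursts(SAMPLE_LOG)` flags only the burst source, and `exposed_accounts` narrows the follow-up to the accounts that a changed password alone would have handed over.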

“Additionally, related but not as a direct result of this incident, we are evaluating two-factor authentication on-by-default for all DigitalOcean customer accounts,” DigitalOcean noted.

Using a secure password is simply not enough anymore. Most online services recommend users activate two-factor authentication to add a second layer of security to their accounts. To learn about the importance of this authentication method, check out our article on two-factor authentication.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.