New MailChimp breach exposed DigitalOcean customer email addresses (2024)

DigitalOcean is warning customers that a recent MailChimp security breach exposed the email addresses of some customers, with a small number receiving unauthorized password resets.

The company says they first learned of the breach after MailChimp disabled their account without warning on August 8th. DigitalOcean used this MailChimp account to send email confirmations, password reset notifications, and alerts to customers.

DigitalOcean says that on the same day, a customer notified their cybersecurity team that their password was reset without authorization.

After an investigation, they found an unauthorized email address from the @arxxwalls.com domain was added to their MailChimp account and used in emails starting on August 7th.

Believing that their MailChimp account was breached, DigitalOcean says they reached out to the company but didn't hear back until August 10th, when they learned that a hacker had gained access to MailChimp's internal support tools.

"We were formally notified on August 10th by Mailchimp of the unauthorized access to our and other accounts by what we understand to be an attacker who had compromised Mailchimp internal tooling," explains a security advisory from DigitalOcean.

Further investigation showed that the threat actor used the stolen customer email addresses to try to gain access to DigitalOcean accounts by performing password resets. These password reset requests originated from the IP address x.213.155.164.

However, those accounts using multi-factor authentication were protected from the password reset attempts.
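As an added illustration, not code from the article or from DigitalOcean, the Python below scans constructed password-reset audit log lines for the pattern described above: one source IP requesting resets across many accounts, with only the accounts lacking MFA actually at risk. The log format, IP addresses and account names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit log (not from the article or DigitalOcean): one
# source IP requests resets for many accounts in quick succession, the pattern
# that follows a leaked mailing list. IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2022-08-08T01:02:10Z password_reset_requested account=alice@example.com ip=203.0.113.10 mfa=enabled
2022-08-08T01:02:12Z password_reset_requested account=bob@example.com ip=203.0.113.10 mfa=disabled
2022-08-08T01:02:13Z password_reset_requested account=carol@example.com ip=203.0.113.10 mfa=enabled
2022-08-08T01:02:15Z password_reset_requested account=dave@example.com ip=203.0.113.10 mfa=disabled
2022-08-08T01:05:00Z password_reset_requested account=erin@example.com ip=198.51.100.7 mfa=disabled
2022-08-08T01:06:00Z login_success account=alice@example.com ip=192.0.2.44 mfa=enabled
"""

# Assumed line format: "<timestamp> <event> account=<a> ip=<ip> mfa=<enabled|disabled>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) account=(?P<account>\S+) "
    r"ip=(?P<ip>\S+) mfa=(?P<mfa>enabled|disabled)$"
)

def parse_log(text):
    """Parse the constructed log format into dicts; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def find_reset_bursts(events, min_accounts=3):
    """Flag source IPs that requested password resets for at least
    `min_accounts` distinct accounts. For each flagged IP, also list the
    targeted accounts without MFA, since those are the ones a successful
    reset would actually hand over."""
    by_ip = defaultdict(dict)  # ip -> {account: mfa state}
    for ev in events:
        if ev["event"] == "password_reset_requested":
            by_ip[ev["ip"]][ev["account"]] = ev["mfa"]
    bursts = {}
    for ip, accounts in by_ip.items():
        if len(accounts) >= min_accounts:
            bursts[ip] = {
                "accounts": sorted(accounts),
                "exposed": sorted(a for a, mfa in accounts.items() if mfa == "disabled"),
            }
    return bursts

if __name__ == "__main__":
    for ip, info in find_reset_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {len(info['accounts'])} reset requests, "
              f"{len(info['exposed'])} accounts without MFA: {info['exposed']}")
```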

DigitalOcean has since switched to another email service provider. The company notified affected customers about the data breach yesterday.

BleepingComputer contacted DigitalOcean last night with further questions about the breach but did not receive a response.

MailChimp hacked again

As for MailChimp, a security advisory posted on August 12th does not provide much information other than saying the attack targeted crypto-related customers.

"In response to a recent attack targeting Mailchimp’s crypto-related users, we’ve taken proactive measures to temporarily suspend account access for accounts where we detected suspicious activity while we investigate the incident further," reads the short advisory from MailChimp.

"We took this action to protect our users’ data, and then acted quickly to notify all primary contacts of impacted accounts and implement an additional set of enhanced security measures."

However, in response to questions about the breach, MailChimp told BleepingComputer that they were breached through phishing and social engineering tactics that allowed the hackers to access 214 MailChimp accounts.

"We recently experienced a security incident in which unauthorized actors targeted Mailchimp’s crypto-related users by employing sophisticated phishing and social engineering tactics. Based on our investigation to date, it appears that 214 Mailchimp accounts were affected by the incident." - MailChimp.

MailChimp told us they are working to reinstate accounts and investigate the incident.

Other MailChimp customers known to have been suspended without notification are Edge Wallet, Cointelegraph, NFT creators, Ethereum FESP, Messari, and Decrypt.

MailChimp's internal support tools were also breached in April 2022 to target cryptocurrency-related customers. The audience data stolen during that breach led to a massive phishing campaign targeting Trezor hardware wallet customers.

After Cisco disclosed how hackers breached its network, in what should be a model of transparency, the silence of MailChimp's scant advisory is deafening.

The arxxwalls domain

As part of DigitalOcean's disclosure, they mention that an email address from the @arxxwalls.com domain was added as a sender to its MailChimp account.

While the owner of the arxxwalls.com domain states that it is not used for illegal activity, it has been abused by numerous scams, operators of fake companies, and phishing attacks.

Furthermore, research by BleepingComputer shows that the domain is being used for callback phishing attacks that pretend to be antivirus subscription notices.

Callback attacks are a new type of hybrid phishing seeing enormous growth that starts with an email pretending to be from a legitimate company. These emails warn recipients that they must take action to prevent a cybersecurity incident or the renewal of a grossly overpriced support/antivirus subscription.

Included in these emails is a phone number that, when called, will be used to steal information from the victim or to prompt the recipient to install remote access software on their device.

The threat actors then use this remote access to breach the victim's network, commonly to conduct data extortion or ransomware attacks.

Article information

Author: Geoffrey Lueilwitz