Mailchimp suffered another data breach earlier this month, and this one cost it a client.
In a statement Friday, Mailchimp disclosed that a security incident involving phishing and social engineering tactics had targeted cryptocurrency and blockchain companies using the email marketing platform. It was the second Mailchimp breach to target cryptocurrency customers in a four-month span.
Though Mailchimp said it has suspended accounts where suspicious activity was detected while an investigation is ongoing, it did not reveal the source of the breach or scope of the attack.
More details were provided Sunday by one of the affected customers, DigitalOcean, which cut ties with Mailchimp on Aug. 9.
The cloud hosting provider observed suspicious activity beginning Aug. 8, when threat actors used its Mailchimp account for "a small number of attempted compromises" of DigitalOcean customer accounts -- specifically cryptocurrency platforms.
While it is not clear whether any DigitalOcean accounts were compromised, the company did confirm that some email addresses were exposed. More importantly, the statement attributed a potential source of the most recent Mailchimp breach.
"We were formally notified on August 10th by Mailchimp of the unauthorized access to our and other accounts by what we understand to be an attacker who had compromised Mailchimp internal tooling," DigitalOcean wrote in a statement.
In the earlier breach, which was disclosed in April, Mailchimp CISO Siobhan Smyth said threat actors gained control of the company's internal tooling, which led the attacker to gain access to employee credentials and use the information for targeted phishing attacks of cryptocurrency platform customers.
Mailchimp sent the following statement to TechTarget Editorial regarding the latest attack:
We recently experienced a security incident in which unauthorized actors targeted Mailchimp's crypto-related users by employing sophisticated phishing and social engineering tactics. Based on our investigation to date, it appears that 214 Mailchimp accounts were affected by the incident.
In an abundance of caution, when we detect suspicious activity in our users' accounts, we take proactive steps to temporarily suspend account access. All owners of impacted accounts have been notified, and we're working diligently to reinstate accounts. We are continuing our investigation and proactively providing impacted users with timely and accurate information throughout the process.
Two-factor authentication to the rescue
During this month's attack, password resets were leveraged to compromise the DigitalOcean accounts. While some customer passwords were successfully changed, two-factor authentication prevented the threat actor from going further. The attacker did not even attempt to complete the second factor, according to the company's statement.
Cloud providers such as AWS have repeatedly pushed multifactor authentication as an essential security practice. Though DigitalOcean said no customer information other than email addresses was compromised in the attack, it is exploring on-by-default two-factor authentication for all accounts.
"Two-factor authentication saved a handful of customers targeted by the attacker from complete account compromise," the DigitalOcean statement read. "We will lean in with our customers to expand 2fa adoption."
Another weakness the incident highlighted was a reliance on third parties and the potential associated risks, such as business disruption. DigitalOcean said it needs a better plan to account for downtime from third parties. The company also pledged to improve security around third-party partners.
"The ecosystem is fragile, and chains of trust, when broken, can have significant downstream consequences," DigitalOcean said. "Our threat models and security visibility must improve in our third-party SaaS and PaaS environments."