Alex - stock.adobe.com
Namecheap email system hacked, used for phishing campaign
While the domain registrar said it was not breached directly, it did confirm its third-party email system was compromised Sunday and warned customers not to open any unauthorized emails.
Namecheap is investigating a security incident involving a phishing campaign that stemmed from a compromised email system, though the source of the breach remains unclear.
In a status update Sunday night, Namecheap confirmed its upstream email system had been hacked and warned customers of an ongoing phishing campaign. The emails appeared to be legitimate, as they were sent from Namecheap's account. The domain registrar -- which was applauded for recent security improvements -- said its own systems were not breached, however, and that products, accounts and personal information were unaffected.
Though the email gateway issue appears to be resolved, questions remain around the origin of the breach. Namecheap blamed the compromise on its third-party email system, revealed to be SendGrid, but Twilio confirmed to TechTarget Editorial its acquired email platform was not breached.
"This situation is not the result of a hack of compromise of Twilio's network," a Twilio spokesperson said in an email to TechTarget Editorial. "We are still investigating the situation and have no additional information to provide at this time."
Namecheap CEO weighs in
While the Namecheap advisory does not name the third-party email provider, Namecheap CEO Richard Kirkendall provided additional information in a series of Twitter posts starting Sunday night. Most notably, he confirmed Namecheap utilizes SendGrid email marketing services, and strongly suggested the Twilio-owned company was hacked.
Beginning Saturday, concerned users and security researchers shared screenshots on Twitter of fake DHL delivery and MetaMask cryptocurrency wallet emails using the Namecheap domain. Kirkendall replied to a high number of those posts and confirmed Namecheap was looking into the incident.
To be clear, the issue was within a 3rd party provider that we use to send our newsletter. None of our own systems or customer accounts where breached. I sent a follow up email to all users that were affected. The domains linked in the original phishing emails were also disabled.— Richard Kirkendall (@NamecheapCEO) February 13, 2023
In some of those replies, he said the recent compromise may be related to a 2022 security incident where the API keys of email marketing companies, Mailchimp, Mailgun and SendGrid were leaked. Kirkendall confirmed Namecheap shut down all SendGrid emails.
Beyond that, the advisory Sunday revealed all emails were stopped, including authorization code delivery, two-factor authentication and password reset emails. Additionally, Namecheap said it contacted its upstream provider.
"At the same time, we are also investigating the issue from our side," Namecheap wrote in the status update.
Namecheap told TechTarget Editorial it has no additional information to share at this time.
Twilio highlighted the importance of deploying two-factor authentication, IP access management and using domain-based messaging as ways to increase security and awareness around phishing emails.
Arielle Waldman is a Boston-based reporter covering enterprise security news.