
Topic: Mailchimp was hacked again, exposing DigitalOcean customer's email (Read 237 times)

legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
I want to ask a security question: if a Mailchimp user gets 2FA activated, wouldn't the hackers need the code to get through?... I think email users should activate 2FA for their accounts to add an extra security layer.
If by user you mean end-user, like you and me, then having 2FA on our personal email has nothing to do with this incident really. Where 2FA does provide some further security, whilst not being invulnerable, is if it were added to Mailchimp’s corporate customers’ accounts.

Say you and I were amongst DigitalOcean’s customers. Our contact information would likely be stored somewhere at DigitalOcean, and again at Mailchimp in order to carry out DigitalOcean’s email marketing campaigns or such.

Now, if you and I have 2FA on our email accounts, that won’t contribute anything towards preventing our data being leaked from Mailchimp, nor towards preventing potential phishing emails. What does make it more difficult is for hackers to access DigitalOcean’s account on Mailchimp, were 2FA to be set by DigitalOcean on their Mailchimp account.

… Nevertheless … if we are talking about some hacker that managed to obtain access to a Mailchimp employee’s account, as seems to be the case, we may presume that the employee’s account could have privileges to access data for Mailchimp’s corporate accounts (i.e. DigitalOcean), regardless of them (DigitalOcean) having 2FA on or off on their account. After all, support tends to need to look into customers’ data and configuration, and it would seem weird that they were impeded because of a customer 2FA setting. This is my speculation, but seemingly reasonable.

What could have helped is for employee accounts themselves to have 2FA access to Mailchimp’s overall system, and to be required to connect through a VPN from a fixed set of firewall-approved IPs (perhaps with 2FA on the VPN login itself).
legendary
Activity: 1932
Merit: 1273
I want to ask a security question: if a Mailchimp user gets 2FA activated, wouldn't the hackers need the code to get through?... I think email users should activate 2FA for their accounts to add an extra security layer.

Yes, they can't log in without the 2FA. But this issue wasn't a breach via the login system, and surely a company like DigitalOcean has known better about it.

We were formally notified on August 10th by Mailchimp of the unauthorized access to our and other accounts by what we understand to be an attacker who had compromised Mailchimp internal tooling.

On the other hand, the DigitalOcean users whose emails were compromised but who use 2FA got their accounts secured against takeover attempts.
hero member
Activity: 1778
Merit: 709
[Nope]No hype delivers more than hope
I want to ask a security question: if a Mailchimp user gets 2FA activated, wouldn't the hackers need the code to get through?... I think email users should activate 2FA for their accounts to add an extra security layer.
The authentication feature can be activated by several methods, and each has its drawbacks; in particular, users who are not very protective of their devices will only use the most flexible methods, such as 2FA via phone numbers, which actually places their risk even higher. There are at least 6 ways 2FA can be bypassed according to this article.
sr. member
Activity: 686
Merit: 403
I want to ask a security question: if a Mailchimp user gets 2FA activated, wouldn't the hackers need the code to get through?... I think email users should activate 2FA for their accounts to add an extra security layer.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Presumably, we're talking about 214 affected corporations

Quite thankfully, I am not one of them: I stopped using Mailchimp a long time ago, but for a different reason (practically zero conversion rate).
hero member
Activity: 1554
Merit: 880
pxzone.online
Looks like we are in an era where privacy is endangered more than anything else, particularly in this digital era lol. And it seems like data privacy protection should be prioritized first, together with full control of someone's money.

There should be some cryptographic services/ways to handle this kind of problem, especially privacy protection.
legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
What beats me is how long it takes to get corporate client names around, besides a sparse one here or there that crops up after a few days. I mean Mailchimp’s hack/leak was essentially sized up around 12/08/2022 at the latest, as per this released information. Today is the 19th, and we’re yet to see corporate names pouring in, besides the known few.

Presumably, we’re talking about 214 affected corporations on this occasion, and although it will be down to these companies to communicate the events to their in turn affected customers/leads, being prompt is essential to minimize potential phishing damage. One would have expected that, by now, plenty more corporate names would be known, had they moved to action to communicate with those affected.
hero member
Activity: 854
Merit: 663
That's why it's best to use email aliases when signing up for/giving an email to any service you use, especially when you are buying any crypto-related products.

That way, you have more control over the emails being sent to you, as you have the option to disable that specific alias, and obfuscate your real email in case a hack like this happens.
AFAIK some third parties ask for the real or personal email of the owner, not the alias or business email. This means they have no choice but to either follow the exchanges or accept the risk; if the exchanges track the email with the real name, then they might freeze the clients' money.

Though I can't search for an accusation related to this case to back up my words.
legendary
Activity: 2044
Merit: 1018
Not your keys, not your coins!
It is easy for them to say sorry after any compromise but users bear personal data loss forever.

I don't use the same email for different important platforms. If a platform is compromised, only that email is exposed and it is not connected to other personal information.

For another important platform I use, I use another email to register an account there.

I never save personal information, passwords, selfie photos, etc. in any email or cloud. If I save them digitally, they will be saved on my device.
legendary
Activity: 1904
Merit: 1563
That's why it's best to use email aliases when signing up for/giving an email to any service you use, especially when you are buying any crypto-related products.

That way, you have more control over the emails being sent to you, as you have the option to disable that specific alias, and obfuscate your real email in case a hack like this happens.
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
There's this quote by Robert S. Mueller: “There are only two types of companies: Those that have been hacked and those that will be hacked.”

While some platforms are far more secure than others, hence it will take far longer for a breach to occur, yea, the smaller fish will be breached a lot sooner — like this one.

While it's impossible to not have personal data in today's world, it's your job to make sure you have as little personal information over the web as possible. Though fortunately in this case it seems like they're confident enough that it's just emails.
legendary
Activity: 2702
Merit: 4002
Unfortunately, the customer is the only one affected, so the company’s reputation will increase in the future if the management of economic affairs is well done, because people forget quickly. But I am surprised that the work data is considered so easy, and no person is compensated for damage; therefore, if internal parties hack, no one will ask them.

Also, the reliance of services on third-party applications to provide some of their services wastes accounting efforts and makes this data vulnerable to being read by several other third parties (which may be governmental or otherwise).

In general, you should avoid all messages received in your e-mail, except from trusted parties.
legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
Here we go again, with yet another mail marketing platform breached in recent times. There is yet no apparent reference to the number of crypto-related companies affected, nor the extent of the breached data. DigitalOcean claims that, in their case, it was "only" the email, but it’s never just that really. At the bare minimum, the fact that the breached emails belong to customers/prospects of a certain company and/or industry is a big added value for phishing purposes.

Prior to Mailchimp’s statement, those crypto companies that were finding their account inaccessible thought it was an arbitrary action on Mailchimp’s behalf against their crypto clients, and so the media played along with this idea. Now they are selling it as a preventive action (probably more on the post event than on the pre event side of things).

Anecdotally (or not), their Acceptable Use Policy went from (2018, when the crypto clause was introduced):

Quote
Some industries have higher-than-average abuse complaints, which can jeopardize the deliverability of our entire system. Nothing personal, but in order to maintain the highest delivery rates possible for all our customers, we can’t allow businesses that offer these types of services, products, or content:

<…> Also, we cannot allow businesses involved in any aspect of the sale, transaction, exchange, storage, marketing or production of cryptocurrencies, virtual currencies, and any digital assets related to an Initial Coin Offering, to use MailChimp to facilitate or support any of those activities.
See: https://web.archive.org/web/20180329173005/https://mailchimp.com/legal/acceptable_use/


To (as seen on the 15/08/2022):
Quote
Some industries have higher-than-average abuse complaints, which can jeopardize deliverability. In order to maintain the reliability of our platform, we do not allow businesses that offer these types of services, products, or content:

<…> Cryptocurrencies, virtual currencies, and any digital assets related to an Initial Coin Offering
https://web.archive.org/web/20220815080850/https://mailchimp.com/legal/acceptable_use/


Through to their current (set on the 16/08/2022: https://web.archive.org/web/20220816085119/https://mailchimp.com/legal/acceptable_use):
Quote
Some industries have higher-than-average abuse complaints, which can jeopardize deliverability. In order to maintain the reliability of our platform, we may not allow businesses that offer these types of services, products, or content:

<…> Cryptocurrencies, virtual currencies, and any digital assets related to an Initial Coin Offering

Edit:
Allegedly, 214 Mailchimp accounts (companies) affected
See: https://www.techtarget.com/searchsecurity/news/252523911/Mailchimp-suffers-second-breach-in-4-months
hero member
Activity: 1414
Merit: 542
Mailchimp was hacked again, exposing DigitalOcean customers' email addresses,

Quote
At Mailchimp, the security of our users’ data is our top priority.

Across the tech industry, malicious actors are increasingly deploying an array of sophisticated phishing and social engineering tactics targeting data and information from crypto-related companies. In response to a recent attack targeting Mailchimp’s crypto-related users, we’ve taken proactive measures to temporarily suspend account access for accounts where we detected suspicious activity while we investigate the incident further. We took this action to protect our users’ data, and then acted quickly to notify all primary contacts of impacted accounts and implement an additional set of enhanced security measures. We did not suspend accounts based on their industry, and we are committed to continuing to serve crypto companies. We are reviewing our Standard Terms of Use and Acceptable Use Policy in light of our commitment to bringing innovative crypto solutions to our customers.

We realize this may have caused uncertainty for our crypto-related users and their customers and apologize for the disruption. We are continuing our investigation and proactively providing impacted users with timely and accurate information throughout the process.

https://mailchimp.com/august-2022-security-incident/

And as per DigitalOcean,

Quote
- On August 8th, DigitalOcean discovered that our Mailchimp account had been compromised as part of what we suspect to be a wider Mailchimp security incident that affected their customers, targeted at crypto and blockchain.
- From that Mailchimp incident, we suspect certain DigitalOcean customer email addresses may have been exposed. Out of an abundance of caution, we are currently sending email communications to those impacted.
- A very small number of DigitalOcean customers experienced attempted compromise of their accounts through password resets. These customers’ accounts have been secured, and have been contacted directly.
- As of August 9th, we have migrated email services away from Mailchimp.
- No customer information other than email address was compromised, however, we recommend increased vigilance against phishing attempts in the coming weeks, in addition to enabling two-factor authentication on your DigitalOcean account.

https://www.digitalocean.com/blog/digitalocean-response-to-mailchimp-security-incident

This is not the first time that the email service Mailchimp has been breached; in April 2022, they were compromised as well:

https://twitter.com/Trezor/status/1510558771944333312

And so attacks on mailing services have been increasing these last couple of months, with the hackers getting mostly crypto-related emails. And this could be another 1 -> end customer.

DigitalOcean for example have notified their users that there could be phishing attacks in the coming weeks as a result of this.