New MailChimp Breach Exposed DigitalOcean Customer Email Addresses
DigitalOcean is warning customers that a recent MailChimp security breach exposed the email addresses of some customers, with a small number receiving unauthorized password resets.
The company says they first learned of the breach after MailChimp disabled their account without warning on August 8th. DigitalOcean used this MailChimp account to send email confirmations, password reset notifications, and alerts to customers.
DigitalOcean says that on the same day, a customer notified their cybersecurity team that their password was reset without authorization.
After an investigation, they found an unauthorized email address from the @arxxwalls.com domain was added to their MailChimp account and used in emails starting on August 7th.
Believing that their MailChimp account was breached, DigitalOcean says they reached out to the company but didn’t hear back until August 10th, when they learned that a hacker had gained access to MailChimp’s internal support tools.
“We were formally notified on August 10th by Mailchimp of the unauthorized access to our and other accounts by what we understand to be an attacker who had compromised Mailchimp internal tooling,” explains a security advisory from DigitalOcean.
Further investigations showed that the threat actor used the stolen customer email addresses to try and gain access to DigitalOcean accounts by performing password resets. These password reset requests originated from the IP address x.213.155.164.
However, those accounts using multi-factor authentication were protected from the password reset attempts.
DigitalOcean has since switched to another email service provider. The company notified affected customers about the data breach yesterday.
BleepingComputer contacted DigitalOcean last night with further questions about the breach but did not receive a response.
MailChimp hacked again
As for MailChimp, a security advisory posted on August 12th does not provide much information other than saying it targeted crypto-related customers.
“In response to a recent attack targeting Mailchimp’s crypto-related users, we’ve taken proactive measures to temporarily suspend account access for accounts where we detected suspicious activity while we investigate the incident further,” reads the short advisory from MailChimp.
“We took this action to protect our users’ data, and then acted quickly to notify all primary contacts of impacted accounts and implement an additional set of enhanced security measures.
However, in response to questions about the breach, MailChimp told BleepingComputer that they were breached through phishing and social engineering tactics that allowed the hackers to access 214 MailChimp accounts.
“We recently experienced a security incident in which unauthorized actors targeted Mailchimp’s crypto-related users by employing sophisticated phishing and social engineering tactics. Based on our investigation to date, it appears that 214 Mailchimp accounts were affected by the incident.” – MailChimp.
MailChimp told us they are working to reinstate accounts and investigate the incident.
MailChimp’s internal support tools were also breached in April 2022 to target cryptocurrency-related customers. The audience data stolen during that breach led to a massive phishing campaign targeting Trezor hardware wallet customers.
The arxxwalls domain
As part of DigitalOcean’s disclosure, they mention that an email address from the @arxxwalls.com domain was added as a sender to its MailChimp account.
While the owner of the arxxwalls.com domain states that it is not used for illegal activity, it has been abused by numerous scams, operators of fake companies, and phishing attacks.
Furthermore, research by BleepingComputer shows that the domain is being used for callback phishing attacks that pretend to be antivirus subscriptions.
Callback attacks are a new type of hybrid phishing seeing enormous growth that starts with an email pretending to be from a legitimate company. These emails warn recipients that they must take action to prevent a cybersecurity incident or the renewal of a grossly overpriced support/antivirus subscription.
Included in these emails is a phone number that, when called, will be used to steal information from the victim or to prompt the recipient to install remote access software on their device.
The threat actors use this remote access to breach the network of the victim, commonly used to conduct data extortion or ransomware attacks.