A series of malicious social engineering attacks against Mailchimp and at least one of its customers, DigitalOcean, highlights an ongoing trend in the information security space of threat actors targeting vulnerable organizations by abusing the digital identity supply chain.
DigitalOcean left Mailchimp after the email service provider’s internal tools were compromised by an attacker and unauthorized hackers reset the passwords of a small number of DigitalOcean customers.
Rogue actors used sophisticated phishing and social engineering techniques to target Mailchimp users linked to crypto-related accounts, a spokesperson said via email. Based on its investigation to date, Mailchimp has identified 214 accounts affected by the incident, the spokesperson added.
“With great caution, when we detect suspicious activity in our users’ accounts, we take proactive steps to temporarily suspend all account access,” the spokesperson said.
Mailchimp has notified all affected account owners and said it is working diligently to restore the accounts.
But critics push back against Mailchimp’s response. Many crypto firms claim they were taken offline without prior warning and said the company was slow to respond to their questions.
The attacks highlight two important trends in the information security space in 2022: an increase in identity attacks and an increase in digital supply chain attacks, according to Peter Firstbrook, vice president of research at Gartner.
“Identity theft is increasing dramatically to infiltrate systems,” Firstbrook said. “It is much easier to steal identities, through phishing and other social engineering techniques, than to find and exploit vulnerabilities in software.”
Attackers often use email to create new accounts, confirm the identity of potential victims, and possibly change their passwords.
“Control of email traffic allows attackers to reset account information without notice to the victim,” Firstbrook said.
Digital supply chain attacks are on the rise because of the leverage they give attackers.
“Successfully penetrating a supply chain partner gives attackers access to multiple victims at once,” Firstbrook said. “Furthermore, it is often beyond the control of the victim to detect or stop the attack because the telemetry needed [is] only available for the digital partner.”
Firstbrook points to recent phishing attacks against Microsoft using adversary-in-the-middle techniques and recent business email compromise attacks targeting Workday.
During the Klaviyo attack, an employee’s login credentials were compromised and a malicious actor was able to access some of the company’s internal support tools, according to an Aug. 3 blog post from CEO Andrew Bialecki.
The threat actor used internal support tools to primarily search for crypto-related accounts and viewed list and segment information on 44 Klaviyo accounts, according to the post. The threat actor uploaded list or segment information for 38 of these accounts. Two of the company’s internal lists for product and marketing updates were also uploaded.
The company is concerned about potential phishing or smishing attacks and has warned customers about potential requests for password resets, payment information, or emails from unusual domains.
According to Fred Plan, principal analyst at Mandiant, cryptocurrencies are targeted by a range of financially motivated malicious actors due to their potential profitability and pose little risk to cybercriminals.
“Since cryptocurrency services and platforms are less likely to have a well-developed security posture than more established financial institutions, they are also likely easier to target,” Plan said via email.
The impact of the Mailchimp breach on DigitalOcean underscores the importance of implementing security best practices, Plan said, including two-factor authentication and zero trust. Using these practices can help reduce the impact of security incidents when they occur.