Mailchimp logo

DigitalOcean is warning customers that a recent MailChimp security breach exposed the email addresses of some customers, with a small number receiving unauthorized password resets.

The company says they first learned of the breach after MailChimp disabled their account without warning on August 8th. DigitalOcean used this MailChimp account to send email confirmations, password reset notifications, and alerts to customers.

DigitalOcean says that on the same day, a customer notified their cybersecurity team that their password was reset without authorization.

After an investigation, they found an unauthorized email address from the @arxxwalls.com domain was added to their MailChimp account and used in emails starting on August 7th.

Believing that their MailChimp account was breached, DigitalOcean says they reached out to the company but didn't hear back until August 10th, when they learned that a hacker had gained access to MailChimp's internal support tools.

"We were formally notified on August 10th by Mailchimp of the unauthorized access to our and other accounts by what we understand to be an attacker who had compromised Mailchimp internal tooling," explains a security advisory from DigitalOcean.

Further investigations showed that the threat actor used the stolen customer email addresses to try and gain access to DigitalOcean accounts by performing password resets. These password reset requests originated from the IP address x.213.155.164.

However, those accounts using multi-factor authentication were protected from the password reset attempts.

DigitalOcean has since switched to another email service provider. The company notified affected customers about the data breach yesterday.

DigitalOcean data breach notification
DigitalOcean data breach notification
Source: BleepingComputer

BleepingComputer contacted DigitalOcean last night with further questions about the breach but did not receive a response.

MailChimp hacked again

As for MailChimp, a security advisory posted on August 12th does not provide much information other than saying it targeted crypto-related customers.

"In response to a recent attack targeting Mailchimp’s crypto-related users, we’ve taken proactive measures to temporarily suspend account access for accounts where we detected suspicious activity while we investigate the incident further," reads the  short advisory from MailChimp.

"We took this action to protect our users’ data, and then acted quickly to notify all primary contacts of impacted accounts and implement an additional set of enhanced security measures.

However, in response to questions about the breach, MailChimp told BleepingComputer that they were breached through phishing and social engineering tactics that allowed the hackers to access 214 MailChimp accounts.

"We recently experienced a security incident in which unauthorized actors targeted Mailchimp’s crypto-related users by employing sophisticated phishing and social engineering tactics. Based on our investigation to date, it appears that 214 Mailchimp accounts were affected by the incident." - MailChimp.

MailChimp told us they are working to reinstate accounts and investigate the incident.

Other MailChimp customers known to have been suspended without notification are Edge Wallet, Cointelegraph, NFT creatorsEthereum FESP, and Messari and Decrypt.

MailChimp's internal support tools were also breached in April 2022 to target cryptocurrency-related customers. The audience data stolen during that breach led to a massive phishing campaign targeting Trezor hardware wallet customers.

After the Cisco disclosed how hackers breached their network in what should be a model of transparency, MailChimp's scant advisory is deafening.

The arxxwalls domain

As part of DigitalOcean's disclosure, they mention that an email address from the @arxxwalls.com domain was added as a sender to its MailChimp account.

While the owner of the arxxwalls.com domain states that it is not used for illegal activity, it has been abused by numerous scams, operators of fake companies, and phishing attacks.

Notice shown on the arxxwalls.com site
Notice shown on the arxxwalls.com site
Source: BleepingComputer

Furthermore, research by BleepingComputer shows that the domain is being used for callback phishing attacks that pretend to be antivirus subscriptions.

AVG callback phishing attack using an arxxwalls.com domain
AVG callback phishing attack using an arxxwalls.com domain
Source: BleepingComputer

Callback attacks are a new type of hybrid phishing seeing enormous growth that starts with an email pretending to be from a legitimate company. These emails warn recipients that they must take action to prevent a cybersecurity incident or the renewal of a grossly overpriced support/antivirus subscription.

Included in these emails is a phone number that, when called, will be used to steal information from the victim or to prompt the recipient to install remote access software on their device.

The threat actors use this remote access to breach the network of the victim, commonly used to conduct data extortion or ransomware attacks.

Related Articles:

Acer confirms Philippines employee data leaked on hacking forum

Okta: October data breach affects all customer support system users

Pharmaceutical giant Cencora says data was stolen in a cyberattack

Johnson Controls says ransomware attack cost $27 million, data stolen

How SMBs can lower their risk of cyberattacks and data breaches