DigitalOcean is warning customers that a recent MailChimp security breach exposed the email addresses of some customers.

The company says they first learned of the breach after MailChimp disabled their account without warning on August 8th. DigitalOcean used this MailChimp account to send email confirmations, password reset notifications, and alerts to customers.

The blog post reads:

“At 3:30pm ET on August 8th, 2022 transactional emails from our platform, delivered through Mailchimp, stopped reaching our customers’ inboxes. This was discovered by an internal test run by engineering teams to monitor the health of our signup process. We quickly discovered our Mailchimp account had been suspended, with no access, and no other information being provided by Mailchimp. For DigitalOcean, and our customers, this meant email confirmations, password resets, email-based alerts for product health, and dozens of other transactional emails were not reaching their destination.”

After an investigation, they found that an unauthorized email address from the @arxxwalls.com domain had been added to their MailChimp account and was used in emails starting on August 7th.

Believing that their MailChimp account was breached, DigitalOcean says they reached out to the company but didn’t hear back until August 10th, when they learned that a hacker had gained access to MailChimp’s internal support tools.

“We were formally notified on August 10th by Mailchimp of the unauthorized access to our and other accounts by what we understand to be an attacker who had compromised Mailchimp internal tooling,” explains a security advisory from DigitalOcean.


Further investigation showed that the threat actor used the stolen customer email addresses to try to gain access to DigitalOcean accounts by performing password resets. These password reset requests originated from the IP address x.213.155.164.

Accounts with multi-factor authentication enabled, however, were protected from these password reset attempts.
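The pattern described above, many password reset requests for different accounts arriving from one source IP in a short window, is something an identity team can detect in its own authentication logs. The following is an added example, not DigitalOcean's or Mailchimp's code, that parses constructed sample log lines (the log format, field names and IP addresses are assumptions) and flags source IPs that request resets for several distinct accounts within a time window, listing which of those accounts lack MFA and therefore need attention first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real DigitalOcean logs); the field layout
# and the documentation-range IPs are assumptions made for this example.
SAMPLE_LOG = """\
2022-08-08T19:31:02Z password_reset_requested user=alice@example.com ip=203.0.113.7 mfa=no
2022-08-08T19:31:04Z password_reset_requested user=bob@example.com ip=203.0.113.7 mfa=yes
2022-08-08T19:31:05Z password_reset_requested user=carol@example.com ip=203.0.113.7 mfa=no
2022-08-08T19:31:09Z password_reset_requested user=dave@example.com ip=203.0.113.7 mfa=yes
2022-08-08T19:40:00Z password_reset_requested user=erin@example.com ip=198.51.100.4 mfa=no
2022-08-08T20:15:00Z password_reset_requested user=alice@example.com ip=203.0.113.7 mfa=no
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) password_reset_requested user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) mfa=(?P<mfa>yes|no)$"
)


def parse(log_text):
    """Turn log lines into (timestamp, user, ip, mfa_enabled) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["ip"], m["mfa"] == "yes"))
    return events


def flag_reset_sprays(events, window=timedelta(minutes=10), min_accounts=3):
    """Return {ip: {"accounts": [...], "unprotected": [...]}} for every IP that
    requested resets for at least `min_accounts` distinct accounts inside any
    sliding `window`; "unprotected" lists the targeted accounts without MFA."""
    by_ip = defaultdict(list)
    for ts, user, ip, mfa in sorted(events):
        by_ip[ip].append((ts, user, mfa))
    findings = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            accounts = sorted({u for _, u, _ in in_window})
            if len(accounts) >= min_accounts:
                unprotected = sorted({u for _, u, mfa in in_window if not mfa})
                findings[ip] = {"accounts": accounts, "unprotected": unprotected}
                break  # one finding per IP is enough for an alert
    return findings


if __name__ == "__main__":
    for ip, f in flag_reset_sprays(parse(SAMPLE_LOG)).items():
        print(ip, "targeted", len(f["accounts"]), "accounts; without MFA:", f["unprotected"])
```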

DigitalOcean has since switched to another email service provider. The company notified affected customers about the data breach yesterday.