from Hacker News

Impact to DigitalOcean customers resulting from Mailchimp security incident

by smitop on 8/15/22, 10:40 PM with 83 comments

  • by nerdawson on 8/15/22, 11:50 PM

    It took two days for a company the size of DO to get an actionable response. What hope do the rest of us have?

    Interesting write up and 2FA by default sounds like a sensible move.

    If you’re the type of user to have a DO account, you should be perfectly capable of using 2FA.

  • by shawncampbell on 8/15/22, 10:46 PM

    > on August 8th, our Security Operations team was made aware of a customer who claimed their password had been reset, without their initiation.

    > One of the first discoveries was a non-DigitalOcean email address that appeared on a regular email from Mailchimp on August 7th.

    > Soon after we discovered an issue with our Mailchimp account on August 8th, we initiated contact with Mailchimp, both via traditional support channels and other escalation methods. On August 10th, we had our first actionable response

  • by xtracto on 8/15/22, 11:39 PM

    Aaah, so THAT's why their email verification was not working for several hours [1] [2]!

    [1] https://news.ycombinator.com/item?id=32398773

    [2] https://news.ycombinator.com/item?id=32392935

  • by yawnxyz on 8/16/22, 1:02 AM

    I didn't even know Mailchimp supported transactional emails. I thought it was for newsletters and stuff.

    It's kind of funny that Mailchimp treats a company as large as Digital Ocean as if they're a one person newsletter.

  • by smashah on 8/16/22, 1:16 AM

    As an indie developer, these increasingly frequent security disclosures (although yes good) are getting very frustrating.

    I want to say this is due to the threat landscape expanding by the day, but some part of me suspects that when a service provider becomes 'comfortable' (Mailchimp, Heroku, Twilio, etc.) they become complacent/cut costs in the security department.

    The other day I got a clear phishing SMS from REVOLUT! Crazy!

  • by graton on 8/16/22, 5:25 AM

    I do wish DigitalOcean would support WebAuthn/FIDO2. Meaning I could use my Yubikey and other hardware tokens I have.

    Instead they only supported TOTP (Google Authenticator is one implementation) second factor which is vulnerable to phishing attacks. But still better than SMS or nothing at all.

  • by 44gg44gg on 8/16/22, 12:54 AM

    What is a good SMTP service these days in 2022? It's beyond frustrating that every provider is now blocking SMTP.

  • by shantnutiwari on 8/16/22, 10:54 AM

    Ah Mailchimp. The king of terrible customer service.

    I was their paid client some years ago, and never have I been treated as badly (though Convertkit came a close 2nd). People keep recommending Mailchimp, when they are one of the worst companies for support.

    And funny to see big million-dollar corps are treated the same way us plebs are -- at least Mailchimp doesn't discriminate!

  • by nulbyte on 8/16/22, 1:10 AM

    > ... had successfully changed the password, but in the case below, failed to access the account due to the second-factor authentication...

    Why wasn't two factor authentication required to reset the password? This is Security 101: Greater risks need greater authentication.
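
    An added illustration of the point above (not code from the DigitalOcean write-up or from any poster here): a password-reset handler that refuses to complete a reset on a TOTP-enrolled account unless a valid code accompanies the emailed token, so control of the mail channel alone cannot take over the account. The `Account` class, token handling and secret values are constructed for the example; the HOTP/TOTP functions follow RFC 4226 and RFC 6238.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1, dynamic truncation, modulo 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30) -> str:
    """TOTP per RFC 6238: HOTP over the current 30-second time step."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step)


@dataclass
class Account:  # constructed stand-in for a user record
    email: str
    password_hash: str
    totp_secret: Optional[bytes] = None        # None means 2FA is not enrolled
    pending_reset_token: Optional[str] = None  # token sent in the reset e-mail


def verify_totp(secret: bytes, code: str, at: Optional[int] = None) -> bool:
    """Accept the current step and its two neighbours to absorb clock drift."""
    now = int(time.time()) if at is None else at
    return any(hmac.compare_digest(totp(secret, now + d * 30), code) for d in (-1, 0, 1))


def reset_password(acct: Account, token: str, new_hash: str,
                   totp_code: Optional[str] = None, at: Optional[int] = None) -> str:
    """Complete a reset: the e-mailed token proves mailbox access, and on a
    2FA-enrolled account a valid TOTP code is required on top of it."""
    if acct.pending_reset_token is None or not hmac.compare_digest(acct.pending_reset_token, token):
        return "invalid-token"
    if acct.totp_secret is not None:
        if totp_code is None or not verify_totp(acct.totp_secret, totp_code, at):
            return "second-factor-required"
    acct.password_hash = new_hash
    acct.pending_reset_token = None  # tokens are single use
    return "ok"
```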

  • by shafyy on 8/16/22, 5:18 AM

    > We have migrated our email services to another provider and are completing thorough security reviews to confirm our vendors’ security posture.

    Must suck for Mailchimp to lose a big account, but I guess that's not surprising. Mailchimp is going down by a thousand cuts - they could have stayed a great company if they hadn't focused on growth so much (I mean they now offer online shop builder and appointment scheduler products).

  • by helloworld11 on 8/16/22, 12:09 AM

    To anyone who reads this, works in Mailchimp and happens to be in a leadership position at the company, sincerely, it would be nice to see you go bankrupt and fuck right off the face of the landscape. You don't even have the sheer size pretexts of Google, for example, to justify such terrible responsiveness, shitty customer service and generally awful account suspension and service practices. Is it simple laziness or a sharper sort of contempt for your own customers? Disgusting tendency among too many tech companies that reach any moderate size.

  • by bradgranath on 8/16/22, 1:50 AM

    Very frustrating that DO was using MailChimp in the first place.

    Also some nonsense in there about Crypto scammers?

  • by dynamohk on 8/16/22, 3:49 AM

    You would think that Digital Ocean, being a cloud hosting provider, could do email themselves, secure customer data and not provide it to third parties. Great write up though.