Notification of potential DigitalOcean account email address exposure
jcolideles
Member
in News
Just got this email from DO:
Hi there,

On August 8th, 2022, DigitalOcean discovered that our Mailchimp account had been compromised as part of a wider Mailchimp Security Incident. As a result, a number of DigitalOcean customer email addresses may have been viewed by an unauthorized individual.

Impact to you

No customer information other than email address was impacted; however, we recommend increased vigilance against phishing attempts in the coming weeks, in addition to enabling two-factor authentication on your DigitalOcean account. Please review our documentation on two-factor authentication for more information.

Actions we have taken

At DigitalOcean, we take the protection of customer data very seriously, and we sincerely apologize that your email address may have been impacted by this incident. We have migrated our email services to another provider and are completing thorough security reviews to confirm our vendors' security posture. For more details on this incident, please read through our latest blog post.

We are committed to holding ourselves accountable to our customers and prioritizing protecting your account. We welcome the opportunity to talk through any questions or concerns you may have - just reply to this email.

Sincerely,
DigitalOcean Security
Comments
This is the worst security disclosure I've ever read: https://mailchimp.com/august-2022-security-incident/
If after three days one of your customers has sent out a better disclosure than you, and you still haven't acknowledged any potential issue on your side besides apologizing to crypto bros for an appearance of being targeted, sounds like DO is doing right to get the fuck out.
I don't get it. So is this DO's fault or Mailchimp's fault? Reading the mail from DO, it seems like Mailchimp had some kind of issue and got their account compromised, but reading the blog post from MC, it seems like the clients (crypto companies? DO?) somehow got their credentials stolen.
Yeah that's the frustrating part. We're a few days past a security advisory that seemingly made a point to not clearly make a point, and now a big customer is admitting to noping out because their account got compromised.
Really bad look for MC.
They're getting good at wearing it.
This may or may not be related, but I created and used a burner card for DO a few weeks ago, and in the last week I've been notified that someone attempted to use the card elsewhere. I have not used the card anywhere else; it was only ever created for DigitalOcean.
Although this:
Common sense would suggest you should do the security reviews prior to giving the data to someone else, not after.
Looks like there was a Twilio breach last week too: https://www.twilio.com/blog/august-2022-social-engineering-attack
Cloudflare too. They don't use TOTP anymore, full YubiKeys.
https://blog.cloudflare.com/2022-07-sms-phishing-attacks/
I'm normally pretty supportive of Cloudflare, and their blog posts around security/DDoS incidents are usually pretty good reads.
But this blog post says:
And then goes on to show how employees were contacted via text message, see:
I fail to see how "most organizations would be likely to be breached." This seems like a pretty obvious phishing attempt to me. Not really all that sophisticated of an attack either.
Though, with enough prospects, one falling for it might be enough? If so, probably could happen at most places.
That's fair. You can't forget about sales teams, they're a pretty normal department in most companies.
People still use MailChimp? Overpriced and bloated imo...
I would pursue every other avenue in the meantime. Computer virus intercepting input, compromised account with the card generator (like privacy.com or similar I'm guessing). DO doesn't store cards themselves, they're stored with stripe.
You'd be surprised how often stuff like that succeeds. Anti-phishing is a major headache in organizations.
The senior sysadmin doesn't fall for this, but the receiving clerk or admin assistant might.
The 1,900 phone numbers revealed as a result of the Twilio breach (Signal users) are more interesting news.
https://techcrunch.com/2022/08/15/signal-phone-number-exposed-twilio/
Maybe an illiterate one. I know very few people who would fall for phishing over here, and they are NOT in IT. My 78 yo father is an example, but even he knows his vulnerabilities and opted out of online management of his money; he goes to the bank, physically...
You married, my friend? Or got a large family (or in-laws' family)? During the next family gathering carry a case of wine and you may learn enough to revise your first statement.
Edit: You can even get enough material to write your next book on the topic.