EXECUTIVE SUMMARY:

Cloud provider DigitalOcean says that a recent MailChimp security breach exposed the email addresses of its customers. A small portion of those customers also received unauthorized password resets.

MailChimp’s data breach

DigitalOcean first learned of the breach after MailChimp disabled its account without warning last week. Until then, DigitalOcean had used this MailChimp account to send email confirmations, password reset notifications and alerts.

A customer apparently notified the DigitalOcean team about an unauthorized password reset. Upon investigation, security professionals discovered that an unauthorized email address (from the @arxxwalls.com domain) had been added to the MailChimp account.

[Image: DigitalOcean breach notification letter. Courtesy of BleepingComputer.com]

Further investigation

Further investigation revealed that the threat actor used the stolen customer email addresses to try to gain access to DigitalOcean accounts. However, accounts that used multi-factor authentication were not affected by the password reset attempts, according to BleepingComputer.

DigitalOcean has since switched to a different email service provider. Customers received notification about the breach on August 15th.

MailChimp information

Thus far, MailChimp has said that the breach largely targeted cryptocurrency-related customers. Select MailChimp customer accounts were suspended, including those belonging to Cointelegraph, NFT Creators, Ethereum FESP, Messari and Decrypt.

“In response to a recent attack targeting MailChimp’s crypto-related users, we’ve taken proactive measures to temporarily suspend account access for accounts where we detected suspicious activity while we investigate the incident further,” said the company.

MailChimp did acknowledge that the breach occurred through phishing and social engineering. A total of 214 MailChimp accounts may have been compromised.

The company is continuing to reinstate accounts and to investigate the incident.

More on MailChimp

Reports indicate that MailChimp’s internal support tools were also breached earlier this year, in April. Again, the attack targeted cryptocurrency-related customers. Data stolen via that breach led to a large phishing campaign targeting Trezor cryptocurrency hardware wallet customers.

The arxxwalls domain

Within DigitalOcean’s disclosure, the firm mentioned that an email address associated with the @arxxwalls.com domain was added as a sender to a MailChimp account. The owner of the domain says that the site is not used for illegal activity. However, the site has been abused by operators of fake companies, scam artists and phishers.

Actionable insights

Research shows that the domain arxxwalls.com is being used for Callback phishing attacks. These are phishing attacks whose lures pose as antivirus subscription notices.

[Image: Callback phishing attack email. Courtesy of BleepingComputer.com]

What are Callback phishing attacks?

Callback phishing attacks are a new “hybrid” phishing scheme. They start with an email pretending to be from a real company. The emails warn recipients that they need to take urgent action to prevent a security incident. Or, they warn recipients about the need to renew an antivirus subscription.

The emails include a phone number instead of a link. When the recipient dials it, the operator on the line tries to extract information from the victim and may also talk them into installing remote access malware on their device. Threat actors then use that remote access to breach the victim’s network, which in turn can lead to data extortion and ransomware.
