Digital Ocean Mailing List Breach
Received from DO:
GDPR aweigh?
Hi there,
On August 8th, 2022, DigitalOcean discovered that our Mailchimp account had been compromised as part of a wider Mailchimp Security Incident. As a result, a number of DigitalOcean customer email addresses may have been viewed by an unauthorized individual.
Impact to you
No customer information other than email address was impacted; however, we recommend increased vigilance against phishing attempts in the coming weeks, in addition to enabling two-factor authentication on your DigitalOcean account. Please review our documentation on two-factor authentication for more information.
Actions we have taken
At DigitalOcean, we take the protection of customer data very seriously, and we sincerely apologize that your email address may have been impacted by this incident. We have migrated our email services to another provider and are completing thorough security reviews to confirm our vendors’ security posture.
For more details on this incident, please read through our latest blog post. We are committed to holding ourselves accountable to our customers and prioritizing protecting your account. We welcome the opportunity to talk through any questions or concerns you may have - just reply to this email.
Sincerely,
DigitalOcean Security
Comments
Haven't heard of the cited Mailchimp incident. That would be huge.
Yes, from the DO post:
Looks like Mailchimp Intuit lost a customer. Maybe more down the line
blog | exploring visually |
aka Mailchump
We migrated to another provider, then we will do security reviews on that other provider.
Fucking 10/10, would leak again.
Haven't bought a single service in VirMach Great Ryzen 2022 - 2023 Flash Sale.
https://lowendspirit.com/uploads/editor/gi/ippw0lcmqowk.png
“No customer information other than email address was impacted”
Nice way to try and polish a turd. Customer information was impacted; it doesn’t matter if it’s just email. Silly people
Michael from DragonWebHost & OnePoundEmail
Really?
So publicly sharing your bank account, home address, full name etc, would be the same as publicly sharing your email address?
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
Every bit of data is different, but there’s no comfort in “don’t worry it was only your email address” IMO
Michael from DragonWebHost & OnePoundEmail
Or to spin it another way - they send emails, the only information they have is your email address. So, the other way of saying "nothing was leaked apart from your email address" is "every piece of personal data we were entrusted to look after was leaked".
As far as I'm concerned, if that's really the case, it's as comforting as possible (compared to other data being leaked).
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
I get what you mean, I think @MichaelCee is annoyed at the attempt to play down what is still a breach of data as opposed to weighing each by merit.
Me personally, I'm quite offended by the attempt to spin it as "just" an email address
───────────────────────────────────
🌐 Blesta.club - Blesta Modules, Plugins, Gateways and more
💬 Join our community today and start your journey!
───────────────────────────────────
this
So, they entrusted email to another entity. The said entity has had a leak. They blame that entity and move to a new entity.
I am sure the new entity will have a leak at one point. Then I guess they will move to another.
Bottom line, they hate taking on responsibilities, yeah?
♻ Amitz day is October 21.
♻ Join Nigh sect by adopting my avatar. Let us spread the joys of the end.
That's the spirit of the times.
It'll get worse.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
I was quite enjoying the Spy Versus Spy er.. Mod versus Mod discussion till you stepped in and spoiled the show.
blog | exploring visually |
Here - enjoy the highlights - the LES mod team showdown:
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
Two mods I can guess, who are the other two? Stealth Mods?
blog | exploring visually |
Well, they said they're from the LES mod/admin team...
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
Unless @ehab joined the Mod team recently, the 'heavy roller' in the video poses a conundrum. ( to use a term from cricket)
blog | exploring visually |
I'm secretly paid to be the ref - these two are often ready to get the gloves 🤣
───────────────────────────────────
🌐 Blesta.club - Blesta Modules, Plugins, Gateways and more
💬 Join our community today and start your journey!
───────────────────────────────────
Mailchimp is trying to cover it up. Their post never actually says they were breached but they haven't denied DO's statement that they were.
And now.. presenting..
Breach at Signal!
1900 numbers exposed.
https://techcrunch.com/2022/08/15/signal-phone-number-exposed-twilio/
Bring on the Wrestlers
blog | exploring visually |
I've cancelled my account and asked for my data to be removed following this - I'm more annoyed about the bs than the event
───────────────────────────────────
🌐 Blesta.club - Blesta Modules, Plugins, Gateways and more
💬 Join our community today and start your journey!
───────────────────────────────────
Which account?
Mailchimp
Digital Ocean
Signal
or
Twilio?
They are all peas in a pod.
p.s: LES can also be annoying with BS at times. So that also should be added to the above list.
blog | exploring visually |
Surprised they used an external emailer
It's a pretty big savings actually. The number of IPs needed to run their mailings, and the amount of effort you should put into the infrastructure and IP reputation, it would be more expensive to do it in house at their size. When I left there was still only one person who cared about the root domain's SPF record, mail was just totally delegated.
All the marketing, the sales, the transactional, it's just obscene the number of emails leaving that platform. Though MailChimp was never explicitly chosen, just rode out the change from Mandrill merging back in.
Do everything as though everyone you’ll ever know is watching.
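The post above describes mail being delegated wholesale to a vendor, with a single person looking after the root domain's SPF record. SPF is where that delegation is visible: every include: (or redirect=) is a third party authorised to send mail as your domain, so a compromise at that vendor is a compromise of your sender identity, which is exactly the phishing exposure DigitalOcean's notice warns about. The script below is an added example written for this page, not code from the thread, from DigitalOcean or from Mailchimp. It parses SPF records offline (no DNS) and lists the delegated senders, the terminal "all" qualifier, and the RFC 7208 DNS-lookup count. The sample records are constructed; "servers.mcsv.net" is the include hostname Mailchimp documents for its customers, and the other hostnames and addresses are placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample SPF records for this example; none is any real company's DNS.
# "servers.mcsv.net" is the include hostname Mailchimp documents for its customers;
# the remaining hostnames and addresses are placeholders (RFC 5737 / RFC 2606 ranges).
SAMPLE_RECORDS = {
    "example.com": "v=spf1 include:servers.mcsv.net include:_spf.google.com ip4:203.0.113.0/24 ~all",
    "strict.example": "v=spf1 ip4:198.51.100.10 -all",
    "open.example": "v=spf1 include:_spf.example.net +all",
}

# Terms that cost a DNS lookup when a receiver evaluates the record.
# RFC 7208 section 4.6.4 caps these at 10 per evaluation; beyond that the
# result is permerror, i.e. the policy silently stops protecting the domain.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10

# optional qualifier + mechanism/modifier name + optional argument after ':', '=' or '/'
TERM_RE = re.compile(r"^([+\-~?])?([a-z0-9]+)(?:[:=/](.*))?$", re.IGNORECASE)


@dataclass
class SpfSummary:
    own_ips: list = field(default_factory=list)       # ip4:/ip6: networks the domain vouches for itself
    delegated_to: list = field(default_factory=list)  # include:/redirect= targets: third parties that may send as you
    all_qualifier: str = "?"                          # qualifier on the terminal "all"; "?" (neutral) if absent
    lookups: int = 0
    warnings: list = field(default_factory=list)


def parse_spf(record: str) -> SpfSummary:
    """Summarise one SPF TXT record without performing any DNS resolution."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: " + record)
    s = SpfSummary()
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            s.warnings.append(f"unparseable term {term!r}")
            continue
        qual = m.group(1) or "+"          # mechanisms default to "+" (pass)
        name = m.group(2).lower()
        arg = m.group(3)
        if name in LOOKUP_TERMS:
            s.lookups += 1
        if name in ("include", "redirect") and arg:
            s.delegated_to.append(arg)    # a vendor in your trust boundary
        elif name in ("ip4", "ip6") and arg:
            s.own_ips.append(arg)
        elif name == "all":
            s.all_qualifier = qual
    if s.all_qualifier == "+":
        s.warnings.append("'+all' permits any host on the internet to send as this domain")
    elif s.all_qualifier == "?":
        s.warnings.append("'?all' (or no 'all' term) is neutral: unlisted senders are neither passed nor failed")
    if s.lookups > LOOKUP_LIMIT:
        s.warnings.append(
            f"{s.lookups} DNS-lookup terms exceed the RFC 7208 limit of {LOOKUP_LIMIT}; evaluation returns permerror"
        )
    return s


def audit(records: dict) -> dict:
    """Map each domain to its SpfSummary; the delegated_to lists form the mail-vendor inventory."""
    return {domain: parse_spf(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, s in audit(SAMPLE_RECORDS).items():
        print(f"{domain}: all={s.all_qualifier} lookups={s.lookups}")
        for vendor in s.delegated_to:
            print(f"  third party may send as {domain}: {vendor}")
        for w in s.warnings:
            print(f"  WARNING: {w}")
```

Feed it your real records (for example the output of `dig +short TXT yourdomain` filtered to the v=spf1 line) to get the list of vendors who can currently send as you; when one of them reports a breach, that list is what tells you whether the notice applies to your domain. The parser stays deliberately shallow: it does not recurse into includes, because doing so needs DNS and is the receiver's job, and the lookup count is what decides whether the receiver gets that far.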
Easier sale for customers/investors too ..
I suppose?
“We use best in class or industry leading SaaS tools for our operations “
Versus
“We use in house tools based on advanced, proprietary (or open source) protocols”
blog | exploring visually |
There is something to be said for generating revenue with minimal tech debt.
Do everything as though everyone you’ll ever know is watching.
Old and not entirely spot on, but you know the saying:
"No one got fired for buying IBM."
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
If there was a MailChimp-wide security incident, I don't see how DO could be to blame here. I don't want to be all "nobody gets fired for buying IBM" here, but using MailChimp for communications isn't unusual.
I'd personally like a step before it. If there was a MailChimp security incident, I'd like to see an actual disclosure. I get that such can't always happen right away but typically when it can't happen, because companies are working with law enforcement, they keep their mouths shut about it entirely. Just saying there was an incident and then not saying anything else for this much time, that's just painful.
At the very least I feel like if you're going that far and can't go further, you oughta say something to that effect like "We cannot say anything more at this time, and we believe that you will consider the reason for that to be both understandable and respectable as we are able to speak more on the matter." Just off the top of my head.
Do everything as though everyone you’ll ever know is watching.