Digital Ocean Mailing List Breach
Received from DO:
GDPR aweigh?
Hi there,
On August 8th, 2022, DigitalOcean discovered that our Mailchimp account had been compromised as part of a wider Mailchimp Security Incident. As a result, a number of DigitalOcean customer email addresses may have been viewed by an unauthorized individual.
Impact to you
No customer information other than email address was impacted; however, we recommend increased vigilance against phishing attempts in the coming weeks, in addition to enabling two-factor authentication on your DigitalOcean account. Please review our documentation on two-factor authentication for more information.
Actions we have taken
At DigitalOcean, we take the protection of customer data very seriously, and we sincerely apologize that your email address may have been impacted by this incident. We have migrated our email services to another provider and are completing thorough security reviews to confirm our vendors’ security posture. For more details on this incident, please read through our latest blog post. We are committed to holding ourselves accountable to our customers and prioritizing protecting your account. We welcome the opportunity to talk through any questions or concerns you may have - just reply to this email.
Sincerely,
DigitalOcean Security
VPS reviews | | MicroLXC | English is my nth language.
Comments
Haven't heard of the cited Mailchimp incident. That would be huge.
Yes, from the DO post:
Looks like Mailchimp Intuit lost a customer. Maybe more down the line
VPS reviews | | MicroLXC | English is my nth language.
aka Mailchump
We migrated to another provider, then we will do security reviews on that another provider.
Fucking 10/10, would leak again.
“No customer information other than email address was impacted”
Nice way to try and polish a turd. Customer information was impacted; it doesn’t matter if it’s just email. Silly people
Michael
Really?
So publicly sharing your bank account, home address, full name etc, would be the same as publicly sharing your email address?
BikeGremlin I/O
Mostly WordPress ™
Every bit of data is different, but there’s no comfort in “don’t worry it was only your email address” IMO
Michael
Or to spin it another way - they send emails, the only information they have is your email address. So, the other way of saying "nothing was leaked apart from your email address" is "every piece of personal data we were entrusted to look after was leaked".
As far as I'm concerned, if that's really the case, it's as comforting as possible (compared to other data being leaked).
BikeGremlin I/O
Mostly WordPress ™
I get what you mean, I think @MichaelCee is annoyed at the attempt to play down what is still a breach of data as opposed to weighing each by merit.
Me personally, I'm quite offended by the attempt to spin it as "just" an email address
I sometimes worry that I'm so correct in all I say, that there might be something wrong with me
this
So, they entrusted email to another entity. The said entity has had a leak. They blame that entity and move to a new entity.
I am sure the new entity will have a leak at one point. Then I guess they will move to another.
Bottom line, they hate taking on responsibilities, yeah?
♻ Amitz day is October 21.
♻ Join Nigh sect by adopting my avatar. Let us spread the joys of the end.
That's the spirit of the times.
It'll get worse.
BikeGremlin I/O
Mostly WordPress ™
I was quite enjoying the Spy Versus Spy er.. Mod versus Mod discussion till you stepped in and spoiled the show.
VPS reviews | | MicroLXC | English is my nth language.
Here - enjoy the highlights - the LES mod team showdown:
BikeGremlin I/O
Mostly WordPress ™
Two mods I can guess, who are the other two? Stealth Mods?
VPS reviews | | MicroLXC | English is my nth language.
Well, they said they're from the LES mod/admin team...
BikeGremlin I/O
Mostly WordPress ™
Unless @ehab joined the Mod team recently, the 'heavy roller' in the video poses a conundrum. (To use a term from cricket.)
VPS reviews | | MicroLXC | English is my nth language.
I'm secretly paid to be the ref - these two are often ready to get the gloves 🤣
I sometimes worry that I'm so correct in all I say, that there might be something wrong with me
Mailchimp is trying to cover it up. Their post never actually says they were breached but they haven't denied DO's statement that they were.
And now.. presenting..
Breach at Signal!
1900 numbers exposed.
https://techcrunch.com/2022/08/15/signal-phone-number-exposed-twilio/
Bring on the Wrestlers
VPS reviews | | MicroLXC | English is my nth language.
I've cancelled my account and asked for my data to be removed following this - I'm more annoyed about the bs than the event
I sometimes worry that I'm so correct in all I say, that there might be something wrong with me
Which account?
Mailchimp
Digital Ocean
Signal
or
Twilio?
They are all peas in a pod.
p.s: LES can also be annoying with BS at times. So that also should be added to the above list.
VPS reviews | | MicroLXC | English is my nth language.
Surprised they used an external emailer
It's a pretty big savings actually. The number of IPs needed to run their mailings, and the amount of effort you should put into the infrastructure and IP reputation, it would be more expensive to do it in house at their size. When I left there was still only one person who cared about the root domain's SPF record, mail was just totally delegated.
All the marketing, the sales, the transactional, it's just obscene the number of emails leaving that platform. Though MailChimp was never explicitly chosen, just rode out the change from Mandrill merging back in.
Hate radiates from the source. If you look around and see it everywhere, it's coming from you.
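The post above mentions that mail was delegated to third parties and that nobody much cared about the root domain's SPF record. The practical upshot of a vendor incident like the one in this thread is that a defender wants an inventory of every third party authorized to send mail as their domain, which is exactly what the `include:` and `redirect=` terms of an SPF record enumerate. The following is an added example, not code from the forum, from DigitalOcean or from Mailchimp; it parses a constructed SPF record (the domain names in it are placeholders, not any real vendor's include) and lists the delegated senders, plus a few configuration weaknesses that are visible from the record text alone.

```python
import re

# Constructed sample record for a hypothetical domain; the vendor include
# names are placeholders, not any real provider's SPF hostnames.
SAMPLE_SPF = (
    "v=spf1 ip4:203.0.113.0/24 "
    "include:_spf.mail-vendor.example include:_spf.crm-vendor.example -all"
)

# Mechanisms that cost a DNS lookup under RFC 7208 (limit of 10 per evaluation).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) tuples and modifiers."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = []
    modifiers = {}
    for term in terms[1:]:
        # Modifiers look like name=value (redirect=, exp=); mechanisms use name:value.
        head = term.split("=", 1)[0]
        if "=" in term and ":" not in head:
            name, _, value = term.partition("=")
            modifiers[name.lower()] = value
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        mechanisms.append((qualifier, name.lower(), value))
    return mechanisms, modifiers


def delegated_senders(record):
    """Third-party domains allowed to send as this domain: include: targets and any redirect=."""
    mechanisms, modifiers = parse_spf(record)
    domains = [value for _, name, value in mechanisms if name == "include"]
    if "redirect" in modifiers:
        domains.append(modifiers["redirect"])
    return domains


def spf_findings(record):
    """Weaknesses a reviewer would flag from the record itself (no DNS resolution)."""
    mechanisms, modifiers = parse_spf(record)
    findings = []
    all_terms = [(q, n) for q, n, _ in mechanisms if n == "all"]
    if not all_terms and "redirect" not in modifiers:
        findings.append("no 'all' mechanism: unlisted senders evaluate to neutral")
    elif all_terms and all_terms[-1][0] in "+?":
        findings.append(f"'{all_terms[-1][0]}all' effectively authorizes any sender")
    lookups = sum(1 for _, n, _ in mechanisms if n in LOOKUP_MECHANISMS)
    lookups += 1 if "redirect" in modifiers else 0
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


if __name__ == "__main__":
    print("delegated senders:", delegated_senders(SAMPLE_SPF))
    print("findings:", spf_findings(SAMPLE_SPF) or "none")
```

Run against a real domain, the record would come from a TXT lookup rather than the constructed string; the point is that the `include:` list is the vendor inventory to review when one of those vendors reports an incident, and it is also where stale entries for providers you have since left tend to linger.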
Easier sale for customers/investors too ..
I suppose?
“We use best in class or industry leading SaaS tools for our operations “
Versus
“We use in house tools based on advanced, proprietary (or open source) protocols”
VPS reviews | | MicroLXC | English is my nth language.
There is something to be said for generating revenue with minimal tech debt.
Hate radiates from the source. If you look around and see it everywhere, it's coming from you.
Old and not entirely spot on, but you know the saying:
"No one got fired for buying IBM."
BikeGremlin I/O
Mostly WordPress ™
If there was a MailChimp-wide security incident, I don't see how DO could be to blame here. I don't want to be all "nobody gets fired for buying IBM" here, but using MailChimp for communications isn't unusual.
I'd personally like a step before it. If there was a MailChimp security incident, I'd like to see an actual disclosure. I get that such can't always happen right away but typically when it can't happen, because companies are working with law enforcement, they keep their mouths shut about it entirely. Just saying there was an incident and then not saying anything else for this much time, that's just painful.
At the very least I feel like if you're going that far and can't go further, you oughta say something to that effect like "We cannot say anything more at this time, and we believe that you will consider the reason for that to be both understandable and respectable as we are able to speak more on the matter." Just off the top of my head.
Hate radiates from the source. If you look around and see it everywhere, it's coming from you.