Cyber Incident Victim: DigitalOcean
Date: Aug 2022
Location: United States of America
Summary
DigitalOcean experienced a security incident where customer email addresses were exposed due to a breach at MailChimp, their email service provider. An attacker compromised MailChimp's internal tools, added an unauthorized email address (@arxxwalls.com) to the account, and initiated password reset attempts targeting exposed emails; accounts with multi-factor authentication remained protected. The company transitioned to a new email provider and notified affected customers, while MailChimp attributed the broader breach to phishing and social engineering affecting 214 accounts, primarily targeting cryptocurrency-related users. The malicious domain involved has been linked to phishing scams, including callback attacks impersonating legitimate services.
Description
DigitalOcean became aware of a security incident involving their MailChimp account on August 8, 2022, when MailChimp abruptly disabled the account without prior notification. This account was integral to DigitalOcean’s customer communications, handling email confirmations, password reset notifications, and system alerts. On the same day, DigitalOcean’s cybersecurity team received a customer report regarding an unauthorized password reset attempt. Subsequent investigation revealed that an attacker had added an unauthorized email address from the @arxxwalls.com domain to DigitalOcean’s MailChimp account on August 7, enabling the threat actor to send emails through the platform. DigitalOcean attempted to contact MailChimp immediately but received no response until August 10, when MailChimp confirmed unauthorized access to its internal support tools had compromised multiple accounts, including DigitalOcean’s.

The threat actor leveraged stolen customer email addresses to initiate password reset requests targeting DigitalOcean accounts, with attack traffic originating from IP address x.213.155.164. Accounts protected by multi-factor authentication (MFA) successfully thwarted these unauthorized access attempts. DigitalOcean terminated its relationship with MailChimp, migrating to an alternative email service provider, and formally notified affected customers of the breach. MailChimp attributed the broader incident to a phishing and social engineering campaign targeting 214 customer accounts, primarily cryptocurrency-related entities like Edge Wallet, Cointelegraph, and Messari. The @arxxwalls.com domain linked to the DigitalOcean compromise had a documented history of abuse in scams, phishing operations, and callback phishing attacks—a hybrid tactic combining fraudulent emails with phone-based social engineering to deploy remote access tools or extortion schemes. This marked the second time in 2022 that MailChimp’s systems were breached to target cryptocurrency customers, following a similar April incident that facilitated phishing campaigns against Trezor hardware wallet users.
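The pattern described above, a single source requesting password resets for many accounts while MFA decides which attempts fail, is straightforward to surface from authentication logs. The following is an added illustration, not code from DigitalOcean or MailChimp; its log format, field names and MFA enrolment table are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not DigitalOcean's or MailChimp's data): one
# password-reset request per line with the requesting source IP.
SAMPLE_LOG = """\
2022-08-08T14:02:11Z password_reset_requested user=alice@example.org src=198.51.100.7
2022-08-08T14:02:13Z password_reset_requested user=bob@example.org src=198.51.100.7
2022-08-08T14:02:15Z password_reset_requested user=carol@example.org src=198.51.100.7
2022-08-08T14:02:20Z password_reset_requested user=erin@example.org src=198.51.100.7
2022-08-08T15:30:00Z password_reset_requested user=frank@example.org src=203.0.113.9
2022-08-09T09:00:00Z password_reset_requested user=alice@example.org src=203.0.113.9
"""
# Constructed MFA enrolment state: only accounts without MFA could actually be
# taken over by a reset link the attacker manages to intercept.
MFA_ENABLED = {"alice@example.org": True, "bob@example.org": True, "carol@example.org": False,
               "erin@example.org": False, "frank@example.org": True}

LINE_RE = re.compile(r"^(?P<ts>\S+) password_reset_requested user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_log(text):
    """Parse log lines into (timestamp, user, source_ip) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["src"]))
    return events

def find_reset_bursts(events, window=timedelta(minutes=10), min_accounts=3):
    """Map each source IP that requested resets for >= min_accounts distinct
    accounts within `window` to the sorted list of accounts it targeted."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, reqs in by_src.items():
        reqs.sort()  # chronological, so a sliding window from each request works
        for i, (start, _) in enumerate(reqs):
            users = {u for t, u in reqs[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[src] = sorted(users)
                break
    return flagged

def accounts_at_risk(flagged, mfa_state):
    """Targeted accounts with no MFA: these need a forced reset and follow-up."""
    return sorted({u for users in flagged.values() for u in users if not mfa_state.get(u, False)})
```

The second source in the sample sends only two requests hours apart and is not flagged; the first targets four accounts in ten seconds, and the two of those without MFA are the ones to contact first.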
