Digital Ocean Mailing List Breach

vyas (OG, Senpai)
edited August 2022 in Industry News

Received from DO:

GDPR aweigh?

Hi there,

On August 8th, 2022, DigitalOcean discovered that our Mailchimp account had been compromised as part of a wider Mailchimp Security Incident. As a result, a number of DigitalOcean customer email addresses may have been viewed by an unauthorized individual.

Impact to you
No customer information other than email address was impacted; however, we recommend increased vigilance against phishing attempts in the coming weeks, in addition to enabling two-factor authentication on your DigitalOcean account. Please review our documentation on two-factor authentication for more information.

Actions we have taken
At DigitalOcean, we take the protection of customer data very seriously, and we sincerely apologize that your email address may have been impacted by this incident. We have migrated our email services to another provider and are completing thorough security reviews to confirm our vendors’ security posture.

For more details on this incident, please read through our latest blog post. We are committed to holding ourselves accountable to our customers and prioritizing protecting your account. We welcome the opportunity to talk through any questions or concerns you may have - just reply to this email.
Sincerely,
DigitalOcean Security

Comments

  • Haven't heard of the cited Mailchimp incident. That would be huge.

  • vyas (OG, Senpai)

    @someTom said:
    Haven't heard of the cited Mailchimp incident. That would be huge.

    Yes, from the DO post:

    We have migrated our email services to another provider

    Looks like Mailchimp Intuit lost a customer. Maybe more down the line

  • aka Mailchump

  • Jab (Senpai)

    @vyas said: We have migrated our email services to another provider and are completing thorough security reviews to confirm our vendors’ security posture.

    We migrated to another provider, then we will do security reviews on that another provider.
    Fucking 10/10, would leak again.

    Thanked by (2): pikachu, hostdare

    Haven't bought a single service in VirMach Great Ryzen 2022 - 2023 Flash Sale.

  • MichaelCee (Hosting Provider, OG, Services Provider)

    “No customer information other than email address was impacted”

    Nice way to try and polish a turd. Customer information was impacted; it doesn’t matter if it’s just email. Silly people

  • bikegremlin (Moderator, OG, Content Writer)

    @MichaelCee said:
    “No customer information other than email address was impacted”

    Nice way to try and polish a turd. Customer information was impacted; it doesn’t matter if it’s just email. Silly people

    Really?

    So publicly sharing your bank account, home address, full name etc, would be the same as publicly sharing your email address?

    Thanked by (2): lentro, mwt

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • MichaelCee (Hosting Provider, OG, Services Provider)

    @bikegremlin said:

    @MichaelCee said:
    “No customer information other than email address was impacted”

    Nice way to try and polish a turd. Customer information was impacted; it doesn’t matter if it’s just email. Silly people

    Really?

    So publicly sharing your bank account, home address, full name etc, would be the same as publicly sharing your email address?

    Every bit of data is different, but there’s no comfort in “don’t worry it was only your email address” IMO

  • Or to spin it another way - they send emails, the only information they have is your email address. So, the other way of saying "nothing was leaked apart from your email address" is "every piece of personal data we were entrusted to look after was leaked".

    Thanked by (1): MichaelCee
  • bikegremlin (Moderator, OG, Content Writer)

    @MichaelCee said:
    Every bit of data is different, but there’s no comfort in “don’t worry it was only your email address” IMO

    As far as I'm concerned, if that's really the case, it's as comforting as possible (compared to other data being leaked).

    Thanked by (3): MichaelCee, lentro, Erisa


  • @bikegremlin said:
    As far as I'm concerned, if that's really the case, it's as comforting as possible (compared to other data being leaked).

    I get what you mean, I think @MichaelCee is annoyed at the attempt to play down what is still a breach of data as opposed to weighing each by merit.

    Me personally, I'm quite offended by the attempt to spin it as "just" an email address

    ───────────────────────────────────
    🌐 Blesta.club - Blesta Modules, Plugins, Gateways and more
    💬 Join our community today and start your journey!
    ───────────────────────────────────

  • @MichaelCee said:
    Every bit of data is different, but there’s no comfort in “don’t worry it was only your email address” IMO

    this

    Thanked by (1): MichaelCee
  • So, they entrusted email to another entity. The said entity has had a leak. They blame that entity and move to a new entity.

    I am sure the new entity will have a leak at one point. Then I guess they will move to another.

    Bottom line, they hate taking on responsibilities, yeah?

    Thanked by (3): MichaelCee, Ironia, hostdare

    ♻ Amitz day is October 21.
    ♻ Join Nigh sect by adopting my avatar. Let us spread the joys of the end.

  • bikegremlin (Moderator, OG, Content Writer)

    @deank said:
    So, they entrusted email to another entity. The said entity has had a leak. They blame that entity and move to a new entity.

    I am sure the new entity will have a leak at one point. Then I guess they will move to another.

    Bottom line, they hate taking on responsibilities, yeah?

    That's the spirit of the times.

    It'll get worse.


  • vyas (OG, Senpai)

    @chris said:
    I get what you mean, I think @MichaelCee is annoyed at the attempt to play down what is still a breach of data as opposed to weighing each by merit.

    Me personally, I'm quite offended by the attempt to spin it as "just" an email address

    I was quite enjoying the Spy Versus Spy er.. Mod versus Mod discussion till you stepped in and spoiled the show.

  • bikegremlin (Moderator, OG, Content Writer)

    @vyas said:
    I was quite enjoying the Spy Versus Spy er.. Mod versus Mod discussion till you stepped in and spoiled the show.

    Here - enjoy the highlights - the LES mod team showdown: :)

    Thanked by (2): vyas, MichaelCee


  • vyas (OG, Senpai)

    @bikegremlin said:
    Here - enjoy the highlights - the LES mod team showdown: :)

    Two mods I can guess, who are the other two? Stealth Mods?

  • bikegremlin (Moderator, OG, Content Writer)

    @vyas said:
    Two mods I can guess, who are the other two? Stealth Mods?

    Well, they said they're from the LES mod/admin team...


  • vyas (OG, Senpai)
    edited August 2022

    @bikegremlin said:
    Well, they said they're from the LES mod/admin team...

    Unless @ehab joined the Mod team recently, the 'heavy roller' in the video poses a conundrum (to use a term from cricket).

  • @vyas said:
    I was quite enjoying the Spy Versus Spy er.. Mod versus Mod discussion till you stepped in and spoiled the show.

    I'm secretly paid to be the ref - these two are often ready to get the gloves 🤣


  • @someTom said:
    Haven't heard of the cited Mailchimp incident. That would be huge.

    Mailchimp is trying to cover it up. Their post never actually says they were breached but they haven't denied DO's statement that they were.

  • vyas (OG, Senpai)

    And now.. presenting..

    Breach at Signal!

    1900 numbers exposed.
    https://techcrunch.com/2022/08/15/signal-phone-number-exposed-twilio/

    Bring on the Wrestlers

    Thanked by (2): MichaelCee, bikegremlin
  • I've cancelled my account and asked for my data to be removed following this - I'm more annoyed about the bs than the event


  • vyas (OG, Senpai)
    edited August 2022

    @chris said:
    I've cancelled my account and asked for my data to be removed following this - I'm more annoyed about the bs than the event

    Which account?

    Mailchimp
    Digital Ocean
    Signal
    or
    Twilio?

    They are all peas in a pod.

    p.s: LES can also be annoying with BS at times. So that also should be added to the above list.

  • Surprised they used an external emailer

  • jarland (Hosting Provider, OG)
    edited August 2022

    @corbpie said:
    Surprised they used an external emailer

    It's a pretty big savings actually. The number of IPs needed to run their mailings, and the amount of effort you should put into the infrastructure and IP reputation, it would be more expensive to do it in house at their size. When I left there was still only one person who cared about the root domain's SPF record, mail was just totally delegated.

    All the marketing, the sales, the transactional, it's just obscene the number of emails leaving that platform. Though MailChimp was never explicitly chosen, just rode out the change from Mandrill merging back in.

    Thanked by (2): vyas, bikegremlin

    Do everything as though everyone you’ll ever know is watching.
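
The delegation @jarland describes above (the sending domain's SPF record handing authority to outside providers, with nobody in house watching it) is exactly the supply-chain exposure this thread is about, and the first check after an incident like this is which third parties are still authorised to send as your domain. What follows is an added example, not DigitalOcean's, Mailchimp's or any poster's code: a small Python SPF walker that expands include:/redirect= chains, lists the vendor zones and IP ranges the domain delegates to, counts DNS-lookup terms against the RFC 7208 limit of ten, and flags an included record that ends in "+all" (which makes the include match for any sender on the internet). The hoster.example records it resolves are constructed in an in-memory table (every name and address is made up from .example names and documentation ranges) so the script runs offline; swapping the table lookup for a live TXT query is left to the reader.

```python
"""Added example: audit which third parties a domain's SPF record delegates to.

Everything here is illustrative. The domains and addresses in SAMPLE_TXT are
constructed (.example names, documentation ranges) and are resolved from an
in-memory table rather than live DNS, so the script runs offline.
"""
import re
from dataclasses import dataclass, field

# Terms that cost a DNS lookup during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed stand-in for DNS TXT answers. Not real records.
SAMPLE_TXT = {
    "hoster.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.hoster.example "
                      "include:spf.bulkmailer.example include:spf.txmail.example -all",
    "_spf.hoster.example": "v=spf1 mx ip4:198.51.100.0/25 -all",
    "spf.bulkmailer.example": "v=spf1 include:_net1.bulkmailer.example include:_net2.bulkmailer.example ~all",
    "_net1.bulkmailer.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_net2.bulkmailer.example": "v=spf1 ip6:2001:db8:10::/48 ~all",
    # Sloppy vendor record: "+all" inside an include makes the include match for any sender.
    "spf.txmail.example": "v=spf1 ip4:192.0.2.128/26 +all",
}

# qualifier, mechanism/modifier name, optional argument after ':' or '='
TERM_RE = re.compile(r"([+\-~?]?)([A-Za-z0-9]+)(?:[:=](.+))?")


@dataclass
class SpfAudit:
    networks: list = field(default_factory=list)       # (cidr, record that listed it)
    third_parties: list = field(default_factory=list)  # vendor zones our own records hand off to
    lookups: int = 0
    warnings: list = field(default_factory=list)


def _in_zone(name, root):
    return name == root or name.endswith("." + root)


def _walk(domain, table, audit, seen, root):
    d = domain.lower()
    if d in seen:
        audit.warnings.append(f"{d}: already evaluated (duplicate or looping include)")
        return audit
    seen.add(d)
    rec = table.get(d)
    if rec is None:
        audit.warnings.append(f"{d}: no SPF record (an include of it is a permerror)")
        return audit
    terms = rec.split()
    if not terms or terms[0].lower() != "v=spf1":
        audit.warnings.append(f"{d}: TXT record is not v=spf1")
        return audit
    for term in terms[1:]:
        m = TERM_RE.fullmatch(term)
        if not m:
            audit.warnings.append(f"{d}: cannot parse term {term!r}")
            continue
        qual, mech, arg = (m.group(1) or "+"), m.group(2).lower(), m.group(3)
        if mech in LOOKUP_TERMS:
            audit.lookups += 1
        if mech in ("ip4", "ip6") and arg:
            audit.networks.append((arg, d))
        elif mech in ("include", "redirect"):
            if not arg:
                audit.warnings.append(f"{d}: {mech} without a target")
                continue
            target = arg.lower()
            # Report only the zone we hand off to, not every hop inside the vendor's own tree.
            # redirect= is treated like include here; for an inventory that is close enough.
            if _in_zone(d, root) and not _in_zone(target, root):
                audit.third_parties.append(target)
            _walk(target, table, audit, seen, root)
        elif mech == "all" and qual == "+":
            audit.warnings.append(f"{d}: '+all' authorises any sender as {root}")
        elif mech == "all" and qual == "?":
            audit.warnings.append(f"{d}: '?all' is neutral, so this record rejects nothing")
    return audit


def audit_domain(domain, table=SAMPLE_TXT):
    """Expand the SPF record of `domain` and return an SpfAudit summary."""
    root = domain.lower()
    audit = _walk(root, table, SpfAudit(), set(), root)
    if audit.lookups > MAX_LOOKUPS:
        audit.warnings.append(f"{audit.lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS} (permerror)")
    return audit


if __name__ == "__main__":
    result = audit_domain("hoster.example")
    print("delegated to:", ", ".join(result.third_parties))
    for cidr, origin in result.networks:
        print(f"  {cidr:<22} via {origin}")
    print(f"lookup terms: {result.lookups}/{MAX_LOOKUPS}")
    for w in result.warnings:
        print("WARNING:", w)
```

Run against the constructed table it reports two vendor zones (spf.bulkmailer.example and spf.txmail.example), five networks, six lookup terms and one warning for the vendor's "+all". The point of the third_parties list is that it is the answer to "who else can send as us" after a vendor compromise; the point of the lookup count is that adding one more vendor to a record near the limit of ten silently turns every SPF check into a permerror.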

  • vyas (OG, Senpai)
    edited August 2022

    Easier sale for customers/investors too ..
    I suppose?

    “We use best in class or industry leading SaaS tools for our operations “

    Versus
    “We use in house tools based on advanced, proprietary (or open source) protocols”

    @jarland said:
    It's a pretty big savings actually. The number of IPs needed to run their mailings, and the amount of effort you should put into the infrastructure and IP reputation, it would be more expensive to do it in house at their size.

    Thanked by (1): jarland
  • jarland (Hosting Provider, OG)

    @vyas said: Easier sale for customers/investors too ..

    There is something to be said for generating revenue with minimal tech debt.

    Thanked by (1): vyas


  • bikegremlin (Moderator, OG, Content Writer)

    @vyas said:
    Easier sale for customers/investors too ..
    I suppose?

    “We use best in class or industry leading SaaS tools for our operations “

    Versus
    “We use in house tools based on advanced, proprietary (or open source) protocols”

    Old and not entirely spot on, but you know the saying:
    "No one got fired for buying IBM."

    Thanked by (2): vyas, mwt


  • If there was a MailChimp-wide security incident, I don't see how DO could be to blame here. I don't want to be all "nobody gets fired for buying IBM" here, but using MailChimp for communications isn't unusual.

    Thanked by (1): jarland
  • jarland (Hosting Provider, OG)
    edited August 2022

    @mwt said:
    If there was a MailChimp-wide security incident, I don't see how DO could be to blame here. I don't want to be all "nobody gets fired for buying IBM" here, but using MailChimp for communications isn't unusual.

    I'd personally like a step before it. If there was a MailChimp security incident, I'd like to see an actual disclosure. I get that such can't always happen right away but typically when it can't happen, because companies are working with law enforcement, they keep their mouths shut about it entirely. Just saying there was an incident and then not saying anything else for this much time, that's just painful.

    At the very least I feel like if you're going that far and can't go further, you oughta say something to that effect like "We cannot say anything more at this time, and we believe that you will consider the reason for that to be both understandable and respectable as we are able to speak more on the matter." Just off the top of my head.

    Thanked by (2): bikegremlin, mwt

