Digital Ocean Mailing List Breach

vyasvyas OGContent Writer
edited August 16 in Industry News

Received from DO:

GDPR aweigh?

Hi there,

On August 8th, 2022, DigitalOcean discovered that our Mailchimp account had been compromised as part of a wider Mailchimp Security Incident. As a result, a number of DigitalOcean customer email addresses may have been viewed by an unauthorized individual.

Impact to you
No customer information other than email address was impacted; however, we recommend increased vigilance against phishing attempts in the coming weeks, in addition to enabling two-factor authentication on your DigitalOcean account. Please review our documentation on two-factor authentication for more information.

Actions we have taken
At DigitalOcean, we take the protection of customer data very seriously, and we sincerely apologize that your email address may have been impacted by this incident. We have migrated our email services to another provider and are completing thorough security reviews to confirm our vendors’ security posture.

For more details on this incident, please read through our latest blog post. We are committed to holding ourselves accountable to our customers and prioritizing protecting your account. We welcome the opportunity to talk through any questions or concerns you may have - just reply to this email.
Sincerely,
DigitalOcean Security

VPS reviews | | MicroLXC | English is my nth language.

Comments

  • Haven't heard of the cited Mailchimp incident. That would be huge.

  • vyasvyas OGContent Writer

    @someTom said:
    Haven't heard of the cited Mailchimp incident. That would be huge.

    Yes, from the DO post:

    We have migrated our email services to another provider

    Looks like Mailchimp Intuit lost a customer. Maybe more down the line

    VPS reviews | | MicroLXC | English is my nth language.

  • aka Mailchump

  • @vyas said: We have migrated our email services to another provider and are completing thorough security reviews to confirm our vendors’ security posture.

    We migrated to another provider, then we will do security reviews on that another provider.
    Fucking 10/10, would leak again.

    Thanked by (2)stevewatson301 hostdare
  • MichaelCeeMichaelCee ModeratorOGServices Provider

    “No customer information other than email address was impacted”

    Nice way to try and polish a turd. Customer information was impacted; it doesn’t matter if it’s just email. Silly people

  • bikegremlinbikegremlin ModeratorOG

    @MichaelCee said:
    “No customer information other than email address was impacted”

    Nice way to try and polish a turd. Customer information was impacted; it doesn’t matter if it’s just email. Silly people

    Really?

    So publicly sharing your bank account, home address, full name etc, would be the same as publicly sharing your email address?

    Thanked by (2)lentro mwt

    I can't tell you which hosting to buy, but I've written in great detail about the providers I've used so far:
    BikeGremlin web-hosting reviews

  • MichaelCeeMichaelCee ModeratorOGServices Provider

    @bikegremlin said:

    @MichaelCee said:
    “No customer information other than email address was impacted”

    Nice way to try and polish a turd. Customer information was impacted; it doesn’t matter if it’s just email. Silly people

    Really?

    So publicly sharing your bank account, home address, full name etc, would be the same as publicly sharing your email address?

    Every bit of data is different, but there’s no comfort in “don’t worry it was only your email address” IMO

  • Or to spin it another way - they send emails, the only information they have is your email address. So, the other way of saying "nothing was leaked apart from your email address" is "every piece of personal data we were entrusted to look after was leaked".

    Thanked by (1)MichaelCee
  • bikegremlinbikegremlin ModeratorOG

    @MichaelCee said:

    @bikegremlin said:

    @MichaelCee said:
    “No customer information other than email address was impacted”

    Nice way to try and polish a turd. Customer information was impacted; it doesn’t matter if it’s just email. Silly people

    Really?

    So publicly sharing your bank account, home address, full name etc, would be the same as publicly sharing your email address?

    Every bit of data is different, but there’s no comfort in “don’t worry it was only your email address” IMO

    As far as I'm concerned, if that's really the case, it's as comforting as possible (compared to other data being leaked).

    Thanked by (3)MichaelCee lentro Erisa

    I can't tell you which hosting to buy, but I've written in great detail about the providers I've used so far:
    BikeGremlin web-hosting reviews

  • @bikegremlin said:

    @MichaelCee said:

    @bikegremlin said:

    @MichaelCee said:
    “No customer information other than email address was impacted”

    Nice way to try and polish a turd. Customer information was impacted; it doesn’t matter if it’s just email. Silly people

    Really?

    So publicly sharing your bank account, home address, full name etc, would be the same as publicly sharing your email address?

    Every bit of data is different, but there’s no comfort in “don’t worry it was only your email address” IMO

    As far as I'm concerned, if that's really the case, it's as comforting as possible (compared to other data being leaked).

    I get what you mean, I think @MichaelCee is annoyed at the attempt to play down what is still a breach of data as opposed to weighing each by merit.

    Me personally, I'm quite offended by the attempt to spin it as "just" an email addresss

    I sometimes worry that I'm so correct in all I say, that there might be something wrong with me

  • @MichaelCee said:

    @bikegremlin said:

    @MichaelCee said:
    “No customer information other than email address was impacted”

    Nice way to try and polish a turd. Customer information was impacted; it doesn’t matter if it’s just email. Silly people

    Really?

    So publicly sharing your bank account, home address, full name etc, would be the same as publicly sharing your email address?

    Every bit of data is different, but there’s no comfort in “don’t worry it was only your email address” IMO

    this

    Thanked by (1)MichaelCee
  • So, they entrusted email to another entity. The said entity has had a leak. They blame that entity and moves to a new entity.

    I am sure the new entity will have a leak at one point. Then I guess they will move to another.

    Bottom line, they hate taking on responsibilities, yeah?

    Thanked by (3)MichaelCee Ironia hostdare

    ♻ Amitz day is October 21.
    ♻ Join Nigh sect by adopting my avatar. Let us spread the joys of the end.

  • bikegremlinbikegremlin ModeratorOG

    @deank said:
    So, they entrusted email to another entity. The said entity has had a leak. They blame that entity and moves to a new entity.

    I am sure the new entity will have a leak at one point. Then I guess they will move to another.

    Bottom line, they hate taking on responsibilities, yeah?

    That's the spirit of the times.

    It'll get worse.

    I can't tell you which hosting to buy, but I've written in great detail about the providers I've used so far:
    BikeGremlin web-hosting reviews

  • vyasvyas OGContent Writer

    @chris said:

    @bikegremlin said:

    @MichaelCee said:

    @bikegremlin said:

    @MichaelCee said:
    “No customer information other than email address was impacted”

    Nice way to try and polish a turd. Customer information was impacted; it doesn’t matter if it’s just email. Silly people

    Really?

    So publicly sharing your bank account, home address, full name etc, would be the same as publicly sharing your email address?

    Every bit of data is different, but there’s no comfort in “don’t worry it was only your email address” IMO

    As far as I'm concerned, if that's really the case, it's as comforting as possible (compared to other data being leaked).

    I get what you mean, I think @MichaelCee is annoyed at the attempt to play down what is still a breach of data as opposed to weighing each by merit.

    Me personally, I'm quite offended by the attempt to spin it as "just" an email addresss

    I was quite enjoying the Spy Versus Spy er.. Mod versus Mod discussion till you stepped in and spoiled the show.

    VPS reviews | | MicroLXC | English is my nth language.

  • bikegremlinbikegremlin ModeratorOG

    @vyas said:

    @chris said:

    @bikegremlin said:

    @MichaelCee said:

    @bikegremlin said:

    @MichaelCee said:
    “No customer information other than email address was impacted”

    Nice way to try and polish a turd. Customer information was impacted; it doesn’t matter if it’s just email. Silly people

    Really?

    So publicly sharing your bank account, home address, full name etc, would be the same as publicly sharing your email address?

    Every bit of data is different, but there’s no comfort in “don’t worry it was only your email address” IMO

    As far as I'm concerned, if that's really the case, it's as comforting as possible (compared to other data being leaked).

    I get what you mean, I think @MichaelCee is annoyed at the attempt to play down what is still a breach of data as opposed to weighing each by merit.

    Me personally, I'm quite offended by the attempt to spin it as "just" an email addresss

    I was quite enjoying the Spy Versus Spy er.. Mod versus Mod discussion till you stepped in and spoiled the show.

    Here - enjoy the highlights - the LES mod team showdown: :)

    Thanked by (2)vyas MichaelCee

    I can't tell you which hosting to buy, but I've written in great detail about the providers I've used so far:
    BikeGremlin web-hosting reviews

  • vyasvyas OGContent Writer

    @bikegremlin said:

    @vyas said:

    @chris said:

    @bikegremlin said:

    @MichaelCee said:

    @bikegremlin said:

    @MichaelCee said:
    “No customer information other than email address was impacted”

    Nice way to try and polish a turd. Customer information was impacted; it doesn’t matter if it’s just email. Silly people

    Really?

    So publicly sharing your bank account, home address, full name etc, would be the same as publicly sharing your email address?

    Every bit of data is different, but there’s no comfort in “don’t worry it was only your email address” IMO

    As far as I'm concerned, if that's really the case, it's as comforting as possible (compared to other data being leaked).

    I get what you mean, I think @MichaelCee is annoyed at the attempt to play down what is still a breach of data as opposed to weighing each by merit.

    Me personally, I'm quite offended by the attempt to spin it as "just" an email addresss

    I was quite enjoying the Spy Versus Spy er.. Mod versus Mod discussion till you stepped in and spoiled the show.

    Here - enjoy the highlights - the LES mod team showdown: :)

    Two mods I can guess, who are the other two? Stealth Mods?

    VPS reviews | | MicroLXC | English is my nth language.

  • bikegremlinbikegremlin ModeratorOG

    @vyas said:

    @bikegremlin said:

    @vyas said:

    @chris said:

    @bikegremlin said:

    @MichaelCee said:

    @bikegremlin said:

    @MichaelCee said:
    “No customer information other than email address was impacted”

    Nice way to try and polish a turd. Customer information was impacted; it doesn’t matter if it’s just email. Silly people

    Really?

    So publicly sharing your bank account, home address, full name etc, would be the same as publicly sharing your email address?

    Every bit of data is different, but there’s no comfort in “don’t worry it was only your email address” IMO

    As far as I'm concerned, if that's really the case, it's as comforting as possible (compared to other data being leaked).

    I get what you mean, I think @MichaelCee is annoyed at the attempt to play down what is still a breach of data as opposed to weighing each by merit.

    Me personally, I'm quite offended by the attempt to spin it as "just" an email addresss

    I was quite enjoying the Spy Versus Spy er.. Mod versus Mod discussion till you stepped in and spoiled the show.

    Here - enjoy the highlights - the LES mod team showdown: :)

    Two mods I can guess, who are the other two? Stealth Mods?

    Well, they said they're from the LES mod/admin team...

    I can't tell you which hosting to buy, but I've written in great detail about the providers I've used so far:
    BikeGremlin web-hosting reviews

  • vyasvyas OGContent Writer
    edited August 16

    @bikegremlin said:

    @vyas said:

    @bikegremlin said:

    @vyas said:

    @chris said:

    @bikegremlin said:

    @MichaelCee said:

    @bikegremlin said:

    @MichaelCee said:
    “No customer information other than email address was impacted”

    Nice way to try and polish a turd. Customer information was impacted; it doesn’t matter if it’s just email. Silly people

    Really?

    So publicly sharing your bank account, home address, full name etc, would be the same as publicly sharing your email address?

    Every bit of data is different, but there’s no comfort in “don’t worry it was only your email address” IMO

    As far as I'm concerned, if that's really the case, it's as comforting as possible (compared to other data being leaked).

    I get what you mean, I think @MichaelCee is annoyed at the attempt to play down what is still a breach of data as opposed to weighing each by merit.

    Me personally, I'm quite offended by the attempt to spin it as "just" an email addresss

    I was quite enjoying the Spy Versus Spy er.. Mod versus Mod discussion till you stepped in and spoiled the show.

    Here - enjoy the highlights - the LES mod team showdown: :)

    Two mods I can guess, who are the other two? Stealth Mods?

    Well, they said they're from the LES mod/admin team...

    Unless @ehab joined the Mod team recently, the 'heavy roller' int he video poses a conundrum. ( to use a term from cricket)

    VPS reviews | | MicroLXC | English is my nth language.

  • @vyas said:

    @chris said:

    @bikegremlin said:

    @MichaelCee said:

    @bikegremlin said:

    @MichaelCee said:
    “No customer information other than email address was impacted”

    Nice way to try and polish a turd. Customer information was impacted; it doesn’t matter if it’s just email. Silly people

    Really?

    So publicly sharing your bank account, home address, full name etc, would be the same as publicly sharing your email address?

    Every bit of data is different, but there’s no comfort in “don’t worry it was only your email address” IMO

    As far as I'm concerned, if that's really the case, it's as comforting as possible (compared to other data being leaked).

    I get what you mean, I think @MichaelCee is annoyed at the attempt to play down what is still a breach of data as opposed to weighing each by merit.

    Me personally, I'm quite offended by the attempt to spin it as "just" an email addresss

    I was quite enjoying the Spy Versus Spy er.. Mod versus Mod discussion till you stepped in and spoiled the show.

    I'm secretly paid to be the ref - these two are often ready to get the gloves 🤣

    I sometimes worry that I'm so correct in all I say, that there might be something wrong with me

  • @someTom said:
    Haven't heard of the cited Mailchimp incident. That would be huge.

    Mailchimp is trying to cover it up. Their post never actually says they were breached but they haven't denied DO's statement that they were.

  • vyasvyas OGContent Writer

    And now.. presenting..

    Breach at Signal!

    1900 numbers exposed.
    https://techcrunch.com/2022/08/15/signal-phone-number-exposed-twilio/

    Bring on the Wrestlers

    Thanked by (2)MichaelCee bikegremlin

    VPS reviews | | MicroLXC | English is my nth language.

  • I've cancelled my account and asked for my data to be removed following this - I'm more annoying about the bs than the event

    I sometimes worry that I'm so correct in all I say, that there might be something wrong with me

  • vyasvyas OGContent Writer
    edited August 17

    @chris said:
    I've cancelled my account and asked for my data to be removed following this - I'm more annoying about the bs than the event

    Which account?

    Mailchimp
    Digital Ocean
    Signal
    or
    Twillio?

    They are all peas in a pod.

    p.s: LES can also be annoying with BS at times. So that also should be added to the above list.

    VPS reviews | | MicroLXC | English is my nth language.

  • Surprised they used an external emailer

  • jarlandjarland Hosting ProviderOG
    edited August 18

    @corbpie said:
    Surprised they used an external emailer

    It's a pretty big savings actually. The number of IPs needed to run their mailings, and the amount of effort you should put into the infrastructure and IP reputation, it would be more expensive to do it in house at their size. When I left there was still only one person who cared about the root domain's SPF record, mail was just totally delegated.

    All the marketing, the sales, the transactional, it's just obscene the number of emails leaving that platform. Though MailChimp was never explicitly chosen, just rode out the change from Mandrill merging back in.

    Thanked by (2)vyas bikegremlin

    Hate radiates from the source. If you look around and see it everywhere, it's coming from you.

  • vyasvyas OGContent Writer
    edited August 18

    Easier sale for customers/investors too ..
    I suppose?

    “We use best in class or industry leading SaaS tools for our operations “

    Versus
    “We use in house tools based on advanced, propereitory (or open source) protocol s”

    @jarland said:

    @corbpie said:
    Surprised they used an external emailer

    It's a pretty big savings actually. The number of IPs needed to run their mailings, and the amount of effort you should put into the infrastructure and IP reputation, it would be more expensive to do it in house at their size. When I left there was still only one person who cared about the root domain's SPF record, mail was just totally delegated.

    All the marketing, the sales, the transactional, it's just obscene the number of emails leaving that platform. Though MailChimp was never explicitly chosen, just rode out the change from Mandrill merging back in.

    Thanked by (1)jarland

    VPS reviews | | MicroLXC | English is my nth language.

  • jarlandjarland Hosting ProviderOG

    @vyas said: Easier sale for customers/investors too ..

    There is something to be said for generating revenue with minimal tech debt.

    Thanked by (1)vyas

    Hate radiates from the source. If you look around and see it everywhere, it's coming from you.

  • bikegremlinbikegremlin ModeratorOG

    @vyas said:
    Easier sale for customers/investors too ..
    I suppose?

    “We use best in class or industry leading SaaS tools for our operations “

    Versus
    “We use in house tools based on advanced, propereitory (or open source) protocol s”

    @jarland said:

    @corbpie said:
    Surprised they used an external emailer

    It's a pretty big savings actually. The number of IPs needed to run their mailings, and the amount of effort you should put into the infrastructure and IP reputation, it would be more expensive to do it in house at their size. When I left there was still only one person who cared about the root domain's SPF record, mail was just totally delegated.

    All the marketing, the sales, the transactional, it's just obscene the number of emails leaving that platform. Though MailChimp was never explicitly chosen, just rode out the change from Mandrill merging back in.

    Old and not entirely spot on, but you know the saying:
    "No one got fired for buying IBM."

    Thanked by (2)vyas mwt

    I can't tell you which hosting to buy, but I've written in great detail about the providers I've used so far:
    BikeGremlin web-hosting reviews

  • If there was a MailChimp-wide security incident, I don't see how DO could be to blame here. I don't want to be all "nobody gets fired for buying IBM" here, but using MailChimp for communications isn't unusual.

    Thanked by (1)jarland
  • jarlandjarland Hosting ProviderOG
    edited August 20

    @mwt said:
    If there was a MailChimp-wide security incident, I don't see how DO could be to blame here. I don't want to be all "nobody gets fired for buying IBM" here, but using MailChimp for communications isn't unusual.

    I'd personally like a step before it. If there was a MailChimp security incident, I'd like to see an actual disclosure. I get that such can't always happen right away but typically when it can't happen, because companies are working with law enforcement, they keep their mouths shut about it entirely. Just saying there was an incident and then not saying anything else for this much time, that's just painful.

    At the very least I feel like if you're going that far and can't go further, you oughta say something to that effect like "We cannot say anything more at this time, and we believe that you will consider the reason for that to be both understandable and respectable as we are able to speak more on the matter." Just off the top of my head.

    Thanked by (2)bikegremlin mwt

    Hate radiates from the source. If you look around and see it everywhere, it's coming from you.

Sign In or Register to comment.