Digital Ocean Mailing List Breach
vyas
OGRetired
Received from DO:
GDPR aweigh?
Hi there,
On August 8th, 2022, DigitalOcean discovered that our Mailchimp account had been compromised as part of a wider Mailchimp Security Incident. As a result, a number of DigitalOcean customer email addresses may have been viewed by an unauthorized individual.
Impact to you
No customer information other than email address was impacted; however, we recommend increased vigilance against phishing attempts in the coming weeks, in addition to enabling two-factor authentication on your DigitalOcean account. Please review our documentation on two-factor authentication for more information.Actions we have taken
At DigitalOcean, we take the protection of customer data very seriously, and we sincerely apologize that your email address may have been impacted by this incident. We have migrated our email services to another provider and are completing thorough security reviews to confirm our vendors’ security posture.For more details on this incident, please read through our latest blog post. We are committed to holding ourselves accountable to our customers and prioritizing protecting your account. We welcome the opportunity to talk through any questions or concerns you may have - just reply to this email.
Sincerely,
DigitalOcean Security
Comments
Haven't heard of the cited Mailchimp incident. That would be huge.
Yes, from the DO post:
Looks like Mailchimp Intuit lost a customer. Maybe more down the line
VPS reviews and benchmarks |
aka Mailchump
We migrated to another provider, then we will do security reviews on that another provider.
Fucking 10/10, would leak again.
Haven't bought a single service in VirMach Great Ryzen 2022 - 2023 Flash Sale.
https://lowendspirit.com/uploads/editor/gi/ippw0lcmqowk.png
“No customer information other than email address was impacted”
Nice way to try and polish a turd. Customer information was impacted; it doesn’t matter if it’s just email. Silly people
MichaelCee
Really?
So publicly sharing your bank account, home address, full name etc, would be the same as publicly sharing your email address?
Detailed info about providers whose services I've used:
BikeGremlin web-hosting reviews
Every bit of data is different, but there’s no comfort in “don’t worry it was only your email address” IMO
MichaelCee
Or to spin it another way - they send emails, the only information they have is your email address. So, the other way of saying "nothing was leaked apart from your email address" is "every piece of personal data we were entrusted to look after was leaked".
As far as I'm concerned, if that's really the case, it's as comforting as possible (compared to other data being leaked).
Detailed info about providers whose services I've used:
BikeGremlin web-hosting reviews
I get what you mean, I think @MichaelCee is annoyed at the attempt to play down what is still a breach of data as opposed to weighing each by merit.
Me personally, I'm quite offended by the attempt to spin it as "just" an email addresss
Chris on https://hostingforums.net/
this
So, they entrusted email to another entity. The said entity has had a leak. They blame that entity and moves to a new entity.
I am sure the new entity will have a leak at one point. Then I guess they will move to another.
Bottom line, they hate taking on responsibilities, yeah?
♻ Amitz day is October 21.
♻ Join Nigh sect by adopting my avatar. Let us spread the joys of the end.
That's the spirit of the times.
It'll get worse.
Detailed info about providers whose services I've used:
BikeGremlin web-hosting reviews
I was quite enjoying the Spy Versus Spy er.. Mod versus Mod discussion till you stepped in and spoiled the show.
VPS reviews and benchmarks |
Here - enjoy the highlights - the LES mod team showdown:
Detailed info about providers whose services I've used:
BikeGremlin web-hosting reviews
Two mods I can guess, who are the other two? Stealth Mods?
VPS reviews and benchmarks |
Well, they said they're from the LES mod/admin team...
Detailed info about providers whose services I've used:
BikeGremlin web-hosting reviews
Unless @ehab joined the Mod team recently, the 'heavy roller' int he video poses a conundrum. ( to use a term from cricket)
VPS reviews and benchmarks |
I'm secretly paid to be the ref - these two are often ready to get the gloves 🤣
Chris on https://hostingforums.net/
Mailchimp is trying to cover it up. Their post never actually says they were breached but they haven't denied DO's statement that they were.
And now.. presenting..
Breach at Signal!
1900 numbers exposed.
https://techcrunch.com/2022/08/15/signal-phone-number-exposed-twilio/
Bring on the Wrestlers
VPS reviews and benchmarks |
I've cancelled my account and asked for my data to be removed following this - I'm more annoying about the bs than the event
Chris on https://hostingforums.net/
Which account?
Mailchimp
Digital Ocean
Signal
or
Twillio?
They are all peas in a pod.
p.s: LES can also be annoying with BS at times. So that also should be added to the above list.
VPS reviews and benchmarks |
Surprised they used an external emailer
It's a pretty big savings actually. The number of IPs needed to run their mailings, and the amount of effort you should put into the infrastructure and IP reputation, it would be more expensive to do it in house at their size. When I left there was still only one person who cared about the root domain's SPF record, mail was just totally delegated.
All the marketing, the sales, the transactional, it's just obscene the number of emails leaving that platform. Though MailChimp was never explicitly chosen, just rode out the change from Mandrill merging back in.
Hate radiates from the source. If you look around and see it everywhere, it's coming from you.
Easier sale for customers/investors too ..
I suppose?
“We use best in class or industry leading SaaS tools for our operations “
Versus
“We use in house tools based on advanced, propereitory (or open source) protocol s”
VPS reviews and benchmarks |
There is something to be said for generating revenue with minimal tech debt.
Hate radiates from the source. If you look around and see it everywhere, it's coming from you.
Old and not entirely spot on, but you know the saying:
"No one got fired for buying IBM."
Detailed info about providers whose services I've used:
BikeGremlin web-hosting reviews
If there was a MailChimp-wide security incident, I don't see how DO could be to blame here. I don't want to be all "nobody gets fired for buying IBM" here, but using MailChimp for communications isn't unusual.
I'd personally like a step before it. If there was a MailChimp security incident, I'd like to see an actual disclosure. I get that such can't always happen right away but typically when it can't happen, because companies are working with law enforcement, they keep their mouths shut about it entirely. Just saying there was an incident and then not saying anything else for this much time, that's just painful.
At the very least I feel like if you're going that far and can't go further, you oughta say something to that effect like "We cannot say anything more at this time, and we believe that you will consider the reason for that to be both understandable and respectable as we are able to speak more on the matter." Just off the top of my head.
Hate radiates from the source. If you look around and see it everywhere, it's coming from you.