Customers of SendGrid, the cloud-based email platform used to deliver over 18 billion emails each month, are advised to change their passwords and enable two-factor authentication (2FA) on their accounts following a data breach.
On April 9, the New York Times reported that the SendGrid account of Bitcoin wallet service Coinbase was hijacked and used to send out phishing emails designed to trick recipients into transferring their Bitcoins to the cybercrooks. Initially, NYT reported that SendGrid had suffered a platform-wide breach, but the publication later updated its article, at the request of SendGrid, to clarify that it was just an isolated attack.
On Monday, after further analyzing the incident with the aid of law enforcement and FireEye-owned Mandiant, SendGrid revealed that an employee’s account had been compromised and used to access several internal systems on three occasions in February and March.
According to the mass email service, the compromised systems stored usernames, email addresses, and passwords (hashed and salted) belonging to SendGrid employees and customers. The attackers also accessed servers containing customer contact information and email address lists. Payment information is not at risk because the company doesn’t store or process customer payment card data.
SendGrid says it hasn’t found any forensic evidence to suggest that email lists and contact information has been stolen, but the company is resetting all user passwords as a precaution. Customers are also advised to enable 2FA on their accounts to prevent unauthorized logins.
Customers who use custom DKIM keys for sending out emails have been instructed to generate new keys through the SendGrid interface and update their DNS records to reflect the change. Those who are required to take this step, roughly 600 customers, should receive an email with additional instructions.
“Upon discovery, we took immediate actions to block all unauthorized access and deployed additional processes and controls to better protect our customers, our employees, and our platform. We have been working in collaboration with law enforcement and FireEye’s (Mandiant) Incident Response Team to thoroughly investigate this incident and are taking a number of additional actions to increase our system security,” David Campbell, SendGrid CSO, said in a blog post on Monday.
“The first step is to work with our customers to ensure they have taken all the appropriate precautions to protect themselves,” Campbell added. “We are also developing new features that will improve the security of our platform including API keys, IP whitelisting and enhanced two factor authentication.”