SendGrid, an email marketing service used by tens of thousands of companies around the world, has confirmed that attackers compromised a SendGrid employee’s account to steal the usernames, email addresses and hashed passwords of an unknown number of SendGrid customers.
SendGrid’s breach disclosure comes several weeks after the company had assured users that the previous breach was limited to one single customer.
On April 9th, it was reported that Coinbase (a bitcoin exchange) had its SendGrid account compromised, which allegedly let thieves launch phishing attacks against other Bitcoin-related organizations. SendGrid promptly replied to the article, stating that it contained inaccuracies in claiming that the entire SendGrid platform had been breached, a claim the company initially denied. “The story has now been updated to reflect that only a single SendGrid customer account was compromised,” David Campbell, chief security officer at SendGrid, said in a blog post in early April.
Following the piece, SendGrid announced today that its previous statement may not have been entirely accurate, saying that, thanks to a detailed forensic investigation, the company has identified a data breach:
“After further investigation in collaboration with law enforcement and FireEye’s (Mandiant) Incident Response Team, we became aware that a SendGrid employee’s account had been compromised by a cyber criminal and used to access several of our internal systems on three separate dates in February and March 2015,” Campbell explained in a new blog post Monday.
“These systems contained usernames, email addresses, and (salted and iteratively hashed) passwords for SendGrid customer and employee accounts. In addition, evidence suggests that the cyber criminal accessed servers that contained some of our customers’ recipient email lists/addresses and customer contact information. We have not found any forensic evidence that customer lists or customer contact information was stolen. However, as a precautionary measure, we are implementing a system-wide password reset. Because SendGrid does not store customer payment cards we do know that payment card information was not involved.”
SendGrid has issued a mandatory password reset following the breach, urging users to start making use of their two-factor authentication system. SendGrid also said the company is working to enhance the security of their systems and two-factor security, pushing to expedite the use of “API keys” that will allow customers to use keys instead of passwords for sending emails through its systems.
The SendGrid breach could be critical: the company sends billions of emails a day and serves big brands such as Foursquare, Pinterest, Spotify and Uber. The breach will be a major target for hackers and spammers alike, with the possibility of giving spammers access to the millions of emails these companies serve and allowing them to blast a corporate-size spam campaign.
Seeing as various customer credentials and email lists were compromised, the scale of the breach currently remains unknown. However, since cybercriminals did compromise specific email lists, the number of spam campaigns targeting specific customer bases will become apparent over time.