SendGrid Admits Broader Hack of Email Service

Email delivery service provider SendGrid admitted that hackers had accessed several internal systems, refuting reports earlier this month that the attack was an isolated incident.

SendGrid, which sells a cloud-based email delivery service, has admitted that the extent of a hack disclosed three weeks ago was much more serious than originally reported.

The company said an employee account was compromised and used to access other systems that contained customer and employee account information, and stored customer email lists.

According to the SendGrid website, the company has 180,000 customers, including Airbnb, Foursquare, Spotify and Uber, and sends 14 billion emails monthly. SendGrid advises customers to reset passwords and enable two-factor authentication. Good password practices, such as using unique passwords and never publishing credentials in source code repositories such as GitHub, are also advised.

On April 8, SendGrid disclosed the attack and said an account belonging to a Bitcoin-related customer was compromised and phishing emails were being sent from that account trying to get people to transfer Bitcoins to a number of fraudulent accounts. SendGrid said the attack was an isolated incident, and challenged the accuracy of a New York Times report that said the breach was across the entire SendGrid platform.

Yesterday, SendGrid chief security officer David Campbell said that, following law enforcement and security investigations, the company discovered the breach was related to an internal account that had been compromised. The attackers used that access to breach a number of internal systems in February and March.

Campbell said the systems stored SendGrid customer and employee usernames, email addresses, and salted and hashed passwords. Systems holding customer email lists, addresses and contact information were also accessed, Campbell said.

“We have not found any forensic evidence that customer lists or customer contact information was stolen. However, as a precautionary measure, we are implementing a system-wide password reset,” Campbell said, adding that SendGrid does not store payment card information from its customers and that no card data was compromised. “Upon discovery, we took immediate actions to block unauthorized access and deployed additional processes and controls to better protect our customers, our employees, and our platform.”

Campbell said that SendGrid customers who use custom DKIM keys to send mail, about 600 in total, should generate new keys and update their DNS records to reflect the change.
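A check for that rotation step, added here as an example and not SendGrid's own code: it builds the TXT record value for a new public key and classifies whatever record is currently published at the selector, so an operator can confirm the old key is actually gone. The key bodies below are constructed placeholders rather than real RSA keys, and the record strings would in practice come from a DNS TXT query of `<selector>._domainkey.<domain>`.

```python
import base64
import re

# Constructed sample values (not real keys): the base64 body of the new and the
# old public key, as it appears after stripping PEM armour.
NEW_PUB_B64 = base64.b64encode(b"constructed-new-dkim-public-key-bytes").decode()
OLD_PUB_B64 = base64.b64encode(b"constructed-old-dkim-public-key-bytes").decode()


def pem_to_p_tag(pem: str) -> str:
    """Strip PEM header/footer and line breaks to get the base64 used in p=."""
    lines = [l.strip() for l in pem.strip().splitlines()
             if l.strip() and not l.startswith("-----")]
    return "".join(lines)


def build_dkim_record(pub_b64: str) -> str:
    """Assemble the TXT value to publish at <selector>._domainkey.<domain>."""
    return f"v=DKIM1; k=rsa; p={pub_b64}"


def parse_dkim_record(strings) -> dict:
    """Join the character-strings of one TXT RR (a long p= value is split into
    255-byte chunks) and parse the tag=value list into a dict."""
    joined = "".join(s.strip('"') for s in strings)
    tags = {}
    for part in joined.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def rotation_status(strings, new_pub_b64: str, old_pub_b64: str) -> str:
    """Classify what the published record says about the key rotation."""
    tags = parse_dkim_record(strings)
    p = tags.get("p")
    if p is None or tags.get("v", "DKIM1") != "DKIM1":
        return "invalid"  # not a usable DKIM key record
    if p == "":
        return "revoked"  # an empty p= means the selector has been revoked
    try:
        base64.b64decode(p, validate=True)
    except ValueError:
        return "invalid"  # p= is not well-formed base64
    if p == new_pub_b64:
        return "rotated"
    if p == old_pub_b64:
        return "old-key-still-published"
    return "unknown-key"
```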

“We realize that email delivery is an essential part of our customers’ regular course of business and we sincerely apologize for all the inconvenience this has caused,” Campbell said. “Security is a priority to us at SendGrid and we will continue to work hard to earn your trust by making every effort to deliver a secure service.”

One day after the SendGrid breach, the New York Times reported that attackers used the credentials to breach Bitcoin exchange Coinbase, which confirmed to the Times that hackers had compromised its SendGrid account. Other Bitcoin exchanges were also previously targeted through similar email services, the Times report said.
