In a blog post, ChunkHost co-owner Nate Daiger explained that the company had received a chat transcript a few weeks ago that clearly indicated that someone was trying to social engineer access to ChunkHost's account.
When ChunkHost expressed concern about the issue, Daiger says, SendGrid stated, "As a policy, we will never change an account's credentials or email address for a user, especially over a chat or email ticket. We will provide the links or instructions for the user to do so, but those pages can only be accessed with the proper credentials."
Last weekend, however, someone managed to convince SendGrid over the phone to change ChunkHost's e-mail address from firstname.lastname@example.org to email@example.com://o1.qnsr.com/log/p.gif?;n=203;c=204660770;s=9477;x=7936;f=201812281321530;u=j;z=TIMESTAMP;a=20396194;e=i
The hacker then activated a feature that sent a BCC of every outgoing message to a separate e-mail address, and initiated pasword resets on two Bitcoin-related accounts.
"With the password reset link, they could change the password and access our customers' accounts," Daiger explained. "Luckily, the affected customers were both using our Two-Factor Authentication feature. This means you not only need a password, but a token generated by your phone to log in."
Within about 20 minutes, Daiger says, ChunkHost had noticed the attack and disabled password resets, reset all sessions, and switched to local mail relaying.
"We are continuing to send our own email while we explore other options, but other companies should take notice and not make the mistake we did," Daiger writes. "If your accounts are ever a target for break-ins (especially if you do anything related to Bitcoin!), protect yourself and your customers by sending your own mail."