In a recent blog post, SendGrid chief security officer David Campbell acknowledged that when a customer’s account was compromised earlier this month, the breach actually reached far beyond that single account.
While SendGrid initially believed the account compromise was an isolated incident, Campbell wrote, “After further investigation in collaboration with law enforcement and FireEye’s (Mandiant) Incident Response Team, we became aware that a SendGrid employee’s account had been compromised by a cyber criminal and used to access several of our internal systems on three separate dates in February and March 2015.”
Campbell’s post doesn’t say how the employee’s account was compromised.
The compromised internal systems held user names, email addresses and passwords for SendGrid customer and employee accounts. The passwords were stored salted and iteratively hashed (Campbell's post describes them as "encrypted"), so they were not directly readable, although a salted, iterated hash still leaves weak passwords exposed to offline guessing once the hash database is in an attacker's hands.
“In addition, evidence suggests that the cyber criminal accessed servers that contained some of our customers’ recipient email lists/addresses and customer contact information,” Campbell wrote.
While there is no evidence that customer lists or customer contact information was stolen, Campbell said, the company has implemented a system-wide password reset as a precaution, and is advising all customers to enable two-factor authentication.
In response to the breach, SendGrid is working to expedite the release of API keys, IP whitelisting, and enhanced two-factor authentication. “We have been working in collaboration with law enforcement and FireEye’s (Mandiant) Incident Response Team to thoroughly investigate this incident and are taking a number of additional actions to increase our system security,” Campbell added.
Campbell’s announcement contradicted an earlier blog post in which, on April 9, 2015, he called the breach “an isolated attack on one SendGrid customer,” and called a New York Times article on the incident “inaccurate” for stating “that SendGrid had incurred a platform-wide breach.”
The New York Times article, also dated April 9, 2015, noted that the initial breach had compromised the SendGrid account of popular Bitcoin exchange Coinbase, adding that “the attack follows a similar pattern to an attack last year against a former SendGrid customer, and there is evidence that other Bitcoin companies are being targeted via their mass email providers.”