Light Dark
February 13, 2023 By Jennifer Gregory 4 min read
Risk Management

Attacks on service providers are mounting — and so are downstream victims.

Earlier this year, some customers of the cloud service provider DigitalOcean received emails instructing them to reset their passwords. These users hadn’t actually forgotten their passwords — their email addresses had been compromised in a data breach. But the cybersecurity incident didn’t start at DigitalOcean. Instead, the attack started from a MailChimp account.

Like many companies, DigitalOcean relies on a third-party email platform for email confirmations, password reset notifications and alerts sent to customers. According to DigitalOcean, an attacker compromised MailChimp’s Internal Tooling and gained unauthorized access to DigitalOcean’s Mailchimp account. This allowed the cyber criminal to add an authorized email address to the account and then steal email customer addresses. Accounts with multi-factor authentication (MFA) enabled were not breached. DigitalOcean could not communicate with its customers for several days due to the breach, during which many people became concerned about their data privacy.

While the attack originated at a third-party organization, the victims of the attack reached beyond Mailchimp. Mailchimp suffered business disruption and customer loss as DigitalOcean changed providers. But DigitalOcean also saw downtime without customer contact, as well as potentially losing their own customers’ trust.

The MailChimp breach is one example of a growing and concerning trend. In many cases, the damages of a breach have a primary victim and secondary victims. In this instance, while MailChimp was the original target, DigitalOcean customers were secondary victims. By targeting major vendors, cyber criminals expand their potential for harm through the trickle-down effect of their attacks. But businesses can still take steps to avoid becoming a downstream victim.

Why downstream attacks are increasing

As cybersecurity technology and practices get more sophisticated, cyber criminals must look for new ways to inflict the most damage. With a downstream attack, organizations often can’t quickly pinpoint the cause of the breach. Sometimes the breach goes detected for days or even months. In other cases, a downstream victim may realize there is an issue but can’t isolate its source.

Additionally, downstream attacks make it possible for cyber criminals to increase the damage and disruption they inflict with a single event. By targeting vendors working with companies that have large customer bases, cyber criminals have access to a much larger pool of customer data. As more companies use Software-as-a-Service (SaaS), vendors are an increasingly attractive target for cyber criminals because of the large opportunity for secondary victims.

In one phishing attack, cyber criminals gained access to the customer engagement platform Twilio through its customer support console. Once the cyber criminals accessed the platform, they had access to Twilio’s customer base, including Signal, a secure messaging platform with an estimated 40 million monthly users. The attack affected 1,900 Signal users, breaching their phone numbers or revealing their SMS verification codes. Most concerning, the hackers bypassed Twilio’s MFA functionality to gain access.

The increase in downstream attacks means organizations must be concerned with more than their own cybersecurity. Businesses now inherit the risk of every single company they’re interconnected with. For example, an organization using a cloud service provider, a CRM and an email marketing platform is only as protected as each vendor. With more companies using SaaS and digital tools, the risk is only increasing.

Steps to avoid becoming a downstream victim

Here are ways to reduce your organization’s risk of becoming a victim of a downstream attack:

  • Conduct a security audit as part of vendor onboarding. Your organization is only as secure as your most insecure vendor. Whenever you do business with another company, you assume their risk. Even more importantly, you pass that risk on to your own customers.
  • Get contact information for security concerns. Ask potential vendors about their security protocols and their process for notifying their customers after a breach. One of the challenges DigitalOcean faced after the MailChimp breach was the inability to get in touch with MailChimp for information when it received the notice that its account was disabled due to security issues. Many organizations have a dedicated support line or channel for immediate resolution of cybersecurity issues.
  • Consider a zero trust framework. By using a zero trust approach, your organization assumes that all apps, devices and users requesting access are unauthorized until proven otherwise. Combined with micro-segmentation, which allows access to the smallest possible portion of the network, you can also reduce the damage caused by a breach.
  • Use MFA on corporate accounts whenever it’s available. Make sure all the vendors your organization uses offer MFA and require employees to use MFA on all the vendor logins they use as part of their job. As demonstrated by the DigitalOcean attack, MFA can prevent some breaches. While the Twilio attack showed that breaching MFA is possible, using MFA can still significantly reduce the risk for organizations.
  • Create a plan for vendor disruption. If one of your vendors is a victim of a cybersecurity attack, they will likely be offline and unable to serve their customers. By creating a backup plan for vendors, you can limit the impact on your organization.

Navigating interconnected risk

The increase in SaaS and PaaS means companies are more interconnected than ever before. With service providers enabling access to their customers, cyber criminals can now affect more people with a single attack. By understanding the risk each new vendor adds to your organization, you can proactively reduce any exposure and feel more secure that you’re fulfilling one of your biggest obligations — protecting your customer’s privacy and data.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

 |  |  |  |  |  |  |  |  |  | 
Jennifer Gregory
Cybersecurity Writer

More from Risk Management
November 15, 2024

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

November 13, 2024

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

November 12, 2024

6 Principles of Operational Technology Cybersecurity released by joint NSA initiative

4 min read - Today’s critical infrastructure organizations rely on operational technology (OT) to help control and manage the systems and processes required to keep critical services to the public running. However, due to the highly integrated nature of OT deployments, cybersecurity has become a primary concern.On October 2, 2024, the NSA (National Security Agency) released a new CSI titled “Principles of Operational Technology Cybersecurity.” This new guide was created in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD SCSC) to…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature