February 13, 2023 By Jennifer Gregory 4 min read

Attacks on service providers are mounting — and so are downstream victims.

Earlier this year, some customers of the cloud service provider DigitalOcean received emails instructing them to reset their passwords. These users hadn’t actually forgotten their passwords — their email addresses had been compromised in a data breach. But the cybersecurity incident didn’t start at DigitalOcean. Instead, the attack started from a MailChimp account.

Like many companies, DigitalOcean relies on a third-party email platform for email confirmations, password reset notifications and alerts sent to customers. According to DigitalOcean, an attacker compromised MailChimp’s Internal Tooling and gained unauthorized access to DigitalOcean’s Mailchimp account. This allowed the cyber criminal to add an authorized email address to the account and then steal email customer addresses. Accounts with multi-factor authentication (MFA) enabled were not breached. DigitalOcean could not communicate with its customers for several days due to the breach, during which many people became concerned about their data privacy.

While the attack originated at a third-party organization, the victims of the attack reached beyond Mailchimp. Mailchimp suffered business disruption and customer loss as DigitalOcean changed providers. But DigitalOcean also saw downtime without customer contact, as well as potentially losing their own customers’ trust.

The MailChimp breach is one example of a growing and concerning trend. In many cases, the damages of a breach have a primary victim and secondary victims. In this instance, while MailChimp was the original target, DigitalOcean customers were secondary victims. By targeting major vendors, cyber criminals expand their potential for harm through the trickle-down effect of their attacks. But businesses can still take steps to avoid becoming a downstream victim.

Why downstream attacks are increasing

As cybersecurity technology and practices get more sophisticated, cyber criminals must look for new ways to inflict the most damage. With a downstream attack, organizations often can’t quickly pinpoint the cause of the breach. Sometimes the breach goes detected for days or even months. In other cases, a downstream victim may realize there is an issue but can’t isolate its source.

Additionally, downstream attacks make it possible for cyber criminals to increase the damage and disruption they inflict with a single event. By targeting vendors working with companies that have large customer bases, cyber criminals have access to a much larger pool of customer data. As more companies use Software-as-a-Service (SaaS), vendors are an increasingly attractive target for cyber criminals because of the large opportunity for secondary victims.

In one phishing attack, cyber criminals gained access to the customer engagement platform Twilio through its customer support console. Once the cyber criminals accessed the platform, they had access to Twilio’s customer base, including Signal, a secure messaging platform with an estimated 40 million monthly users. The attack affected 1,900 Signal users, breaching their phone numbers or revealing their SMS verification codes. Most concerning, the hackers bypassed Twilio’s MFA functionality to gain access.

The increase in downstream attacks means organizations must be concerned with more than their own cybersecurity. Businesses now inherit the risk of every single company they’re interconnected with. For example, an organization using a cloud service provider, a CRM and an email marketing platform is only as protected as each vendor. With more companies using SaaS and digital tools, the risk is only increasing.

Steps to avoid becoming a downstream victim

Here are ways to reduce your organization’s risk of becoming a victim of a downstream attack:

  • Conduct a security audit as part of vendor onboarding. Your organization is only as secure as your most insecure vendor. Whenever you do business with another company, you assume their risk. Even more importantly, you pass that risk on to your own customers.
  • Get contact information for security concerns. Ask potential vendors about their security protocols and their process for notifying their customers after a breach. One of the challenges DigitalOcean faced after the MailChimp breach was the inability to get in touch with MailChimp for information when it received the notice that its account was disabled due to security issues. Many organizations have a dedicated support line or channel for immediate resolution of cybersecurity issues.
  • Consider a zero trust framework. By using a zero trust approach, your organization assumes that all apps, devices and users requesting access are unauthorized until proven otherwise. Combined with micro-segmentation, which allows access to the smallest possible portion of the network, you can also reduce the damage caused by a breach.
  • Use MFA on corporate accounts whenever it’s available. Make sure all the vendors your organization uses offer MFA and require employees to use MFA on all the vendor logins they use as part of their job. As demonstrated by the DigitalOcean attack, MFA can prevent some breaches. While the Twilio attack showed that breaching MFA is possible, using MFA can still significantly reduce the risk for organizations.
  • Create a plan for vendor disruption. If one of your vendors is a victim of a cybersecurity attack, they will likely be offline and unable to serve their customers. By creating a backup plan for vendors, you can limit the impact on your organization.

Navigating interconnected risk

The increase in SaaS and PaaS means companies are more interconnected than ever before. With service providers enabling access to their customers, cyber criminals can now affect more people with a single attack. By understanding the risk each new vendor adds to your organization, you can proactively reduce any exposure and feel more secure that you’re fulfilling one of your biggest obligations — protecting your customer’s privacy and data.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from Risk Management

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today