Attacks on service providers are mounting — and so are downstream victims.

Earlier this year, some customers of the cloud service provider DigitalOcean received emails instructing them to reset their passwords. These users hadn’t actually forgotten their passwords — their email addresses had been compromised in a data breach. But the cybersecurity incident didn’t start at DigitalOcean. Instead, the attack started from a MailChimp account.

Like many companies, DigitalOcean relies on a third-party email platform for email confirmations, password reset notifications and alerts sent to customers. According to DigitalOcean, an attacker compromised MailChimp’s internal tooling and gained unauthorized access to DigitalOcean’s Mailchimp account. This allowed the cyber criminal to add an authorized email address to the account and then steal customer email addresses. Accounts with multi-factor authentication (MFA) enabled were not breached. DigitalOcean could not communicate with its customers for several days due to the breach, during which many people became concerned about their data privacy.

While the attack originated at a third-party organization, the victims of the attack reached beyond Mailchimp. Mailchimp suffered business disruption and customer loss as DigitalOcean changed providers. But DigitalOcean also saw downtime without customer contact, as well as potentially losing their own customers’ trust.

The MailChimp breach is one example of a growing and concerning trend. In many cases, a breach has a primary victim and secondary victims. In this instance, while MailChimp was the original target, DigitalOcean customers were secondary victims. By targeting major vendors, cyber criminals expand their potential for harm through the trickle-down effect of their attacks. But businesses can still take steps to avoid becoming a downstream victim.

Why downstream attacks are increasing

As cybersecurity technology and practices get more sophisticated, cyber criminals must look for new ways to inflict the most damage. With a downstream attack, organizations often can’t quickly pinpoint the cause of the breach. Sometimes the breach goes undetected for days or even months. In other cases, a downstream victim may realize there is an issue but can’t isolate its source.

Additionally, downstream attacks make it possible for cyber criminals to increase the damage and disruption they inflict with a single event. By targeting vendors working with companies that have large customer bases, cyber criminals have access to a much larger pool of customer data. As more companies use Software-as-a-Service (SaaS), vendors are an increasingly attractive target for cyber criminals because of the large opportunity for secondary victims.

In one phishing attack, cyber criminals gained access to the customer engagement platform Twilio through its customer support console. Once the cyber criminals accessed the platform, they had access to Twilio’s customer base, including Signal, a secure messaging platform with an estimated 40 million monthly users. The attack affected 1,900 Signal users, exposing their phone numbers or their SMS verification codes. Most concerning, the hackers bypassed Twilio’s MFA functionality to gain access.

The increase in downstream attacks means organizations must be concerned with more than their own cybersecurity. Businesses now inherit the risk of every single company they’re interconnected with. For example, an organization using a cloud service provider, a CRM and an email marketing platform is only as protected as each vendor. With more companies using SaaS and digital tools, the risk is only increasing.

Steps to avoid becoming a downstream victim

Here are ways to reduce your organization’s risk of becoming a victim of a downstream attack:

  • Conduct a security audit as part of vendor onboarding. Your organization is only as secure as your most insecure vendor. Whenever you do business with another company, you assume their risk. Even more importantly, you pass that risk on to your own customers.
  • Get contact information for security concerns. Ask potential vendors about their security protocols and their process for notifying their customers after a breach. One of the challenges DigitalOcean faced after the MailChimp breach was the inability to get in touch with MailChimp for information when it received the notice that its account was disabled due to security issues. Many organizations have a dedicated support line or channel for immediate resolution of cybersecurity issues.
  • Consider a zero trust framework. By using a zero trust approach, your organization assumes that all apps, devices and users requesting access are unauthorized until proven otherwise. Combined with micro-segmentation, which allows access to the smallest possible portion of the network, you can also reduce the damage caused by a breach.
  • Use MFA on corporate accounts whenever it’s available. Make sure all the vendors your organization uses offer MFA and require employees to use MFA on all the vendor logins they use as part of their job. As demonstrated by the DigitalOcean attack, MFA can prevent some breaches. While the Twilio attack showed that breaching MFA is possible, using MFA can still significantly reduce the risk for organizations.
  • Create a plan for vendor disruption. If one of your vendors is a victim of a cybersecurity attack, they will likely be offline and unable to serve their customers. By creating a backup plan for vendors, you can limit the impact on your organization.

Navigating interconnected risk

The increase in SaaS and PaaS means companies are more interconnected than ever before. With service providers enabling access to their customers, cyber criminals can now affect more people with a single attack. By understanding the risk each new vendor adds to your organization, you can proactively reduce any exposure and feel more secure that you’re fulfilling one of your biggest obligations — protecting your customers’ privacy and data.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.
