February 13, 2023 By Jennifer Gregory 4 min read

Attacks on service providers are mounting — and so are downstream victims.

Earlier this year, some customers of the cloud service provider DigitalOcean received emails instructing them to reset their passwords. These users hadn’t actually forgotten their passwords — their email addresses had been compromised in a data breach. But the cybersecurity incident didn’t start at DigitalOcean. Instead, the attack started from a MailChimp account.

Like many companies, DigitalOcean relies on a third-party email platform for email confirmations, password reset notifications and alerts sent to customers. According to DigitalOcean, an attacker compromised MailChimp’s Internal Tooling and gained unauthorized access to DigitalOcean’s Mailchimp account. This allowed the cyber criminal to add an authorized email address to the account and then steal email customer addresses. Accounts with multi-factor authentication (MFA) enabled were not breached. DigitalOcean could not communicate with its customers for several days due to the breach, during which many people became concerned about their data privacy.

While the attack originated at a third-party organization, the victims of the attack reached beyond Mailchimp. Mailchimp suffered business disruption and customer loss as DigitalOcean changed providers. But DigitalOcean also saw downtime without customer contact, as well as potentially losing their own customers’ trust.

The MailChimp breach is one example of a growing and concerning trend. In many cases, the damages of a breach have a primary victim and secondary victims. In this instance, while MailChimp was the original target, DigitalOcean customers were secondary victims. By targeting major vendors, cyber criminals expand their potential for harm through the trickle-down effect of their attacks. But businesses can still take steps to avoid becoming a downstream victim.

Why downstream attacks are increasing

As cybersecurity technology and practices get more sophisticated, cyber criminals must look for new ways to inflict the most damage. With a downstream attack, organizations often can’t quickly pinpoint the cause of the breach. Sometimes the breach goes detected for days or even months. In other cases, a downstream victim may realize there is an issue but can’t isolate its source.

Additionally, downstream attacks make it possible for cyber criminals to increase the damage and disruption they inflict with a single event. By targeting vendors working with companies that have large customer bases, cyber criminals have access to a much larger pool of customer data. As more companies use Software-as-a-Service (SaaS), vendors are an increasingly attractive target for cyber criminals because of the large opportunity for secondary victims.

In one phishing attack, cyber criminals gained access to the customer engagement platform Twilio through its customer support console. Once the cyber criminals accessed the platform, they had access to Twilio’s customer base, including Signal, a secure messaging platform with an estimated 40 million monthly users. The attack affected 1,900 Signal users, breaching their phone numbers or revealing their SMS verification codes. Most concerning, the hackers bypassed Twilio’s MFA functionality to gain access.

The increase in downstream attacks means organizations must be concerned with more than their own cybersecurity. Businesses now inherit the risk of every single company they’re interconnected with. For example, an organization using a cloud service provider, a CRM and an email marketing platform is only as protected as each vendor. With more companies using SaaS and digital tools, the risk is only increasing.

Steps to avoid becoming a downstream victim

Here are ways to reduce your organization’s risk of becoming a victim of a downstream attack:

  • Conduct a security audit as part of vendor onboarding. Your organization is only as secure as your most insecure vendor. Whenever you do business with another company, you assume their risk. Even more importantly, you pass that risk on to your own customers.
  • Get contact information for security concerns. Ask potential vendors about their security protocols and their process for notifying their customers after a breach. One of the challenges DigitalOcean faced after the MailChimp breach was the inability to get in touch with MailChimp for information when it received the notice that its account was disabled due to security issues. Many organizations have a dedicated support line or channel for immediate resolution of cybersecurity issues.
  • Consider a zero trust framework. By using a zero trust approach, your organization assumes that all apps, devices and users requesting access are unauthorized until proven otherwise. Combined with micro-segmentation, which allows access to the smallest possible portion of the network, you can also reduce the damage caused by a breach.
  • Use MFA on corporate accounts whenever it’s available. Make sure all the vendors your organization uses offer MFA and require employees to use MFA on all the vendor logins they use as part of their job. As demonstrated by the DigitalOcean attack, MFA can prevent some breaches. While the Twilio attack showed that breaching MFA is possible, using MFA can still significantly reduce the risk for organizations.
  • Create a plan for vendor disruption. If one of your vendors is a victim of a cybersecurity attack, they will likely be offline and unable to serve their customers. By creating a backup plan for vendors, you can limit the impact on your organization.

Navigating interconnected risk

The increase in SaaS and PaaS means companies are more interconnected than ever before. With service providers enabling access to their customers, cyber criminals can now affect more people with a single attack. By understanding the risk each new vendor adds to your organization, you can proactively reduce any exposure and feel more secure that you’re fulfilling one of your biggest obligations — protecting your customer’s privacy and data.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from Risk Management

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

How I got started: Ransomware negotiator

4 min read - Specialized roles in cybersecurity are proliferating, which isn’t surprising given the evolving threat landscape and the devastating impact of ransomware on many businesses.Among these roles, ransomware negotiators are becoming more and more crucial. These negotiators operate on the front lines of cyber defense, engaging directly with cyber criminals to mitigate the impact of ransomware attacks on organizations.Ransomware negotiators possess a unique blend of technical expertise, psychological insight and negotiation skills that allow them to navigate the high-stakes environment of ransomware…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today