April 27, 2015

Sendgrid, an email service used by tens of thousands of companies — including Silicon Valley giants as well as Bitcoin exchange Coinbase — said attackers compromised a Sendgrid employee’s account, which was then used to steal the usernames, email addresses and (hashed) passwords of customer and employee accounts. The announcement comes several weeks after Sendgrid sought to assure customers that the breach was limited to a single customer account.

On April 9, The New York Times reported that Coinbase had its Sendgrid credentials compromised, and that thieves were apparently using the access to launch phishing attacks against Bitcoin-related businesses. Sendgrid took issue with the Times piece for implying that SendGrid had incurred a platform-wide breach. “The story has now been updated to reflect that only a single SendGrid customer account was compromised,” Sendgrid wrote in a blog post published that same day.

Today, Sendgrid published another post walking that statement back a bit, saying it now had more information about the extent of the intrusion thanks to assistance from data breach investigators:

“After further investigation in collaboration with law enforcement and FireEye’s (Mandiant) Incident Response Team, we became aware that a SendGrid employee’s account had been compromised by a cyber criminal and used to access several of our internal systems on three separate dates in February and March 2015,” wrote David Campbell, Sendgrid’s chief security officer. Campbell continues:

“These systems contained usernames, email addresses, and (salted and iteratively hashed) passwords for SendGrid customer and employee accounts. In addition, evidence suggests that the cyber criminal accessed servers that contained some of our customers’ recipient email lists/addresses and customer contact information. We have not found any forensic evidence that customer lists or customer contact information was stolen. However, as a precautionary measure, we are implementing a system-wide password reset. Because SendGrid does not store customer payment cards we do know that payment card information was not involved.”

Sendgrid is urging customers to change their passwords, and to take advantage of the company’s multi-factor authentication offering. Sendgrid also said it is working to add more authentication methods for its two-factor security, and to expedite the release of special “API keys” that will allow customers to use keys instead of passwords for sending email through its systems.
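Campbell’s statement says the stolen passwords were “salted and iteratively hashed,” and the company still forced a system-wide reset. The following is an added example (not Sendgrid’s code; its real algorithm and work factor are not public, so PBKDF2-SHA256 at a hypothetical 100,000 rounds stands in) showing what that phrase buys once the password table is in an attacker’s hands: an unsalted single-pass hash lets one guess be checked against every user at once, while a per-user salt plus an iteration count forces one expensive computation per user per guess. The users, passwords and wordlist are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Hypothetical work factor for the demo; the real service's parameters are not public.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash stored as 'pbkdf2_sha256$iters$salt$hash' (base64 fields)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, stored beside the hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_b64, hash_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(candidate, base64.b64decode(hash_b64))


def unsalted_hash(password: str) -> str:
    """The weak scheme, for contrast: one fast SHA-256 pass, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Hash each guess once and match it against every stored hash at the same time.
    Returns (user -> recovered password, number of hash computations performed)."""
    table = {unsalted_hash(w): w for w in wordlist}  # len(wordlist) computations total
    found = {user: table[h] for user, h in stored.items() if h in table}
    return found, len(wordlist)


def crack_salted(stored: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """With per-user salts the attacker must run PBKDF2 once per (user, guess) pair,
    and each run costs the full iteration count. Returns (found, PBKDF2 runs)."""
    found: Dict[str, str] = {}
    work = 0
    for user, record in stored.items():
        for guess in wordlist:
            work += 1
            if verify_password(guess, record):
                found[user] = guess
                break
    return found, work


if __name__ == "__main__":
    # Constructed sample data: two users share a weak password, one has a strong one.
    creds = {"alice": "correct horse", "bob": "correct horse", "carol": "Tr0ub4dor&3"}
    wordlist = ["letmein", "correct horse"]
    weak_db = {u: unsalted_hash(p) for u, p in creds.items()}
    strong_db = {u: hash_password(p) for u, p in creds.items()}
    print("unsalted:", crack_unsalted(weak_db, wordlist))
    print("salted+iterated:", crack_salted(strong_db, wordlist))
```

On the constructed data the unsalted table gives up both weak passwords after two SHA-256 computations, while the salted table costs six PBKDF2 runs (600,000 SHA-256 rounds) for the same result and scales with the number of users. The slowdown buys time, which is why a forced reset still makes sense: it does not make weak passwords uncrackable, it only makes the attacker pay per user.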

Sendgrid manages billions of emails for some big brand names, including Pinterest, Spotify and Uber. This reach makes them a major target of fraudsters and spammers, who would like nothing more than to control whitelisted accounts capable of blasting out so much email each day.

In March 2015, U.S. prosecutors indicted three men in connection with the April 2011 compromise of commercial email giant Epsilon. Days after that break-in, customers at dozens of Fortune 500 companies began complaining of receiving spam to email addresses they’d created specifically for use with the companies directly served by Epsilon and its network of email providers.

14 thoughts on “SendGrid: Employee Account Hacked, Used to Steal Customer Credentials”

  1. Donald J Trump

    SenderGrid, yet another online service that is being abused by spammers to promote their garbage.

  2. bobl

    Admittedly off topic for this article, but there is an ad for a cell phone jammer displayed on this page. It lists a coupon code of “KREBSSHIP” for free shipping.

    I thought that jammers were illegal.

    Am I incorrect?

    1. BrianKrebs Post author

      Yes, you’re incorrect. It’s a cell phone detector. It does not jam cell phone signals. It’s for use in situations that require no cell phones for security.

  3. Ray

    Hi Brian,
    I don’t see the ad for the cell phone finder. Is that because I have ad block installed or did you take it down?

  4. BaliRob

    “Bitcoin related businesses” Wonderful news absolutely great to know that this pernicious system can be attacked – let’s hope that it can be totally destroyed in order that evil b—-rds such as Ransomware will have to look for other means to extort us.

    1. null

      I think at some time we will all have to have two devices to use the internet – one for surfing and a separate one for doing business.

      1. Freddie

        Some of us are already doing just that.

        My main home machine is Ubuntu where I do all my slutty work like email and surfing.

        Then I have a minimalist separate physical machine, running Win7, where I only do financial work, since some of my financial tools only run on Windows.

        It is also powered down or at least wi-fi disabled except for the times when I’m actually doing financial work or updating Windows.

        All financial data is kept on an encrypted flash drive which is never plugged in except for the duration of time needing to access it.

        I’m probably still going to eventually be hacked but at least I gave it my best shot.

    2. Chris M

      Huh? This is an email service, used by Bitcoin related things, and other services in general. It has as much to do with Bitcoin as does your internet browser or Google search. Bitcoin in no way was attacked.

      Secondly, Bitcoin is just a currency, same as US dollars or euros. Even if there was no Bitcoin, malware would simply ask for payment in a different currency.

  5. Brian Sommers

    They say “evidence suggests that the cyber criminal accessed servers” and then say “Because SendGrid does not store customer payment cards we do know that payment card information was not involved.”

    Thieves can steal information that is not stored — they can capture it on the wire or in memory.

    1. timeless

      In this case, it wouldn’t be transferred.

      The problem is that you can use the stolen information to coerce victims into divulging CC details…

  6. Oliver

    So was that employee who had his/her account compromised using the two factor authentication they recommend to their customers?

  7. ninjaneer

    Hmmm…. Yet another story to somehow link hacking to Bitcoin. And a new Bitcoin reader would be like- OMG = bad. I mean SendGrid has bigger and more popular company they host… And besides Coinbase was not compromised.

  8. Eric R

    Too many ESPs operating like mom & pop shops with as much security as using GUEST as their password. Live and learn. The bigger they are (marketer size), the cheaper they think they can buy services like email.
