SendGrid infosec chief eats humble pie, admits email service hacked

Marketing email distribution service SendGrid is asking customers to switch passwords after admitting it got hacked.

The move follows the realisation that a previously reported hack is a bigger deal than previously imagined. The initial alert was triggered after the SendGrid account of Bitcoin exchange Coinbase was compromised and abused to push a phishing attack.

Subsequent forensic and incident response work has revealed that hackers didn't just steal one set of account login credentials but the login details of a SendGrid worker. These purloined details were used to access “usernames, email addresses, and (salted and iteratively hashed) passwords for SendGrid customer and employee accounts” on at least three occasions during February and March this year.

Hackers may also have snatched customers’ recipient email addresses and contact information, creating a heightened risk of more plausible phishing scams for the interwebs at large in the process.

The practical upshot is that all customer accounts are potentially at risk of hijacking – especially if weak passwords are in play – hence the mandatory switch-up of both passwords and DomainKeys Identified Mail (DKIM)¹ keys (a small minority of around 600 SendGrid customers have custom DKIM keys).

SendGrid boasts more than 100,000 customers, including well-known internet firms such as Airbnb, Foursquare, Spotify and Uber. Its cloud-based email delivery services handle everything from transaction confirmations to friend requests, sign-up confirmations and email newsletters. SendGrid is apologising to customers for the inconvenience caused by the hack and promised to improve the security of its systems including IP whitelisting and enhanced two-factor authentication.

The New York Times broke the story that Coinbase had its Sendgrid credentials compromised three weeks ago, back in early April. Sendgrid took issue with the NYT for implying that it had suffered a platform-wide breach, publishing a blog post decrying the report as "inaccurate".

David Campbell, chief security officer at SendGrid, has since been obliged to backtrack on these combative comments and admit that incident response experts have uncovered reasons to be concerned – if not widespread abuse of potentially compromised login details. ®

Bootnote

¹DKIM is an email validation system designed to foil email spoofing, explained in greater depth here.