Email has become a critical tool for transactions — from the sending of Uber receipts to delivery of hotel coupons. Naturally, companies that send mission-critical consumer emails often turn to third-party firms like SendGrid to manage the delivery of millions of messages. Of course, as third parties that maintain trusted relationships with both consumers and corporations, such email providers are an obvious target for hackers. Imagine the damage a criminal could do if he could believably pose as a giant tech firm and send out emails to all consumers? Such emails could ask millions of users to reset their passwords, for example, or update their credit card information, or even send bitcoins.
Such attacks are now under way. SendGrid, which has 180,000 customers and sends emails for giants like Uber and Spotify, said this week that a hacker who broke into company systems earlier this month did more damage than initially believed.
On April 9, the firm confirmed to The New York Times that a Bitcoin-related client account had been compromised and used to send phishing emails to its customers. But on Monday, SendGrid said additional investigation revealed that one of its own employees’ accounts had been compromised and used to access several SendGrid systems in February and March.
“These systems contained usernames, email addresses, and . . . passwords for SendGrid customer and employee accounts,” the firm said on its blog. “In addition, evidence suggests that the cyber criminal accessed servers that contained some of our customers’ recipient email lists/addresses and customer contact information.”
SendGrid says it has not found evidence that customer lists were stolen, but it “cannot rule out the possibility.”
The firm is urging its clients to change passwords and enable two-factor authentication.
It takes only a little creativity to imagine all the damage a hacker who managed to steal customer email lists and credentials could do. But a harrowing tale told by cloud provider Chunkhost.com on its website offers a cautionary tale. Co-owner Nate Daiger wrote last year that a hacker talked SendGrid into changing its point of contact email from email@example.com to firstname.lastname@example.org, then used that change to retrieve a password reset email on two bitcoin-using clients. Fortunately, both clients used two-factor authentication, Daiger wrote.
“Our customers’ accounts were protected and the attackers were stymied. But it was really close,” he wrote.
Corporate clients who use third-party email services should be on notice: hackers are actively targeting such accounts. Meanwhile, here’s an important notice to consumers: You can’t believe everything you read, even an email that appears to come from a company you trust. Hackers can sent out very believable-looking phishing emails with requests for password changes or payment information. You should always be skeptical of such emails, but now, you have new reasons to be so. When feasible, avoid clicking on links in emails and instead visit websites directly by typing the site address into your web browser’s address bar.
If you have given up sensitive information to a phisher, it’s important to take steps to control the damage. If it’s an account number, report your account info as stolen so the bank or card issuer can close the account, or take similar steps to stop or undo any instances of fraud. Keep a close eye on your account statements, and check your credit reports and credit scores for signs that someone has opened an account in your name, or is using an existing one. You can get your credit reports for free every year from AnnualCreditReport.com, and you can get your credit scores for free from several sources, including Credit.com.
More on Identity Theft:
- Identity Theft: What You Need to Know
- 3 Dumb Things You Can Do With Email
- How Can You Tell If Your Identity Has Been Stolen?