Mailchimp has clarified that it suspended several crypto-related accounts last week because of a recent attack targeting such brands, not because of the industry they are in. It also said it is reviewing its standard terms of use.
“In response to a recent attack targeting Mailchimp’s crypto-related users, we’ve taken proactive measures to temporarily suspend account access for accounts where we detected suspicious activity while we investigate the incident further,” the company said in a blog post Friday.
The news comes as cloud provider DigitalOcean said some of its customers' email addresses were exposed to attackers as a result of the attack on Mailchimp.
DigitalOcean said it "decided to immediately migrate critical services away from Mailchimp to another email service provider," according to The Register.
Mailchimp's suspension of crypto-related accounts apparently upset some crypto observers, who read it as enforcement of Mailchimp's long-stated antipathy to crypto.
In its Acceptable Use policy published in 2018, Mailchimp wrote: “we cannot allow businesses involved in any aspect of the sale, transaction, exchange, storage, marketing or production of cryptocurrencies, virtual currencies, and any digital assets related to an Initial Coin Offering, to use MailChimp to facilitate or support any of those activities.”
But Mailchimp said on Friday: “We did not suspend accounts based on their industry, and we are committed to continuing to serve crypto companies. We are reviewing our Standard Terms of Use and Acceptable Use Policy in light of our commitment to bringing innovative crypto solutions to our customers.”
Mailchimp continued: “We realize this may have caused uncertainty for our crypto-related users and their customers and apologize for the disruption. We are continuing our investigation and proactively providing impacted users with timely and accurate information throughout the process.”
The suspended customers included "self-custody crypto wallet Edge, crypto intelligence firm Messari, and Decrypt, which had been using Mailchimp for its newsletter for more than four years," according to Decrypt.
Messari's marketing lead Jared Ronis tweeted: "Not only was there zero warning, we can't even access our subscriber lists."
Another apparent user, Ocarina, tweeted: "Lol, @Mailchimp suspended my new account to tell you all about drops because 'because the content associated with your industry conflicts with our Acceptable Use Policy'—so, Twitter it is."
For its part, DigitalOcean is rolling out two-factor authentication more widely and improving "threat models and security visibility" for the SaaS and PaaS providers it depends on, The Register writes.
“This is another example of a situation where a security incident at one point in the supply chain has caused significant issues for their customers," observes Erich Kron, security awareness advocate at KnowBe4. "Unfortunately, the Mailchimp incident may have potentially led to downstream breaches of DigitalOcean customers by generating password reset requests, through no fault of their own."
Kron continues, "For cybercriminals, gaining access to an email service such as Mailchimp could reap huge benefits as they would be able to send phishing emails to customers from a known and trusted account. In the event DigitalOcean customers were to fall for a phishing attack stemming from the Mailchimp breach, the most likely scenario would be that the customer would be upset with DigitalOcean, not really knowing about Mailchimp. While useful, these sorts of vendor partnerships can unfairly taint an otherwise trustworthy brand, highlighting the importance of choosing vendors wisely."