Lack of MFA May Have Enabled Sendgrid Account Compromise
Email Service Provider Moving to Implement Additional Security Measures
Security professionals are expressing surprise that email service provider Sendgrid did not have multifactor authentication in place to protect its customer accounts, a gap that may have enabled the compromise of a large number of accounts, followed by the sale of the data on the darknet.
"It's actually quite shocking that an organization that works with business customers for marketing purposes didn't already have multifactor authentication in place for users, and implementing it as a requirement is a critical first step that should happen urgently," says Torsten George, cybersecurity evangelist with security firm Centrify.
Sendgrid's parent company, Twilio, tells security blogger Brian Krebs that the company is in the process of requiring multifactor authentication for all its accounts. The hacked accounts are being used in phishing and email-based malware attacks, Krebs reports.
"It's positive to see that parent company Twilio is already working on this," George says. "The Sendgrid hack is a reminder of the importance of identity management for all businesses."
Twilio creates APIs that businesses use to communicate with their customers through its platform via email, text and video, essentially making the company a middleman in the communications process.
The company has not publicly released any information on the number of accounts that were hacked or how they were compromised. Twilio lists Lyft, Airbnb and Netflix among its customers, and MediaPost reports the company signed a contract with 28 cities, states and universities to handle contact tracing for their COVID-19 programs covering about 150 million people.
A company spokesperson could not be immediately reached for additional comment.
Reusing Old Credentials
James McQuiggan, security awareness advocate at KnowBe4, notes it's important for businesses and consumers to change their password if they believe it was compromised. He says previously stolen credentials may have been used to gain access to the Twilio accounts.
"The account compromises may have occurred from previous exploits and attacks against breached organizations who also happen to use Sendgrid. Considering the users are logging in with their business email, the cybercriminals have collected millions of email and password accounts from other cyberattacks," McQuiggan says.
Fraudsters and cybercriminals assume that login credentials are reused and can take the credentials they already hold and use them in a brute-force attack on Sendgrid accounts, he says.
"Without MFA, the user account will never know someone is trying to log into Sendgrid with their account," McQuiggan notes.
George adds: "Sendgrid customers should immediately change their passwords, ensuring they are unique and complex. They should also make sure any other accounts that used the same Sendgrid password are updated as well. This is because cybercriminals will use stolen passwords in credential stuffing attacks, which use breached details to break into other accounts using the same login information."
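The credential-stuffing pattern McQuiggan and George describe (breached username/password pairs replayed against many accounts, with nothing alerting the account owner when MFA is absent) is visible to the service provider in its own authentication logs. The following Python script is an added example written for this article; it is not Sendgrid or Twilio code. The log format, the field layout, the sample lines and the thresholds are all assumptions constructed for the demonstration. It flags source addresses that spray logins across many distinct accounts with a low success rate, and lists the accounts whose credentials actually worked during such a burst, since those are the ones needing a forced password reset and MFA enrollment rather than just an IP block.

```python
"""Spot credential-stuffing bursts in authentication logs.

Added example, not code from Sendgrid/Twilio or the article.
Log format, field names and thresholds are assumptions for this demo.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (not real data).
# Assumed format: <timestamp> <source_ip> <username> <result>
SAMPLE_LOG = """\
2020-08-28T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-08-28T10:00:02Z 203.0.113.7 bob@example.com FAIL
2020-08-28T10:00:02Z 203.0.113.7 carol@example.com FAIL
2020-08-28T10:00:03Z 203.0.113.7 dave@example.com FAIL
2020-08-28T10:00:03Z 203.0.113.7 erin@example.com SUCCESS
2020-08-28T10:00:04Z 203.0.113.7 frank@example.com FAIL
2020-08-28T10:00:04Z 203.0.113.7 grace@example.com FAIL
2020-08-28T10:05:00Z 198.51.100.2 alice@example.com FAIL
2020-08-28T10:05:10Z 198.51.100.2 alice@example.com SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source-IP login counters."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)
    successes: list = field(default_factory=list)


def parse_log(text):
    """Turn the assumed log format into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user.lower(), result.upper() == "SUCCESS"))
    return events


def summarize_by_source(events):
    """Aggregate attempts, failures, targeted accounts and successes per source IP."""
    stats = defaultdict(SourceStats)
    for _ts, ip, user, ok in events:
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if ok:
            s.successes.append(user)
        else:
            s.failures += 1
    return stats


def find_stuffing_sources(events, min_attempts=5, min_distinct_users=4,
                          max_success_rate=0.5):
    """Return source IPs whose pattern looks like credential stuffing:
    many attempts, spread over many distinct accounts, mostly failing.

    A legitimate user mistyping a password hits one account repeatedly, so
    the distinct-account count is what separates stuffing from typos.
    Thresholds are assumed values for the demo; tune them to real traffic.
    """
    flagged = {}
    for ip, s in summarize_by_source(events).items():
        success_rate = (s.attempts - s.failures) / s.attempts
        if (s.attempts >= min_attempts
                and len(s.usernames) >= min_distinct_users
                and success_rate <= max_success_rate):
            flagged[ip] = s
    return flagged


def accounts_to_reset(events, **thresholds):
    """Accounts that authenticated successfully from a flagged source.

    The replayed credential worked, so treat the account as compromised:
    force a password change and MFA enrollment, not merely an IP block.
    """
    flagged = find_stuffing_sources(events, **thresholds)
    return sorted({u for s in flagged.values() for u in s.successes})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, s in find_stuffing_sources(evs).items():
        print(f"{ip}: {s.attempts} attempts over {len(s.usernames)} accounts, "
              f"{s.failures} failed")
    print("force reset + MFA enrollment:", accounts_to_reset(evs))
```

In the constructed sample, 203.0.113.7 tries seven different accounts in a few seconds and succeeds once, which is the stuffing signature; 198.51.100.2 fails once and then logs into the same account, which is ordinary user behaviour and is left alone. The second function is the part an incident responder cares about: the account that accepted a replayed password is the one to reset, exactly the advice George gives above.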