Yesterday afternoon, the SendGrid account of a Bitcoin-related customer was compromised and used to send a phishing email to that customer's users, baiting them to transfer Bitcoins to several accounts controlled by the attackers with the promise of interest payments. We worked with the customer to help them recover control of their account and to minimize the damage of the attack.
This incident was an isolated attack on a single SendGrid customer account, not on the SendGrid platform. An NYT Bits Blog post has reported that users of other Bitcoin-related businesses have been targeted this week with phishing attacks sent through other email service providers as well.
SendGrid encourages ALL of our customers to enable two-factor authentication. With it enabled, an attacker who has obtained only your password (by phishing, guessing, or a breach of another site) cannot log in to your account with that password alone.
SendGrid customers should also make sure that their SendGrid password is long, randomly generated, and not used anywhere else, and should store it in a password manager such as KeePass, 1Password, or LastPass. Do not reuse passwords across websites: a password stolen from one site is routinely tried against others.
Finally, we note that the original NYT Bits Blog post on April 9 about this incident was inaccurate and implied that SendGrid had suffered a platform-wide breach. The story has since been updated to reflect that only a single SendGrid customer account was compromised. The post also stated that the Chunkhost incident occurred just three weeks ago, when in fact it occurred over a year ago, in March 2014. That incident was unrelated to this attack and had a different root cause. Since then, SendGrid has changed its security procedures so that SendGrid Support employees can no longer change the email address or password on any customer account.
As always, we encourage any feedback or questions to be directed to firstname.lastname@example.org.