NOTICE OF DATA BREACH
We are writing to you because of an incident involving access to information associated with email logs stored by MailChannels. Although we are unaware of any actual misuse of your information, we are providing notice to you and other potentially affected customers about the incident.
On August 29th, 2022, a reputable, independent security researcher (the “Researcher”) informed us that some of our inbound and outbound email delivery logs were accessible on the public internet. Within 30 minutes, our team fixed the problem, which was related to an incorrectly configured access control list (ACL).
Timeline (all times in Pacific Daylight Savings Time)
August 24th, 2022 – 0700: ACL misconfiguration allows public access to logging clusters.
August 29th, 2022 – 0528: Report received from security researcher by email.
August 29th, 2022 – 0651: Report read by privacy office and team dispatched.
August 29th, 2022 – 0722: ACL fixed to remove public access to data.
What Information Was Involved?
After thoroughly examining the available system access logs, we do not believe anyone other than the Researcher gained access to our log data.
The Researcher shared some sample logs in his report, which we verified as genuine. This limited email logging data shared by the Researcher contains email server IP addresses, sender and recipient email addresses, email subject lines, SMTP authentication usernames, and various internal data we use to measure delivery performance.
During our investigation, we discovered that two other logging clusters were accessible, but we found no evidence that any data was retrieved from these clusters. One of the clusters that was not apparently accessed contains quarantined spam messages.
What Are We Doing?
The incorrect ACL that had granted public access to the logs was fixed 31 minutes after receiving the Researcher’s report. Since receiving the report, we have
examined our ACLs and other access control systems to ensure that no other systems are accessible;
strengthened our change management process by adding additional review steps before ACL changes can be made; and,
enabled a change monitoring service offered by our cloud provider that will make it far more difficult for an error like this to occur.
In the coming weeks and months, we will make additional improvements to further reduce the likelihood of a breach of our logs.
What Should MailChannels Customers Do?
Although the Researcher will be paid a bounty for his work, has a generally good reputation in the industry, and has promised to destroy the data he collected, we cannot guarantee that he has not or will not share the information with third parties. We believe that the primary use of this data by an adversary would be to craft phishing emails combining the sender and recipient address pairs from the logs and subject line information to generate deceptive emails. A secondary target would be to somehow brute force the ability to send emails from your MailChannels SMTP account; however, rate-limiting systems already limit an attacker’s ability to make an effective attack through brute-forcing.
Our Promise To You
As an email security provider, we take security very seriously, knowing that an incident like this harms our reputation and yours. Our team is upset that this happened, and they are working harder than ever to regain your trust.
If you have further questions regarding this incident, please do not hesitate to contact me personally at [email protected]
Chief Executive Office / Privacy Officer