A support staffer at the popular email delivery service SendGrid was tricked by an attacker, who then used the access they had been granted to break into the account of US-based cloud hosting provider ChunkHost.
The breach last weekend was described by ChunkHost as a "serious security incident" targeting two of its customers in "a really close call".
ChunkHost co-owner Nate Daiger said in a blog post on the compromise that his company had earlier received a transcript of a chat between SendGrid's technical support group and an attacker who, he said, "was clearly someone trying to social engineer access to our account".
Despite SendGrid's assurance to ChunkHost that it would not fall for such trickery again, a subsequent attempt succeeded.
SendGrid approved a short, terse request to change the email address registered on ChunkHost's account from its existing address to one at a .info domain, in contravention of SendGrid's own security policy.
"Though SendGrid didn’t fall for [the first] attempt, we alerted them to the probing and asked them to please make sure that future social engineering attempts wouldn't work," Daiger said.
" ... it turns out that the policy was ignored this weekend, and someone managed to convince SendGrid over the phone to change the email address on the account. We got an email from them, but by that point it was already too late. The hacker had logged into SendGrid and taken control."
The attacker then switched on a SendGrid feature that blind carbon-copies (BCCs) every outgoing message, and requested password resets for two targeted ChunkHost customer accounts, both described only as being involved in Bitcoin. The reset emails were quietly copied to the attacker's .info address.
But the attack was foiled because both customers had enabled ChunkHost's two-factor authentication phone app, so the captured reset emails alone were not enough to take over the accounts.
"Our customers' accounts were protected and the attackers were stymied. But it was really close," Daiger said.
ChunkHost locked the attacker out within 20 minutes, at which point it disabled password resets, invalidated all active sessions and cut SendGrid out of its mail flow in favour of a local mail relay.
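The chain described above (outbound mail BCC'd to the attacker, password resets requested, second factor blocking the takeover, sessions invalidated afterwards) is easy to reason about in code. The following is an added illustration, not ChunkHost's or SendGrid's code: a minimal password-reset flow in which the emailed token proves only that someone can read the account's mail, and the reset cannot complete without a fresh code from a TOTP phone app. The account names, the TOTP secret, the "attacker mailbox" and the mail-provider stand-in are all constructed for the example, and using RFC 6238 TOTP as the second factor is an assumption about how such a phone app works, not a description of ChunkHost's implementation.

```python
"""Password-reset flow that a captured reset e-mail alone cannot complete.

Added illustration for the ChunkHost/SendGrid incident; not the companies'
own code. Names, secrets and the attacker mailbox below are constructed.
Second factor: RFC 6238 TOTP (an assumption about the phone app).
"""
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (HMAC-SHA1, dynamic truncation) over the time counter."""
    counter = struct.pack(">Q", int(at // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class MailProvider:
    """Stand-in for an outbound mail API whose BCC setting an attacker who owns
    the provider account can flip on (constructed, not a real API)."""

    def __init__(self):
        self.bcc_all_to = None   # set by the attacker after the account takeover
        self.inbox = {}          # address -> list of message bodies (constructed)

    def send(self, to: str, body: str) -> None:
        self.inbox.setdefault(to, []).append(body)
        if self.bcc_all_to:      # every outgoing message is silently copied
            self.inbox.setdefault(self.bcc_all_to, []).append(body)


class Accounts:
    """Minimal account store: password hash, TOTP secret, live reset tokens, sessions."""

    def __init__(self, mail: MailProvider):
        self.mail = mail
        self.users = {}    # user -> dict(email, pw_hash, totp_secret, sessions)
        self.tokens = {}   # reset token -> (user, expiry timestamp)

    def add_user(self, user, email, password, totp_secret):
        self.users[user] = {
            "email": email,
            "pw_hash": hashlib.sha256(password.encode()).hexdigest(),
            "totp_secret": totp_secret,
            "sessions": {secrets.token_hex(8)},   # one pre-existing login session
        }

    def request_reset(self, user: str, now: float) -> None:
        """Step 1: e-mail a short-lived, single-use token. This e-mail is exactly
        what the BCC setting leaks to the attacker."""
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (user, now + 600)
        self.mail.send(self.users[user]["email"], f"reset-token:{token}")

    def complete_reset(self, token: str, totp_code: str, new_password: str, now: float) -> bool:
        """Step 2: the token only proves mailbox access; a current TOTP code is
        required too, so reading the e-mail is not enough to finish the reset."""
        entry = self.tokens.get(token)
        if entry is None or now > entry[1]:
            return False
        user = entry[0]
        rec = self.users[user]
        if not hmac.compare_digest(totp(rec["totp_secret"], now), totp_code):
            return False           # wrong second factor; token remains for the real owner
        del self.tokens[token]     # single use: a replay of the same link fails
        rec["pw_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
        rec["sessions"].clear()    # kick every existing session on a successful reset
        return True


def extract_token(msg: str) -> str:
    return msg.split("reset-token:", 1)[1]


def simulate(now: float = 1_700_000_000.0) -> dict:
    """Run the attack: BCC capture, reset attempt without the phone, owner's reset."""
    mail = MailProvider()
    acct = Accounts(mail)
    secret = b"constructed-totp-secret-0001"
    acct.add_user("alice", "alice@customer.example", "old-pass", secret)

    mail.bcc_all_to = "attacker@dot-info.example"   # attacker owns the mail-provider account
    acct.request_reset("alice", now)
    captured = extract_token(mail.inbox["attacker@dot-info.example"][-1])

    owner_code = totp(secret, now)
    # A guess constructed to be guaranteed wrong; the attacker has no phone app.
    wrong_code = str((int(owner_code) + 1) % 10 ** 6).zfill(6)
    attacker_ok = acct.complete_reset(captured, wrong_code, "pwned", now)
    owner_ok = acct.complete_reset(captured, owner_code, "new-pass", now)
    replay_ok = acct.complete_reset(captured, owner_code, "again", now)
    return {"attacker": attacker_ok, "owner": owner_ok, "replay": replay_ok,
            "sessions_left": len(acct.users["alice"]["sessions"])}


if __name__ == "__main__":
    print(simulate())
```

The design point is that the reset token and the second factor are independent channels: compromising the outbound mail provider yields the token, but not the phone, so the attacker's attempt fails while the token stays usable for the real owner, is consumed on first successful use, and every pre-existing session is dropped. In production you would also rate-limit `complete_reset` so the six-digit code cannot be brute-forced against a live token.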
He said SendGrid had apologised for one of its staffers being lured in by the attackers.
"After the email address was changed, they were able to simply request a new password and gain account access," Daiger quoted SendGrid as saying.
"This should have never happened and we take things like this very seriously. I apologise that you've had to deal with this and I will make sure that we reiterate with our staff that we have policies like that in place for a reason."