Delayed delivery of some emails
Incident Report for ChargeOver
Postmortem

Incident details

From July 25, 14:00 PST to July 29, 20:41 PST, some emails sent via ChargeOver were delayed.

Only emails sent via ChargeOver’s email provider were affected (emails sent via ChargeOver’s custom SMTP, custom SendGrid, Mailgun, and Mandrill integrations were not impacted).

Root cause

On two separate days in July, malicious users logged into two separate ChargeOver accounts, and used them to send a large number of spam/scam emails.

The ChargeOver accounts were customers of ChargeOver - no

Both ChargeOver accounts used extremely easy-to-guess passwords, reused those passwords across many other applications beyond ChargeOver, and did not have 2FA/MFA enabled within ChargeOver. Malicious actors were able to guess the ChargeOver users' passwords and log in to ChargeOver. ChargeOver itself was not hacked and did not suffer any sort of security breach.

This led to ChargeOver’s primary email provider (SendGrid) temporarily placing a hold on some outgoing email from ChargeOver.

ChargeOver worked closely with SendGrid to restore normal email delivery.

Incident timeline

  • Early July - two malicious actors guess ChargeOver user passwords (or re-use passwords from other applications), and send many malicious emails via ChargeOver
  • July 12 - 06:22 CT - ChargeOver’s monitoring automatically alerts our team of unexpected activity on two ChargeOver accounts, and we notify the affected customers and force password changes on the affected accounts
  • July 13 - 08:25 CT - ChargeOver begins work towards future mitigation strategies
  • (July 13 - July 29) - ChargeOver pushed out 19 separate updates through this 2-week period to mitigate impact, protect against future attacks, and migrate some critical pieces of infrastructure away from the affected SendGrid account
  • July 25 - 16:00 CT - SendGrid places a suspension/hold on one of ChargeOver’s email accounts, but does not notify us
  • July 26 - 11:55 CT - ChargeOver staff reach out to SendGrid because we are seeing some email being delayed
  • July 29 - 22:41 CT - SendGrid removes the hold/suspension on the account, and normal email delivery returns

Remediation plan

We’ve identified a number of items to be addressed to protect against future attacks, and mitigate impact.

The most important item is to encourage all ChargeOver customers to enable 2FA/MFA on their ChargeOver account. Enabling 2FA/MFA is quick, easy, free, and the single most important thing anyone can do to protect against any sort of unauthorized access to any application you use online. ChargeOver customers will see a push for 2FA/MFA adoption across all ChargeOver accounts.

Items already accomplished during the July 13 - July 29th period:

  • Improved / more proactive monitoring of spam reports
  • Added rate limiting for sending email through the ChargeOver admin panel
  • Moved critical email infrastructure to separate, independent SendGrid accounts

Future plans:

  • Enforce rate limiting for email sending through the REST API
  • Enforce rate limiting for email sending through the ChargeOver.js API
  • Add various rate limits into a number of in-app endpoints
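One way to implement the per-account send rate limit and the split between critical admin email and bulk transactional email described in the remediation items above, as an added example that is not ChargeOver's own code. The window length, per-account limit, alert threshold, and the set of critical email types are assumptions chosen for illustration.

```python
"""Per-account outbound email gate: rate limit + isolated sender for critical mail."""
from collections import defaultdict, deque

# Constructed policy values (assumptions, not taken from the incident report).
WINDOW_SECONDS = 3600        # sliding window over which sends are counted
LIMIT_PER_ACCOUNT = 200      # max non-critical emails per account per window
ALERT_THRESHOLD = 0.8        # raise a monitoring alert at 80% of the limit
# Email types the status updates list as delivered without delay; routed to an
# isolated sender credential so a hold on the shared account cannot delay them.
CRITICAL_TYPES = {"admin_invite", "password_reset",
                  "scheduled_report", "admin_notification"}


class OutboundEmailGate:
    def __init__(self, window=WINDOW_SECONDS, limit=LIMIT_PER_ACCOUNT):
        self.window = window
        self.limit = limit
        self._sent = defaultdict(deque)   # account_id -> send timestamps
        self.alerts = []                  # (account_id, count) for monitoring

    def _prune(self, account_id, now):
        """Drop timestamps that have fallen out of the sliding window."""
        q = self._sent[account_id]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def decide(self, account_id, email_type, now):
        """Return (allowed, sender_credential) for one send request.

        Critical admin emails bypass the per-account limit and use the
        'critical' sender; everything else counts against the shared one.
        """
        if email_type in CRITICAL_TYPES:
            return True, "critical"
        q = self._prune(account_id, now)
        if len(q) >= self.limit:
            return False, None            # rate limited: reject or re-queue
        q.append(now)
        # Emit an alert once, when the account reaches the warning threshold,
        # so a compromised account shows up before it exhausts the limit.
        if len(q) == int(self.limit * ALERT_THRESHOLD):
            self.alerts.append((account_id, len(q)))
        return True, "shared"
```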
Posted Dec 02, 2024 - 15:23 CST

Resolved
Email delivery is operating normally.

A postmortem will follow.
Posted Jul 30, 2024 - 10:50 CDT
Monitoring
The email delays have been resolved. We are monitoring delivery of emails.

Some users may still experience some delays and/or higher-than-normal bounce rates for a short amount of time.

Further updates and a postmortem will follow.
Posted Jul 30, 2024 - 07:24 CDT
Update
We have diverted all email delivery to a secondary email account.

Some delivery delays are still occurring. While we are working to resolve this, some emails sent may not be sent with correctly aligned DKIM policies/signatures.

We continue to work with our email provider to resolve this.
Posted Jul 29, 2024 - 15:49 CDT
Update
We are diverting some email delivery to a secondary email account.

Some delivery delays are still occurring. While we are working to resolve this, some emails sent may not be sent with correctly aligned DKIM policies/signatures.
Posted Jul 29, 2024 - 13:38 CDT
Update
Emails of the following types are being delivered without any delays:

* invites sent to new admin users
* admin password resets
* scheduled reports
* any sort of admin notifications (e.g. notifications when a quote is accepted, when custom domains are configured, etc.)

We are aware that many of our customers are seeing significant delivery delays for transactional emails (e.g. invoice due emails, payment receipt emails, etc.).

We are working with our email provider to get the delays resolved as soon as possible.

If your account is using your own SMTP server or your own SendGrid, Mailgun, or Mandrill account, your account is unaffected by the delivery delays.
Posted Jul 29, 2024 - 12:27 CDT
Update
We have identified the problem, and are working with our email provider to resolve it.

At this time, we expect all emails to be sent successfully, but some delivery delays may occur.
Posted Jul 29, 2024 - 07:38 CDT
Identified
We have identified the problem, and are working with our email provider to resolve it.

At this time, we expect all emails to be sent successfully, but some delivery delays may occur.
Posted Jul 28, 2024 - 07:36 CDT
Investigating
Some customers are experiencing a delay in delivery of outgoing emails from ChargeOver. Our team is working with our email provider to investigate the delay.

At this time, we expect all emails to be sent successfully, but some delivery delays may occur.
Posted Jul 27, 2024 - 22:09 CDT
This incident affected: Email Sending.