SendGrid confirms hack, issues mass password reset

The emailing service confirmed it anticipates many more users could be affected than first thought after an employee account was accessed.


Email delivery service SendGrid confirmed more users than it first thought are affected by a security breach last month.

In a blog post, the company admitted that one of its own employees' accounts was "compromised" by an attacker, who used it to gain access to several of its internal systems on three separate dates in February and March.

The systems contained usernames and email addresses of both SendGrid employees and customers, but the company said the passwords were salted and hashed -- a method of scrambling the data so that the original passwords are not stored in readable form.

The company said payment data was not taken, as it does not store credit card data.

Although the company said there was no forensic evidence to show any data was stolen, it has begun a mass password reset and asked around 600 customers to generate new DKIM keys, which are used to digitally sign their outgoing email.

The hack was first reported earlier this month when the company said a "Bitcoin-related client" was the target of a hack. The New York Times revealed the client was Coinbase, a virtual currency exchange. The Coinbase account was used to send out phishing emails in bulk, which is said to have ensnared a SendGrid employee's account.

SendGrid's breach is limited compared to recent attacks on Target, Home Depot, or JP Morgan, the company said. But it promised that it would improve security, including an "enhanced" two-factor authentication system.