Today we are informing our customers about an incident of unauthorized access to Vultr marketing data at a third-party vendor we used prior to September 2022 for email marketing. This security incident exposed a limited set of customer marketing data as detailed below. Importantly, there was no impact to Vultr systems, customer subscriptions, or customer assets. Vultr systems, customer subscriptions, and customer assets remain secure and at no point were ever at risk.
ActiveCampaign is a third-party email marketing service provider Vultr used up until September 2022 for marketing communications and campaigns. In October 2022, Vultr transitioned to a new email marketing service provider and ended use of ActiveCampaign. Furthermore, on March 2, 2023, we initiated vendor off-boarding for ActiveCampaign in conjunction with the end of our contract on March 27, 2023.
On Thursday, March 16, 2023, Vultr’s Security Operations team determined that unauthorized access to a Vultr marketing user account at ActiveCampaign resulted in an export of 188,228 marketing records, a small minority of our total customer marketing records. The majority of the impacted records – approximately 114,000 – did not contain any personal information other than email address. Of the remaining records, the primary additional personal information exposed was first name, last name, and country.
On the morning of Friday, March 17, 2023, we received confirmation of these events from ActiveCampaign. As a result of the above, we have taken immediate steps to purge all remaining customer data from their platform.
What customers should know
None of Vultr’s systems, employees, or customer assets were compromised.
Because this was limited to a marketing data set at a third-party vendor, the following information was NOT compromised: account passwords, account bills, account history, account subscriptions, and other core Vultr account details. None of this information was available to ActiveCampaign, and it was therefore never subject to compromise.
Importantly, all marketing communications since December 2022 from firstname.lastname@example.org, including all Vultr newsletters and campaign emails, are using our new service provider and are not affected by this event. In addition, all product and support communications coming directly from the Vultr platform are similarly unaffected by this event.
As part of this process, Vultr’s Security Operations team has reviewed Vultr’s security policies, procedures, and systems to confirm that our core platform and customer data remain secure.
Next steps for customers
Vultr customers should be diligent, and should inspect and confirm all communications that appear to come from Vultr. All users should be on high alert for any spear phishing attempts. Be vigilant about clicking on any links. If any email or communication seems suspicious, please submit a support ticket at the my.vultr.com portal requesting confirmation of its authenticity.
Be especially diligent if you receive a suspicious email directing you to change passwords or perform any actions for account-related activity. Vultr’s customer support team is on standby to assist with any questions that may arise.
Next steps for Vultr
Here at Vultr, security, compliance, and protection of our customers’ privacy and data are at the core of everything we do. We are committed to ensuring that bad actors do not compromise your identity, workloads, or business. It is for this reason that we maintain a regular and rigorous security review of third-party systems to minimize risk of external attack vectors.
All affected customers are receiving direct email communication beginning today. If you are a customer and have questions, please submit a support ticket at the my.vultr.com portal.