Full Report
In March 2023, the "AI-first global cloud platform" Vultr disclosed a security incident at a third-party vendor. Dating back to the previous year, the incident was attributed to the ActiveCampaign email marketing service provider and resulted in the exposure of 188k unique email addresses. A small number of records also included name, IP address and country of origin. No Vultr systems or additional customer data were impacted. Vultr subsequently self-submitted the impacted data to HIBP.
Analysis Summary
# Incident Report: Vultr Customer Data Exposure via ActiveCampaign Vendor Breach
## Executive Summary
In March 2023, Vultr disclosed a security incident stemming from a breach at its third-party email marketing service provider, ActiveCampaign. The incident, which occurred in July 2022, resulted in the exposure of 188,000 unique email addresses belonging to Vultr customers, along with some associated names, IP addresses, and country data. No Vultr systems were directly compromised, and Vultr subsequently submitted the data for inclusion in Have I Been Pwned (HIBP).
## Incident Details
- **Discovery Date:** March 2023 (Date of disclosure by Vultr)
- **Incident Date:** July 2022 (date the breach occurred, per the ActiveCampaign/Vultr context)
- **Affected Organization:** Vultr (Data exposed) via Third-Party Vendor (ActiveCampaign)
- **Sector:** Cloud Computing / IT Services
- **Geography:** Global (Vultr's customer base)
## Timeline of Events
### Initial Access
- **Date/Time:** July 2022 (Approximate timeframe of the vendor incident)
- **Vector:** Compromise of ActiveCampaign systems (Third-Party Vendor Breach)
- **Details:** Attackers successfully breached the ActiveCampaign email marketing platform used by Vultr.
### Lateral Movement
- **Date/Time:** N/A
- **Vector:** Not applicable in the context of Vultr's direct systems. Movement occurred within the compromised vendor's environment.
### Data Exfiltration/Impact
- **Date/Time:** N/A
- **Vector:** Data extraction from ActiveCampaign databases.
- **Details:** Exposure of approximately 188,000 unique email addresses. A small subset also included associated names, IP addresses, and country of origin data.
### Detection & Response
- **Date/Time:** March 2023 (Vultr disclosed the incident)
- **Vector:** Vendor notification and internal investigation.
- **Details:** Vultr publicly disclosed the incident and subsequently self-submitted the impacted data to HIBP. The HIBP entry date is listed as November 20, 2025, which is likely a future or placeholder date in the source context; the disclosure itself was in March 2023.
## Attack Methodology
*Note: As this was a vendor breach, the methodology specific to ActiveCampaign is inferred.*
- **Initial Access:** Likely focused on gaining access to ActiveCampaign's production or shared environment hosting Vultr customer lists.
- **Persistence:** Not documented.
- **Privilege Escalation:** Not documented.
- **Defense Evasion:** Not documented.
- **Credential Access:** Not documented.
- **Discovery:** Not documented.
- **Lateral Movement:** Within ActiveCampaign's infrastructure.
- **Collection:** Targeting customer management or marketing databases storing Vultr contact information.
- **Exfiltration:** Theft of customer PII stored by the vendor.
- **Impact:** Unauthorized access and exposure of customer contact data.
## Impact Assessment
- **Financial:** Not quantified in the source material; the incident involved costs related to incident response and public disclosure.
- **Data Breach:** Exposure of **187,900** unique email addresses. A small subset also included names, IP addresses, and countries of origin.
- **Operational:** **None** reported on Vultr's core cloud systems or service delivery.
- **Reputational:** Negative public impact stemming from the delayed disclosure (incident in July 2022, disclosed March 2023) and reliance on a third party.
## Indicators of Compromise
*Vendor-specific details (ActiveCampaign) are not provided in the summary.*
- **Network indicators:** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** Inferred unauthorized data access/extraction from ActiveCampaign servers during July 2022.
## Response Actions
- **Containment measures:** Likely involved isolating Vultr data/connections with ActiveCampaign post-discovery, though specifics were not detailed.
- **Eradication steps:** Not documented.
- **Recovery actions:** Vultr provided notification/disclosure to customers and self-submitted the exposed data to HIBP for consumer awareness.
## Lessons Learned
- **Key takeaways:** Over-reliance on third-party vendors, especially those handling customer communication data, introduces significant risk to the primary organization's security posture and customer trust.
- **What could have been done better:** Earlier detection and disclosure of the July 2022 incident by the reporting chain (vendor to Vultr, Vultr to public).
## Recommendations
- **Prevention measures for similar incidents:** Implement a stricter vendor risk management (VRM) program, with audit rights and immediate breach-notification clauses for high-risk processors such as marketing and email services. Segment critical customer data so that it is not routinely accessible to broad marketing toolsets. Users should change the password on any account where they reuse credentials.