What Do I Do If My Mailgun Account Has Been Compromised?

If for any reason you believe your account has been compromised (suspicious behavior, unusual activity, etc.), or you receive a notification that your account has been disabled because it appears to have been compromised, reach out to our Support team via the Support option of your Mailgun control panel right away.

To give you a head start, here are our standard procedures for a compromise. These are the steps we'll ask you to complete to rectify and re-secure your account:

Step 1. Reset your Mailgun private API key and expire any old keys.

Inside the Mailgun Control Panel:

  • Navigate to the top-right of the page next to your username, click the down-arrow, and then select the API Keys option. Alternatively, you can use this direct link.
  • On the following page, under the API keys section, you'll see both your Private and Public API keys.
  • Click on the refresh icon (two arrows forming a circle) to reset your API key.
  • Note: Make sure to refresh the page and click the Trash can icon to immediately retire the former API key. Do this even if you don't usually send via API.

Step 2. Reset your Postmaster and Custom SMTP credentials for each domain 

Inside the Mailgun Control Panel (options displayed down the left-hand side on a dark column), use the following instructions:

  • Click on Sending on the left-hand side of your Mailgun dashboard.
  • On the following page, click on your specific domain.
  • Click on Domain Settings, then click on SMTP Credentials.
  • To update the password, click Reset Password.
  • Confirm your password reset by clicking Reset Password in the pop-up.
  • Note: Your SMTP credential's new password will be displayed in the top-right corner within a green pop-up. Save this password, as it will not be exposed again.

Step 3. Reset the password for each user that has access to the Mailgun account.

Use the following link to request a password reset email for each user on your account; keep in mind, the link you send yourself expires after 20 minutes: 


Step 4. Enable Two-Factor Authentication for each user that has access to the Mailgun account.

Check out this article for the full set of steps needed to complete this task. 

Step 5. Reach out to us and let us know once all the above steps have been completed.

Once we can confirm that the above steps have all been satisfied, we can go ahead and re-enable your account to get you back up and running!


Note: We also strongly recommend reaching out to your hosting service provider, as well as referring to any public repositories that you have, to be sure that this compromise is isolated to just your Mailgun account. 
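One way to check a local checkout of a repository for exposed Mailgun credentials, as the note above recommends (an added example, not Mailgun's own tooling). It assumes legacy private API keys of the form `key-` plus 32 hex characters; `scan_text`, `scan_tree` and `redact` are names chosen for this example, and it reads the working tree only, not the commit history.

```python
import re
import sys
from pathlib import Path

# Assumption: legacy private API keys are "key-" followed by 32 hex characters.
# Keys in any other format are not matched by this pattern.
KEY_RE = re.compile(r"\bkey-[0-9a-f]{32}\b")
# Mailgun's API and SMTP hostnames: a line naming one deserves a manual look
# for a hardcoded SMTP password or a key that KEY_RE does not cover.
HOST_RE = re.compile(r"\b(?:api\.mailgun\.net|smtp\.mailgun\.org)\b")
MAX_BYTES = 1_000_000  # skip large files, which are rarely source or config


def redact(secret):
    """Keep enough of the value to locate it, never the whole secret."""
    return secret[:8] + "..."


def scan_text(text):
    """Yield (line_number, kind, detail) for each line that needs attention."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        keys = KEY_RE.findall(line)
        for key in keys:
            yield lineno, "api-key", redact(key)
        host = HOST_RE.search(line)
        if not keys and host:
            # Report only the hostname so a password on the line is not echoed.
            yield lineno, "review", host.group(0)


def scan_tree(root):
    """Scan regular files under root, skipping .git and oversized files."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if ".git" in rel.parts or not path.is_file():
            continue
        if path.stat().st_size > MAX_BYTES:
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        for lineno, kind, detail in scan_text(text):
            findings.append((rel.as_posix(), lineno, kind, detail))
    return findings


if __name__ == "__main__":
    for rel, lineno, kind, detail in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}:{lineno}: {kind}: {detail}")
```

Any `api-key` finding in a repository that is or was public means the key should be treated as exposed and rotated as in Step 1, even if the file has since been changed.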

If any questions arise along the way, and you haven't already, feel free to contact our Support team via the Support option in your Mailgun control panel!