We're experiencing difficulty. Our engineers are on it. Please check status.mailgun.com for real-time updates.

What Do I Do If My Mailgun Account Has Been Compromised?

If for any reason you believe your account has been compromised (suspicious behavior, unusual activity, etc.), or you receive a notification that your account has been disabled because it appears to have been compromised, make sure and reach out to our Support team right away. 

However, we want to go ahead and get you a head start as to our standard procedures for compromises; the following is essentially just what we'll be asking to help rectify and re-secure your account:

Step 1. Reset your Mailgun private API key and expire any old keys.

We'll show you how to do this below:

  1. First, log in to the Mailgun Control Panel (if you have not already done so).
  2. Then, at the top-right corner of the page, click the Profile drop-down menu to expand its list of options.
  3. Next, click the API keys option. Alternatively, you can use this direct link
  4. Click the refresh icon(i.e. the two arrows forming a circle) to generate a new private API key.
  5. We require that you delete the old API key after the reset to maximize the account's security. 
  • Note: Make sure to refresh the page and click the Trash can icon Screen_Shot_2019-12-27_at_3.44.59_PM.png to immediately retire the former API key. Do this even if you don't usually send via API.                                              

Step 2. Reset your SMTP credentials for each domain 

We'll show you how to do this below:

  1. First, log in to the Mailgun Control Panel (if you have not already done so).
  2. Then, within the left-hand navigation pane, click the Sending option to expand its list of suboptions.
  3. Next, click the Domain settings suboption, and then click on the SMTP credentials tab.
  4. Ensure that the domain you wish to delete is displayed within the Domain drop-down list towards the upper-right portion of the page.
    Screen Shot 2022-09-11 at 6.58.43 PM.png
  5. To update the password, click the Reset password button.
  6. Confirm your password reset by clicking the Reset Password button in the pop-up modal.
  7. NOTE: The new SMTP password will be available within a dark-gray notification window that appears in the bottom-right portion of the Control Panel. Save this password in your application and in a secure password manager, as it will not be displayed again

Step 3. Reset the password for each user that has access to the Mailgun account.

Use the following link to request a password reset email for each user on your account; keep in mind, the link you send yourself expires after 20 minutes: 

https://login.mailgun.com/recovery/new

Step 4. Enable Two-Factor Authentication for each user that has access to the Mailgun account.

Check out this article for the full set of steps needed to complete this task. 

Step 5. Reach out to us and let us know once all the above steps have been completed.

Once we can confirm that the above steps have all been satisfied, we can go ahead and re-enable your account to get you back up and running!

Note: We also strongly recommend reaching out to your hosting service provider, as well as referring to any public repositories that you have, to be sure that this compromise is isolated to just your Mailgun account. 

Got Questions?

Mailgun by Sinch has answers! If you have any concerns or questions, please send us a Support ticket using the Support page within your Mailgun Control Panel.  Our Support Team will be happy to assist!