What Do I Do If My Mailgun Account Has Been Compromised?

If for any reason you believe your account has been compromised (suspicious behavior, unusual activity, etc.), or you receive a notification that your account has been disabled because it appears to have been compromised, be sure to reach out to our Support team right away.

To give you a head start, here are our standard procedures for a compromised account. These are the steps we will ask you to complete to help rectify and re-secure your account:

Step 1. Investigate

In the interest of protecting the Mailgun by Sinch platform and customers such as yourself, we ask you to investigate your applications for any signs of leaked credentials and report back any findings to us.

We are especially interested in any instances of vulnerable WordPress sites and/or exposed PHP environment configurations (Apache, Laravel, NodeJS, and similar frameworks) you might be able to find.

Here are a few helpful resources on some of the most common causes of leaked credentials:

* Laravel: https://www.mailgun.com/blog/it-and-engineering/a-word-of-caution-for-laravel-developers/
* Symfony: https://www.synacktiv.com/en/publications/looting-symfony-with-eos.html
* General PHP Frameworks: https://beaglesecurity.com/blog/vulnerability/revealing-phpinfo.html
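
One way to start the Step 1 investigation on your own servers, as an added example (not Mailgun tooling): the script below walks a web root or repository checkout and reports `.env` files holding mail credentials, debug mode left on, and PHP files that call `phpinfo()`. The variable names (`MAILGUN_*`, `MAIL_PASSWORD`, `APP_DEBUG`) are assumed framework conventions, and the sample tree and its values are constructed.

```python
import os
import re
import tempfile

# Variable names are assumptions (common .env conventions), not from the article.
SECRET_VAR = re.compile(
    r"^[ \t]*(MAILGUN_\w*(?:SECRET|KEY|PASSWORD)\w*|MAIL_PASSWORD)[ \t]*=[ \t]*(\S+)", re.M)
DEBUG_ON = re.compile(r"^[ \t]*APP_DEBUG[ \t]*=[ \t]*true\b", re.M | re.I)
PHPINFO = re.compile(r"\bphpinfo\s*\(")

def redact(value):
    """Keep a 4-character prefix so a finding identifies the secret without repeating it."""
    return value[:4] + "*" * max(len(value) - 4, 0)

def scan_tree(root):
    """Return sorted (relative path, kind, detail) findings for a web root or repo checkout."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip version-control metadata and third-party dependency directories.
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules", "vendor")]
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            try:
                with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
                    text = fh.read(1_000_000)
            except OSError:
                continue  # unreadable file: nothing to report
            if name.startswith(".env"):
                for var, val in SECRET_VAR.findall(text):
                    findings.append((rel, "credential-in-env", f"{var}={redact(val.strip(chr(34) + chr(39)))}"))
                if DEBUG_ON.search(text):
                    findings.append((rel, "debug-enabled", "APP_DEBUG=true"))
            elif name.endswith(".php") and PHPINFO.search(text):
                findings.append((rel, "phpinfo-call", "phpinfo() output includes environment variables"))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree (all values are fake) and return the findings."""
    files = {".env": "APP_DEBUG=true\nMAILGUN_SECRET=key-EXAMPLEONLY0000\nMAIL_PASSWORD='smtp-example'\n",
             "public/info.php": "<?php phpinfo(); ?>\n",
             "public/index.php": "<?php echo 'ok'; ?>\n"}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "public"))
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="  ")
```

Point `scan_tree()` at each deployed application directory and at a fresh clone of every public repository; any credential it reports should be treated as leaked and rotated in the steps that follow.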

We have been able to better protect our platform and uncover the root cause of many exploits bad actors are using to abuse Mailgun accounts thanks to the helpful input of customers like yourself. We take security very seriously and have put in exhaustive work to ensure our platform remains safe for our customers. We are always looking for ways to improve the security of our platform and proactively fight against abuse, even if the vulnerabilities are completely external to our platform. Your input helps tremendously, and we are grateful for your time and attention in helping our team better protect our customers!

 

Step 2. Reset your Mailgun private API key and expire any old keys.

We'll show you how to do this below:

  1. First, log in to the Mailgun Control Panel (if you have not already done so).
  2. Then, at the top-right corner of the page, click the Profile drop-down menu to expand its list of options.
  3. Next, click the API keys option. Alternatively, you can use this direct link
  4. Click the refresh icon (i.e. the two arrows forming a circle) to generate a new private API key.
  5. We require that you delete the old API key after the reset to maximize the account's security. 
  • Note: Make sure to refresh the page and click the Trash can icon to immediately retire the former API key. Do this even if you don't usually send via API.

Step 3. Reset your SMTP credentials for each domain 

We'll show you how to do this below:

  1. First, log in to the Mailgun Control Panel (if you have not already done so).
  2. Then, within the left-hand navigation pane, click the Sending option to expand its list of suboptions.
  3. Next, click the Domain settings suboption, and then click on the SMTP credentials tab.
  4. Ensure that the domain you wish to delete is displayed within the Domain drop-down list towards the upper-right portion of the page.
  5. To update the password, click the Reset password button.
  6. Confirm your password reset by clicking the Reset Password button in the pop-up modal.
  7. NOTE: The new SMTP password will be available within a dark-gray notification window that appears in the bottom-right portion of the Control Panel. Save this password in your application and in a secure password manager, as it will not be displayed again.

We also encourage you to review all SMTP users for each domain to verify that they're all authorized, and remove any you don't recognize.

Step 4. Reset the password for each user that has access to the Mailgun account.

Use the following link to request a password reset email for each user on your account. Keep in mind that the link you send yourself expires after 20 minutes:

https://login.mailgun.com/recovery/new

Step 5. Enable Two-Factor Authentication for each user that has access to the Mailgun account.

Check out this article for the full set of steps needed to complete this task. 

Step 6. Reach out to us and let us know once all the above steps have been completed.

Once we can confirm that the above steps have all been satisfied, we can go ahead and re-enable your account to get you back up and running!

Note: We also strongly recommend reaching out to your hosting service provider, as well as referring to any public repositories that you have, to be sure that this compromise is isolated to just your Mailgun account. 

Got Questions?

Mailgun by Sinch has answers! If you have any concerns or questions, please send us a Support ticket using the Support page within your Mailgun Control Panel.  Our Support Team will be happy to assist!