If for any reason you believe your account has been compromised (suspicious behavior, unusual activity, etc.), or you receive a notification that your account has been disabled because it appears to have been compromised, make sure and reach out to our Support team right away.
However, we want to go ahead and get you a head start as to our standard procedures for compromises; the following is essentially just what we'll be asking to help rectify and re-secure your account:
Step 1. Investigate
In the interest of protecting the Mailgun by Sinch platform and customers such as yourself, we ask you to investigate your applications for any signs of leaked credentials and report back any findings to us.
We are especially interested in any instances of vulnerable Wordpress sites and/or exposed PHP environment configurations (Apache, Laravel, NodeJS, and similar frameworks) you might be able to find.
Here are a few helpful resources on some of the most common causes of leaked credentials:
* Laravel: https://www.mailgun.com/blog/it-and-engineering/a-word-of-caution-for-laravel-developers/
* Symfony: https://www.synacktiv.com/en/publications/looting-symfony-with-eos.html
* General PHP Frameworks:https://beaglesecurity.com/blog/vulnerability/revealing-phpinfo.html
We have been able to better protect our platform and uncover the root cause of many exploits bad actors are using to abuse Mailgun accounts thanks to the helpful input of customers like yourself. We take security very seriously and have put in exhaustive work to ensure our platform remains safe for our customers. We are always looking for ways to improve the security of our platform and proactively fight against abuse, even if the vulnerabilities are completely external to our platform. Your input helps tremendously, and we are grateful for your time and attention in helping our team better protect our customers!
Step 2. Delete the impacted API key(s) and replace with new API key(s)
The API Key can be seen only once: within a pop-up modal after the key's creation. As such, in addition to configuring the API Key in your sending application(s), store the API Key in a secure location (such as your organization's credential/password manager) for future reference.
Consequently, if you lose the API Key, Mailgun will not be able to view and/or disclose the API Key at a later date. The only solution for this situation is to create a new API Key, configure your sending application(s) with the new API Key, and store the new API Key in a secure location for future reference.
To delete an existing API Key and then create a new API Key:
- In the top-right corner of the Mailgun Control Panel, click your Profile Menu to expand the drop-down list of options.
- Next, click the API Security option. Alternatively, you can use this direct link.
- The resulting page displays the API Keys tabbed section, which lists the account's API Keys (as well as the Verifications Public Key and HTTP Webhook Signing Key).
- For the existing API Key, click the trash icon and then click the Delete button in the pop-up modal to confirm deletion of the existing API Key.
- To create a new key to replace the former key, click the Add new key button and then click the Create Key button in the pop-up modal to confirm creation of the new API Key.
We require that you delete the old API key(s) affected by any type of compromise to maximize the account's security.
Step 3. Reset your SMTP credentials for each domain
We'll show you how to do this below:
- First, log in to the Mailgun Control Panel (if you have not already done so).
- Then, within the left-hand navigation pane, click the Sending option to expand its list of suboptions.
- Next, click the Domain settings suboption, and then click on the SMTP credentials tab.
- Ensure that the domain for which you wish to reset the SMTP credentials is displayed within the Domain drop-down list towards the upper-right portion of the page.
- To update the password, click the Reset password button.
- Confirm your password reset by clicking the Reset Password button in the pop-up modal.
- NOTE: The new SMTP password will be available within a dark-gray notification window that appears in the bottom-right portion of the Control Panel. Save this password in your application and in a secure password manager, as it will not be displayed again.
We also encourage you to review all SMTP users for each domain to verify that they're all authorized, and remove any you don't recognize.
Step 4. Reset the password for each user that has access to the Mailgun account.
Use the following link to request a password reset email for each user on your account; keep in mind, the link you send yourself expires after 20 minutes:
Step 5. Enable Two-Factor Authentication for each user that has access to the Mailgun account.
Check out this article for the full set of steps needed to complete this task.
Step 6. Reach out to us and let us know once all the above steps have been completed.
Once we can confirm that the above steps have all been satisfied, we can go ahead and re-enable your account to get you back up and running!
Note: We also strongly recommend reaching out to your hosting service provider, as well as referring to any public repositories that you have, to be sure that this compromise is isolated to just your Mailgun account.
Sinch Mailgun has answers! If you have any concerns or questions, please send us a Support ticket using the Support page within your Mailgun Control Panel. Our Support Team will be happy to assist!