Overview
If for any reason you believe your account has been compromised (suspicious behavior, unusual activity, etc.), or you receive a notification that your account has been disabled because it appears to have been compromised, make sure to reach out to our Support team right away.
However, we want to give you a head start on our standard procedures for compromises; the following is essentially what we'll be asking of you to help rectify and re-secure your account.
Step 1: Investigate
In the interest of protecting the Mailgun by Sinch platform and customers such as yourself, we ask you to investigate your applications for any signs of leaked credentials and report back any findings to us.
We are especially interested in any instances of vulnerable WordPress sites and/or exposed PHP environment configurations (Apache, Laravel, Node.js, and similar frameworks) you might be able to find.
Here are a few helpful resources on some of the most common causes of leaked credentials:
- Laravel: https://www.mailgun.com/blog/it-and-engineering/a-word-of-caution-for-laravel-developers/
- Symfony: https://www.synacktiv.com/en/publications/looting-symfony-with-eos.html
- General PHP Frameworks: https://beaglesecurity.com/blog/vulnerability/revealing-phpinfo.html
We have been able to better protect our platform and uncover the root cause of many exploits bad actors are using to abuse Mailgun accounts thanks to the helpful input of customers like yourself. We take security very seriously and have put in exhaustive work to ensure our platform remains safe for our customers. We are always looking for ways to improve the security of our platform and proactively fight against abuse, even if the vulnerabilities are completely external to our platform. Your input helps tremendously, and we are grateful for your time and attention in helping our team better protect our customers!
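One way to start the Step 1 investigation on your own application's source tree, as an added example that is not Mailgun's code. The variable names, the legacy `key-` key shape, the `public` web-root name and the skipped directories are assumptions, and the sample project is constructed with fake values.

```python
import re
import tempfile
from pathlib import Path

# Assumed patterns (not from the Mailgun article): Laravel-style variable
# names and the legacy "key-" + 32 hex characters API key shape.
ENV_VAR = re.compile(r"^\s*(MAILGUN_SECRET|MAILGUN_API_KEY|MAIL_PASSWORD)\s*=\s*(\S+)", re.M)
KEY_SHAPE = re.compile(r"\bkey-[0-9a-f]{32}\b")
PHPINFO = re.compile(r"\bphpinfo\s*\(")
SKIP_DIRS = {".git", "node_modules", "vendor"}  # skipped to cut noise (assumption)

def scan_tree(root):
    """Return sorted (relative_path, finding) pairs; secret values are never echoed."""
    root = Path(root)
    findings = set()
    for path in root.rglob("*"):
        parts = path.relative_to(root).parts
        if not path.is_file() or SKIP_DIRS & set(parts):
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        rel = "/".join(parts)
        for match in ENV_VAR.finditer(text):
            findings.add((rel, f"credential variable {match.group(1)} is set"))
        if KEY_SHAPE.search(text):
            findings.add((rel, "string shaped like a legacy API key"))
        if PHPINFO.search(text):
            findings.add((rel, "phpinfo() call dumps environment variables"))
        # "public" as the web-served directory is an assumption (Laravel layout).
        if "public" in parts[:-1] and path.name.startswith(".env"):
            findings.add((rel, "env file inside a web-served directory"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample project; every value below is fake."""
    root = Path(root)
    (root / "public").mkdir()
    (root / "vendor").mkdir()
    (root / ".env").write_text("APP_DEBUG=true\nMAILGUN_SECRET=key-" + "0" * 32 + "\n")
    (root / "public" / "info.php").write_text("<?php phpinfo(); ?>\n")
    (root / "public" / ".env.bak").write_text("MAIL_PASSWORD=constructed-value\n")
    (root / "vendor" / "lib.php").write_text("<?php phpinfo(); ?>\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, finding in scan_tree(tmp):
            print(f"{rel}: {finding}")
```

Point `scan_tree` at each application that sends through Mailgun; any key or password it flags should be treated as exposed and replaced in Steps 2 and 3.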
Step 2: Delete the impacted API key(s) and replace with new API key(s)
Important Note!
The Mailgun API Key can be seen only once: within a pop-up modal after the key's creation. As such, in addition to configuring the Mailgun API Key in your sending application(s), store the Mailgun API Key in a secure location (such as your organization's credential/password manager) for future reference.
Consequently, if you lose the Mailgun API Key, Mailgun will not be able to view and/or disclose the Mailgun API Key at a later date. The only solution for this situation is to create a new Mailgun API Key, configure your sending application(s) with the new Mailgun API Key, and store the new Mailgun API Key in a secure location for future reference.
To delete an existing Mailgun API Key and then create a new Mailgun API Key:
- In the top-right corner of the Mailgun Control Panel, click your Profile Menu to expand the drop-down list of options.
- Next, click the API Security option. Alternatively, you can use this direct link.
- The resulting page displays the Verifications Public Key, HTTP Webhook Signing Key, and most importantly for our present purpose, the Mailgun API Keys. For the existing Mailgun API Key, click the trash icon.
- Now, click the Delete button in the pop-up modal to confirm deletion of the existing API Key.
- Next, to create a new key to replace the former key, click the Add new key button.
- Finally, type a description and click the Create Key button in the pop-up modal to confirm creation of the new Mailgun API Key.
We require that you delete the old API key(s) affected by any type of compromise to maximize the account's security.
Step 3: Reset your SMTP credentials for each domain
We'll show you how to do this below:
- First, log in to the Mailgun Control Panel (if you have not already done so).
- Then, within the left-hand navigation pane, click the Send product and then click the Sending option to expand its list of suboptions.
- Next, click the Domain settings suboption, and then click on the SMTP credentials tab.
- Ensure that the domain for which you wish to reset the SMTP credentials is displayed within the Domain drop-down list towards the upper-right portion of the page.
- To update the password, click the Reset password button.
- Confirm your password reset by clicking the Reset Password button in the pop-up modal.
- NOTE: The new SMTP password will be available to copy within a dark-gray notification window that appears in the bottom-right portion of the Control Panel. Copy and save this password in your application and in a secure password manager, as it will not be displayed again.
- We also encourage you to review all SMTP users for each domain to verify that they're all authorized, and remove any you don't recognize.
Step 4: Reset the password for each user that has access to the Mailgun account
If your account is using Sinch Identity to log in (screenshots of this process here and a Sinch ID badge will be on at least one of your users here), each user on the account will need to go through the following three steps:
- To accomplish this, navigate towards the top-right of the page, click the Profile drop-down menu, and then click the Manage my Sinch ID option.
- You should be taken to My Profile in a page called Sign-in & Security. Click the Change password button on the page.
- An email with password reset instructions will be sent to the user's email address. Complete the instructions in this email to reset the password.
Otherwise, if your account does not use Sinch Identity to log in, please refer to this article for the full set of steps needed to complete this task. Use the following link to request a password reset email for each user on your account; keep in mind, the link you send yourself expires after 20 minutes:
Note: Do not use the above link if your account uses Sinch Identity because it will completely break your ability to log in to the Control Panel.
Step 5: Enable Two-Factor Authentication for each user that has access to the Mailgun account
If your account is using Sinch Identity to log in (screenshots of this process here and a Sinch ID badge will be on at least one of your users here), each user on the account will need to go through the following three steps:
- To accomplish this, navigate towards the top-right of the page, click the Profile drop-down menu, and then click the Manage my Sinch ID option.
- You should be taken to My Profile in a page called Sign-in & Security. Click the Configure 2FA button on the page.
- On the resulting page, you can choose to set up 2FA through an authenticator app, or through SMS.
Otherwise, if your account does not use Sinch Identity to log in, please refer to this article for the full set of steps needed to complete this task. Note: Do not use the above steps in the article if your account uses Sinch Identity because it will completely break your ability to log in to the Control Panel.
Step 6: Reach out to us and let us know once all the above steps have been completed
Once we can confirm that the above steps have all been satisfied, we can go ahead and re-enable your account to get you back up and running!
Note: We also strongly recommend reaching out to your hosting service provider, as well as referring to any public repositories that you have, to be sure that this compromise is isolated to just your Mailgun account.
Need Support?
Our Support Team here at Sinch Mailgun is happy to help! Reach out to us in the Support page of your Mailgun Control Panel, and we'll be with you shortly!