Yesterday we had a minor security breach whereby one of the API Keys we use for sending test emails became public. No customer data was exposed, and we patched the issue quickly.

How did this happen?

On Friday, July 23rd, one of the API keys we use for sending test emails was accidentally published to a public Github repository.

Shortly after it was published, we received a notification from GitGuardian, a service designed to catch this kind of mistake.

We removed the key in question from the repository and added a gitignore rule to prevent it from being accidentally added back.

Unfortunately, it appears someone had already acquired the key, and they subsequently used it to send some fake "Password Changed" emails through our server.

What impact did it have?

About 100 of these "Password Changed" emails were sent from our domain to seemingly random email addresses; fortunately, the message did not contain any malicious content or links.

No customer data was exposed.

How was it resolved?

In addition to removing and banning the key from the Github repository, we revoked the API key and replaced it with another, plugging the hole.

Avatar for Robin Geall
Robin Geall
Began at: