
MailChimp, Mailgun, and Sendgrid API leak endangered over 54m users

Jan 14, 2023

Leaked API keys of three popular email service providers allowed threat actors to perform various unauthorized actions such as sending emails, accessing mailing lists and personal data, deleting API keys, and modifying two-factor authentication, hence putting 54 million users at risk.

Email marketing companies provide users with various services, like sending, validating, and receiving emails through their domain, creating emails and email campaigns, and tracking the performance of marketing campaigns.

Email service providers expose an API (Application Programming Interface) so that customer applications can communicate with the platform across different systems without human intervention. An API key is a unique identifier that users, developers, or calling programs use to authenticate themselves to that API.

CloudSEK’s BeVigil research team found that about 50% of the 600 apps it examined on the Google Play Store were leaking API keys for three email service providers: MailChimp, Mailgun, and SendGrid. According to the report, these platforms are used by companies such as Spotify, Uber, Airbnb, RazorPay, Slack, Reddit, and Stripe. The leaked keys could potentially expose users’ data.


Mailchimp’s users’ private data could be accessed


Mailchimp is one of the most popular email marketing services on the market, with around 14 million users and 600 million emails sent through the platform daily, according to the statistics provided by the company.

According to the report, 29,308,710 Mailchimp users were affected by the discovered API key leak. The highest number of affected users are in the US, followed by the UK and Spain. The API keys could potentially allow a threat actor to read email conversations, including the sender’s and receiver’s addresses, the subject line, and the message body.

Screenshot from CloudSEK’s report

The researchers also managed to obtain information about a specific store’s customers, track their orders, and view e-commerce data, including full names, email IDs, shipping addresses, billing addresses, latitude, and longitude. The perpetrators could also fetch the details of all the promo codes used by the MailChimp shops, and create new promo codes with any discount rate.

The leak exposed multiple campaign email lists containing clients’ personally identifiable information (PII), such as full names, full residence addresses, email IDs, IP addresses, latitude, and longitude. Researchers revealed that the compromised data included 7.5 million customers’ email lists and 1.3 million store and order data.

The uncovered leak is particularly dangerous because the API keys could be used to authorize third-party applications connected to a MailChimp account, then start a fake campaign or send emails on behalf of the company.

Mailgun’s data could be used for phishing attacks


The Mailgun platform provides email API services that let brands send, validate, and receive emails through their domain at scale. According to the report, the API key leak compromised the data of 6,798,665 Mailgun users, mainly in the US, followed by Russia and Brazil.

Researchers note that the leak would allow a threat actor to send emails and read emails sent by Mailgun customers, fetch all statistics calculated at hourly, daily, and monthly resolution in the UTC timezone, and retrieve customers’ mailing lists. They were also able to find SMTP (Simple Mail Transfer Protocol) credentials and IP addresses. This is the most concerning finding, as those credentials could be used to launch a phishing campaign.

SendGrid’s APIs could be used to hijack accounts


The SendGrid platform, which provides cloud-based email marketing services, was also affected by the leak. The 18,143,455 affected users were mainly based in the US, followed by the UK and India.

The customers’ leaked API keys could be used to send emails on behalf of the clients, significantly increasing their bills. The security loophole would also allow threat actors to create API keys, control the IP addresses allowed to access users’ accounts, and modify two-factor authentication (2FA).

This issue is dangerous because it lets perpetrators add an unlimited number of malicious IP addresses to the allow list and even remove legitimate users’ IP addresses, locking those users out of their own accounts.

Keeping APIs safe


CloudSEK has notified the involved companies and the affected apps about the hardcoded API keys. “In modern software architecture, APIs integrate new application components into existing architecture. So its security has become imperative,” the researchers say in the report.

The team advises software developers to avoid embedding API keys in their applications. Developers should follow secure coding and deployment practices, such as standardizing review procedures, rotating and hiding keys, and using a vault.
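One practical form of the "standardized review procedure" recommended above is a pre-commit or CI check that refuses a build when an email-provider key shows up in packaged resources. The following is an added example written for this article, not code from CloudSEK, BeVigil, or any of the three providers. The regular expressions are assumptions based on the publicly documented shapes of SendGrid, Mailchimp, and Mailgun keys and should be tuned to whatever formats your providers currently issue; the `strings.xml` sample and the keys inside it are constructed for the demo and are not real credentials.

```python
import re
from dataclasses import dataclass

# Key shapes are assumptions from publicly documented formats (not from the report):
#   SendGrid : "SG." + 22 url-safe chars + "." + 43 url-safe chars
#   Mailchimp: 32 hex chars + "-us" + data-center number
#   Mailgun  : "key-" + 32 hex chars (older key style)
PATTERNS = {
    "sendgrid": re.compile(r"\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b"),
    "mailchimp": re.compile(r"\b[0-9a-f]{32}-us\d{1,2}\b"),
    "mailgun": re.compile(r"\bkey-[0-9a-f]{32}\b"),
}


@dataclass(frozen=True)
class Finding:
    provider: str
    line_no: int
    redacted: str  # never store or log the full secret in CI output


def redact(secret: str) -> str:
    """Keep just enough of the value to locate it in the file, nothing more."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per provider-key-shaped token, in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for provider, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(provider, line_no, redact(match.group(0))))
    return findings


def build_should_fail(text: str) -> bool:
    """Policy hook for CI: any hardcoded provider key blocks the release."""
    return bool(scan_text(text))


# Constructed Android resource file with fake keys, mimicking the pattern
# the report describes (secrets shipped inside the app bundle).
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">DemoShop</string>
    <string name="sendgrid_key">SG.abcdefghijklmnopqrstuv.0123456789012345678901234567890123456789012</string>
    <string name="mailchimp_key">0123456789abcdef0123456789abcdef-us1</string>
    <string name="mailgun_key">key-deadbeefdeadbeefdeadbeefdeadbeef</string>
</resources>
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_STRINGS_XML):
        print(f"line {finding.line_no}: {finding.provider} key {finding.redacted}")
    if build_should_fail(SAMPLE_STRINGS_XML):
        print("FAIL: hardcoded email-provider API key(s) found; move them to a vault")
```

Run the scanner over decoded APK resources (for example the `res/values/strings.xml` and decompiled source a tool such as apktool produces) or, better, over the source tree before the build, so the key never reaches the bundle. The report prints only a redacted prefix and suffix, which is enough for a developer to find the offending line without the CI log itself becoming a second leak.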
