Mailgun Security Incident and Important Customer Information
Written by Josh Odom
On January 3, 2018, Mailgun became aware of an incident in which a customer’s API key was compromised and immediately began diagnostics to help determine the cause and the scope of impact.
At that point, we determined that the root cause was a Mailgun employee’s account being compromised by an unauthorized user. We immediately closed the point of access to the unauthorized user and deployed additional technical safeguards to further protect this sensitive portion of our application.
Mailgun has now completed its diagnostic of accounts that were affected and has notified each of the affected users. At this time, we believe less than 1% of our customer base was potentially affected. If you were not directly notified by Mailgun regarding this incident, then your account was not affected. We are engaging with a third-party security team to complete an additional audit of this incident to validate our findings.
Finally, we’d like to assure our customers and partners that we take security at Mailgun very seriously. We are using this as an opportunity to further evaluate the security of our platform to better serve and protect our customers. We will provide an update upon the completion of our investigation.
Questions You May Have
Who was affected?
Only a small subset of Mailgun accounts was impacted. We have directly notified all affected users. If you did not receive a notification email, your account was not among those affected.
What do I need to do to protect my account?
If you were notified that your account was affected, we advise that you do the following to protect your account from unauthorized access:
1) Rotate your Mailgun API keys (click here for more info on how this process works)
2) Change your SMTP username and passwords (this article shows you where to manage your SMTP credentials)
Was my account billing or credit card information compromised?
No. Customer payment information was not compromised.