Leaked Mailgun API key — same phishing risk as SendGrid

Mailgun API keys let attackers send email from your domain with valid SPF/DKIM/DMARC. Rotate immediately; same attacker playbook as SendGrid.

The next 60 seconds matter

Identical to SendGrid: domain-authenticated phishing, contact-list exfiltration, template theft.

Send phishing with valid DMARC from your domain
Exfiltrate recipient lists
Read historical email logs

Rotation playbook

Mailgun dashboard → Settings → API Keys → Regenerate
Update every application environment
Review Logs for unusual send volume in the past 24 hours

Prevent the next one

Use sending keys per-domain rather than the account API key
Enable webhook signing to catch forged events
Set daily send caps per domain

Pattern we scan for

key-{32 hex chars}

Leaked Mailgun API key — same phishing risk as SendGrid · Securie