Leaked Resend API key — modern sender, same risk

Resend is the transactional-email service of choice for many Next.js apps. A leaked Resend key lets an attacker send email from your verified domain.

The next 60 seconds matter

The attacker sends transactional-style phishing from your verified domain. Resend's anti-abuse catches part of this; the remainder lands in inboxes.

  • Send phishing from your verified domain
  • Enumerate recent emails sent (Resend dashboard shows a feed)

Rotation playbook

  1. resend.com/api-keys → Delete the leaked key
  2. Create a new key scoped to the minimum required permission
  3. Review the Emails tab for unauthorized sends

Prevent the next one

  • Use full_access keys sparingly; prefer sending-only scope
  • Rotate keys quarterly
  • Verify only the domains you actively send from

Pattern we scan for
re_{...}
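An added example of scanning text for tokens of that shape (this is not code from the page or from Resend). It assumes only the `re_` prefix shown above; the segment lengths and character set in the regex are an assumption and should be tuned to your own key's shape.

```python
import re

# "re_" is the prefix given on the page. The rest of the shape (two
# alphanumeric segments of 8+ chars) is an assumption for this example,
# not Resend's documented format; adjust it to match a real key of yours.
RESEND_KEY_RE = re.compile(r"\bre_[A-Za-z0-9]{8,}(?:_[A-Za-z0-9]{8,})?\b")


def redact(key: str) -> str:
    """Keep the prefix and last 4 chars so a finding is identifiable
    in a report without the report itself becoming a leaked secret."""
    return key[:3] + "*" * (len(key) - 7) + key[-4:]


def scan_lines(lines, source="<input>"):
    """Return (source, line_no, redacted_key) for each Resend-shaped token."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in RESEND_KEY_RE.finditer(line):
            findings.append((source, n, redact(m.group(0))))
    return findings


# Constructed sample input; the key below is made up, not a real credential.
# Line 2 shows a benign "re_" that must not trip the scanner.
SAMPLE = """\
RESEND_API_KEY=re_AbCdEfGh_123456789012345678901234
# re_use of this variable name is fine
const resend = new Resend(process.env.RESEND_API_KEY);
"""

if __name__ == "__main__":
    for src, n, key in scan_lines(SAMPLE.splitlines(), ".env"):
        print(f"{src}:{n}: possible Resend key {key}")
```

Wire `scan_lines` into a pre-commit hook or CI step so a key is caught before it reaches the repository, and rotate any key it reports.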