Leaked SendGrid API key — phishing via your domain

A SendGrid API key with mail-send scope lets anyone send email as your authenticated domain. Attackers use leaked SendGrid keys to run phishing campaigns that pass SPF, DKIM and DMARC, because the mail really is sent through the SendGrid infrastructure that your DNS records authorize.

The next 60 seconds matter

The attacker sends phishing emails from your domain to your customers, enumerated from your marketing contact lists if the key can read them. DMARC passes because each message carries your valid DKIM signature and leaves SendGrid IPs that your SPF record authorizes. Your sending reputation can collapse within hours, and your legitimate mail follows the phishing into the spam folder.

What a leaked key allows depends on its scope; a Full Access key lets the attacker:
  • Send phishing emails from your domain
  • Enumerate and exfiltrate your marketing contact lists
  • Read stored email templates and Email Activity history
  • Delete sender identities to cover tracks

Rotation playbook

  1. SendGrid dashboard → Settings → API Keys → delete the leaked key (a DELETE on /v3/api_keys using a separate admin-scoped key does the same). Do this first; every other step can wait a minute, the attacker's sending cannot
  2. Create a replacement key with only the scopes the caller needs, update every system that used the old one, and confirm they send again
  3. Audit the Email Activity Feed from the earliest time the key could have been exposed; the past 24 hours is the minimum window, not the whole answer
  4. If phishing is found: open a SendGrid support ticket, notify affected customers, and rotate ALL domain-authentication records (re-authenticate the domain so fresh DKIM records are issued)
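The four steps above as a script, added here as an example and not code from SendGrid or from the scanner this page belongs to. It uses the SendGrid v3 REST endpoints for keys and the Email Activity Feed (GET/POST/DELETE /v3/api_keys, GET /v3/messages, which needs the extended history add-on) and assumes that the middle segment of a key is the api_key_id the account lists, which you should confirm against your dashboard before relying on it. The environment variable names, the `mail.send` replacement scope, the `noreply@example.com` trusted sender and the activity sample are this example's own choices; only the functions that take an admin key touch the network, and the triage helpers run offline on the constructed sample.

```python
"""Rotation playbook as code: revoke the leaked key, mint a Mail Send-only replacement,
and triage the Email Activity Feed. Added example; see the lead-in for its assumptions."""
import json
import os
import re
import urllib.parse
import urllib.request
from datetime import datetime, timezone

API = "https://api.sendgrid.com/v3"
# SG. + 22-char key id + . + 43-char secret (base64url alphabet)
SENDGRID_KEY_RE = re.compile(r"SG\.([A-Za-z0-9_-]{22})\.([A-Za-z0-9_-]{43})")


def key_id_from_leaked(key: str) -> str:
    """Return the middle segment of a leaked key. Assumption: it equals the
    api_key_id that GET /v3/api_keys lists, so it locates the key without the secret."""
    m = SENDGRID_KEY_RE.fullmatch(key.strip())
    if not m:
        raise ValueError("not a SendGrid API key")
    return m.group(1)


def sendgrid_request(method: str, path: str, admin_key: str, body=None):
    """Authenticated v3 call; returns the decoded JSON body, or {} for an empty (204) reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {admin_key}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=15) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def revoke_leaked_key(leaked_key: str, admin_key: str) -> str:
    """Step 1: confirm the key belongs to this account, delete it, return its name."""
    key_id = key_id_from_leaked(leaked_key)
    keys = sendgrid_request("GET", "/api_keys", admin_key)["result"]
    names = {k["api_key_id"]: k["name"] for k in keys}
    if key_id not in names:
        raise LookupError(f"{key_id} not on this account (wrong account, or already deleted)")
    sendgrid_request("DELETE", f"/api_keys/{key_id}", admin_key)
    return names[key_id]


def create_replacement_key(name: str, admin_key: str, scopes=("mail.send",)) -> str:
    """Step 2: mint the replacement with the minimum scope (mail.send), never Full Access.
    The plaintext key is returned exactly once; hand it straight to your secret store."""
    created = sendgrid_request("POST", "/api_keys", admin_key,
                               {"name": name, "scopes": list(scopes)})
    return created["api_key"]


def parse_ts(stamp: str) -> datetime:
    """Parse the feed's ISO-8601 'Z' timestamps into aware datetimes."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def activity_query(since: datetime, until: datetime) -> str:
    """Step 3: feed query covering the whole exposure window, not just the last 24 hours."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    s, u = (t.astimezone(timezone.utc).strftime(fmt) for t in (since, until))
    return f'last_event_time BETWEEN TIMESTAMP "{s}" AND TIMESTAMP "{u}"'


def fetch_activity(query: str, admin_key: str, limit: int = 1000):
    """Pull matching messages from the Email Activity Feed (requires the history add-on)."""
    path = f"/messages?limit={limit}&query={urllib.parse.quote(query)}"
    return sendgrid_request("GET", path, admin_key)["messages"]


def triage(messages, trusted_from, exposed_at: datetime):
    """Flag messages sent after exposure from a From address your systems never use
    (phishing through a leaked key typically picks lures such as security@ or billing@)."""
    after = [m for m in messages if parse_ts(m["last_event_time"]) >= exposed_at]
    unexpected = [m["msg_id"] for m in after if m["from_email"].lower() not in trusted_from]
    return {"after_exposure": len(after), "unexpected_sender": unexpected}


# Constructed sample in the shape of a GET /v3/messages response; not real traffic.
SAMPLE_ACTIVITY = {"messages": [
    {"msg_id": "m1", "from_email": "noreply@example.com", "to_email": "a@customer.test",
     "subject": "Your receipt", "status": "delivered", "last_event_time": "2024-05-01T08:00:00Z"},
    {"msg_id": "m2", "from_email": "security@example.com", "to_email": "b@customer.test",
     "subject": "Action required: verify your account", "status": "delivered",
     "last_event_time": "2024-05-01T13:05:00Z"},
    {"msg_id": "m3", "from_email": "noreply@example.com", "to_email": "c@customer.test",
     "subject": "Your receipt", "status": "delivered", "last_event_time": "2024-05-01T13:06:00Z"},
]}

if __name__ == "__main__":
    # Admin key: a separate Restricted Access key with the api_keys and messages.read scopes.
    admin = os.environ["SENDGRID_ADMIN_KEY"]
    exposed = parse_ts(os.environ["EXPOSED_AT"])            # e.g. 2024-05-01T12:00:00Z
    name = revoke_leaked_key(os.environ["LEAKED_KEY"], admin)
    new_key = create_replacement_key(f"{name}-rotated", admin)
    # push new_key to your secret store here; never print or log it
    msgs = fetch_activity(activity_query(exposed, datetime.now(timezone.utc)), admin)
    print(triage(msgs, {"noreply@example.com"}, exposed))
```

Run it with SENDGRID_ADMIN_KEY, LEAKED_KEY and EXPOSED_AT set; the admin key must itself be a restricted key kept out of the repositories you are cleaning up. The triage output is a starting point for the customer notification in step 4: `after_exposure` tells you how many messages to review, `unexpected_sender` which ones to read first.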

Prevent the next one

  • Restrict API keys to the minimum required scope (Restricted Access with Mail Send only, never Full Access); a key that can only send cannot read contacts or delete senders
  • Enable IP Access Management so the account and its keys only work from your servers' IP addresses
  • Monitor sender reputation monthly via SendGrid's dashboard
  • Use subuser accounts to segregate domains, so one leaked key cannot send from every brand you own

Pattern we scan for
SG.{22 chars}.{43 chars}
Both segments use the base64url alphabet (A-Z, a-z, 0-9, - and _), so as a regex: SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}
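A small scanner for the pattern above, added as an example and not the product's own scanner: it walks files or reads stdin, reports each hit redacted to its key id (so the finding can be matched to a key in the dashboard and deleted without the secret being copied around again) and exits non-zero, which makes it usable as a pre-commit hook. The sample .env content is constructed, only the key shape is real, and the boundary lookarounds around the pattern are this example's addition.

```python
"""Scan files or stdin for SendGrid API keys and print each hit redacted to its key id.
Added example; pre-commit use: pipe `git diff --cached` in and block the commit on exit 1."""
import re
import sys
from pathlib import Path

# The pattern above, with boundaries so a longer base64 blob is not mistaken for a key.
SENDGRID_KEY_RE = re.compile(
    r"(?<![A-Za-z0-9_-])SG\.([A-Za-z0-9_-]{22})\.([A-Za-z0-9_-]{43})(?![A-Za-z0-9_-])")


def redact(key_id: str) -> str:
    """Keep the key id (needed to find and delete the key), mask the secret."""
    return f"SG.{key_id}.{'*' * 43}"


def scan_text(text: str, source: str = "<stdin>"):
    """Return (source, line number, redacted key) for every key in the text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in SENDGRID_KEY_RE.finditer(line):
            hits.append((source, n, redact(m.group(1))))
    return hits


def scan_paths(paths, max_bytes: int = 5_000_000):
    """Walk files and directories; skip huge files and anything unreadable."""
    hits = []
    for root in map(Path, paths):
        files = [root] if root.is_file() else (p for p in root.rglob("*") if p.is_file())
        for p in files:
            try:
                if p.stat().st_size > max_bytes:
                    continue
                hits.extend(scan_text(p.read_text(errors="replace"), str(p)))
            except OSError:
                continue
    return hits


# Constructed sample: a .env-style file with one well-formed key and one decoy.
SAMPLE_ENV = """# constructed sample, the key has the right shape but is not a real credential
SENDGRID_API_KEY="SG.abcdefghijklmnopqrstuv.ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefg"
LEGACY_TOKEN=SG.tooshort.notakey
"""

if __name__ == "__main__":
    found = scan_paths(sys.argv[1:]) if sys.argv[1:] else scan_text(sys.stdin.read())
    for source, line_no, masked in found:
        print(f"{source}:{line_no}: {masked}")
    sys.exit(1 if found else 0)
```

The key id is deliberately left in the output: it is what you search for in Settings → API Keys to delete the right key, and on its own it cannot send mail.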