54 million users of popular email service providers were put at risk due to the leaking of API keys that allowed threat actors to perform unauthorized actions, such as sending emails, accessing mailing lists and personal data.
Email marketing companies give users a variety of services, such as sending and receiving emails through their domain, creating emails and email campaigns, and tracking their performance.
The email service providers use a piece of software to allow their applications to communicate across various platforms without human intervention. Users, developers, and calling programs use an API key to authenticate themselves.
CloudSEK’s BeVigil research team found that about half of the 600 apps on the Playstore are leaking the email service providers’ API keys. According to the report, some of the companies that use the mentioned platforms are as follows: Users’ data could be exploited by the leak of the key.
Mailchimp’s users’ private data could be accessed
According to the statistics provided by the company, Mailchimp has over 14 million users and 600 million emails sent daily.
According to the report, more than 29 million users were affected by the leak. The US has the most affected users followed by the UK and Spain. Threat actors may be able to read email conversations, read the sender’s and receiver’s emails, and read the actual message with the help of the API keys.
The researchers were able to obtain information about a specific store’s customers to track their orders and view e-commerce data. The perpetrators could get the details of all the promo codes used by the Mailchimp shops, and could create new promo codes with a discount rate.
The leak exposed several campaign email lists containing clients’ personally identifiable information, such as full names, full residence addresses, email IDs, latitude, and longitude. The compromised data included 7.5 million customers’ email lists and 1.3 million store and order data.
The leak could allow third-party applications connected to a Mailchimp account to start a fake campaign or send emails on behalf of the company.
Mailgun’s data could be used for phishing attacks
The Mailgun platform gives brands the ability to send and receive emails through their domain. The Mailgun users’ data was compromised by the leak. The users in the US were affected.
The leak would allow a threat actor to send and read emails from the Mailgun customers, fetch all the statistics calculated in hourly, daily, and monthly resolution, and retrieve customers’ mailing lists. They were able to find Simple Mail Transfer Protocol credentials and addresses. It causes a lot of concern as it could be used to launch a fraudulent campaign.
SendGrid’s APIs could be used to hijack accounts
The SendGrid platform is a cloud-based email marketing service. The majority of affected users were from the US, UK and India.
The platform’s customers’ keys could be used to send emails on behalf of their clients, which would increase the billing. The security loophole would allow threat actors to gain access to users’ accounts and modify their two-factor authentication.
The security issue allows the perpetrators to add an unlimited number of malicious addresses and even remove legitimate user addresses, blocking those users' access to their own accounts.
Keeping APIs safe
The companies and affected apps have been notified by CloudSEK. New application components can be integrated into existing architecture. According to researchers in the report, its security has become critical.
The team tells developers not to put the keys into their applications. They should use secure coding and deployment practices, such as standardizing review procedures, rotating and hiding keys, and using a vault.
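As an added example (not from CloudSEK's report or any vendor's tooling), a review step like the one recommended above can be automated with a pre-release check that scans an app's source or extracted strings for hard-coded email-provider keys. The three key patterns are assumptions based on commonly published secret-scanner rules, and the sample input, including the backend.fetchMailToken() call, is constructed.

```python
import re
import sys

# Assumed key shapes, as commonly published in secret-scanner rule sets;
# they are not taken from the article. Adjust them to your providers.
KEY_PATTERNS = {
    "sendgrid": re.compile(r"\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}(?![A-Za-z0-9_-])"),
    "mailchimp": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),
    "mailgun": re.compile(r"\bkey-[0-9a-f]{32}\b"),
}

# Constructed sample standing in for strings extracted from an app build.
# Every key below is fake and assembled from repeated characters.
SAMPLE = "\n".join([
    '<string name="app_name">Shop</string>',
    '<string name="sg_key">SG.' + "A" * 22 + "." + "B" * 43 + "</string>",
    'String mc = "' + "a1" * 16 + '-us6";',
    'String mg = "key-' + "0f" * 16 + '";',
    'String token = backend.fetchMailToken(); // hypothetical: key stays server-side',
])


def redact(secret, keep=6):
    """Keep a short prefix so the finding can be located without re-leaking it."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(source_name, text):
    """Return (source, line number, provider, redacted match) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for provider, pattern in KEY_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((source_name, lineno, provider, redact(match.group())))
    return findings


if __name__ == "__main__":
    # With file arguments, scan those files; otherwise scan the constructed sample.
    inputs = [(p, open(p, errors="replace").read()) for p in sys.argv[1:]] or [("sample", SAMPLE)]
    hits = [f for name, text in inputs for f in scan_text(name, text)]
    for source, lineno, provider, shown in hits:
        print(f"{source}:{lineno}: possible {provider} API key {shown}")
    sys.exit(1 if hits else 0)  # non-zero exit fails the build when a key is found
```

Any key the check finds in a build that has already shipped should be rotated, since removing it from the next release does not revoke the copy already distributed.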