Simple Password Compromise on MailGun

JasGot

@scottalanmiller Not their first time in this mess.

"At that point in time, we were able to determine that the root cause was due to a Mailgun employee’s account being compromised by an unauthorized user. We immediately closed the point of access to the unauthorized user and deployed additional technical safeguards to further protect this sensitive portion of our application."

https://www.mailgun.com/mailgun-security-incident

Holy cow, just google: mailgun compromise
They spend a lot of time discussing their issues.

Glad you moved away from them. They appear to be an unnecessary risk.

marcinozga

Damn, I just signed up with them yesterday. I need them for some apps I have deployed on my home server, now I'm worried because I had to give them cc info.

At least they support 2FA, so I give them some credit for that. Unlike most banks. And no, SMS or email 2FA support doesn't count as it's easily spoofed.

wrx7m

@marcinozga said in Simple Password Compromise on MailGun:

Damn, I just signed up with them yesterday. I need them for some apps I have deployed on my home server, now I'm worried because I had to give them cc info.

At least they support 2FA, so I give them some credit for that. Unlike most banks. And no, SMS or email 2FA support doesn't count as it's easily spoofed.

Just doing some site redesign stuff here. For e-commerce transaction messages (order status etc), we are trying out using a WP plugin to login to an office 365 account. I was thinking we should be using a 3rd party for it. We had used mandrill in the past and I am glad to know about mailgun and definitely won't be using them.

Dashrender

@marcinozga said in Simple Password Compromise on MailGun:

And no, SMS or email 2FA support doesn't count as it's easily spoofed.

OK SMS I get, but email?

marcinozga

@Dashrender said in Simple Password Compromise on MailGun:

@marcinozga said in Simple Password Compromise on MailGun:

And no, SMS or email 2FA support doesn't count as it's easily spoofed.

OK SMS I get, but email?

When someone breaks into your account, they most likely got your email credentials already. So when a service sends you 2nd factor codes to compromised email, it's pointless. 2FA principle was based on one thing that you know, and 2nd that you have. Email is not something you have, as it's accessible to anyone at any time. U2f key or phone with an app is something that only you have.

Dashrender

@marcinozga said in Simple Password Compromise on MailGun:

@Dashrender said in Simple Password Compromise on MailGun:

@marcinozga said in Simple Password Compromise on MailGun:

And no, SMS or email 2FA support doesn't count as it's easily spoofed.

OK SMS I get, but email?

When someone breaks into your account, they most likely got your email credentials already. So when a service sends you 2nd factor codes to compromised email, it's pointless. 2FA principle was based on one thing that you know, and 2nd that you have. Email is not something you have, as it's accessible to anyone at any time. U2f key or phone with an app is something that only you have.

that's a pretty big assumption, that they already have your email credentials.

marcinozga

@Dashrender said in Simple Password Compromise on MailGun:

@marcinozga said in Simple Password Compromise on MailGun:

@Dashrender said in Simple Password Compromise on MailGun:

@marcinozga said in Simple Password Compromise on MailGun:

And no, SMS or email 2FA support doesn't count as it's easily spoofed.

OK SMS I get, but email?

When someone breaks into your account, they most likely got your email credentials already. So when a service sends you 2nd factor codes to compromised email, it's pointless. 2FA principle was based on one thing that you know, and 2nd that you have. Email is not something you have, as it's accessible to anyone at any time. U2f key or phone with an app is something that only you have.

that's a pretty big assumption, that they already have your email credentials.

When you target someone that's usually first step, gain access to email account.

Ambarishrh

we had similar issues with mailgun few months back and switched to sendgrid after that.

wrx7m

We are going back to Mandrill, as we already are using Mailchimp.

sully93

@scottalanmiller, which service did you go with after dropping MailGun? We are looking at a relay service and have MailGun on our list. This is a bit concerning that they shut you down like that. We're also looking at Postmark and SendGrid.

Obsolesce

Their biggest claim to fame is their SLA. Why would anyone even choose them in the first place?

scottalanmiller

@sully93 said in Simple Password Compromise on MailGun:

@scottalanmiller, which service did you go with after dropping MailGun? We are looking at a relay service and have MailGun on our list. This is a bit concerning that they shut you down like that. We're also looking at Postmark and SendGrid.

We made the call to just move to Zoho and get email hosted. We've been super happy with Zoho.