    Simple Password Compromise on MailGun

    IT Discussion
    mailgun smtp email security passwords
    • scottalanmiller

      We recently had an issue with a MailGun shutdown. Their claim was that our account was compromised. They could not produce any reason that they believed this to be so, they just claimed it. There weren't any email messages sent from it, and no logins from anyone that shouldn't be there. So pretty suspicious in the first place.

      At first they claimed that our API, which is ridiculously long, was compromised. Fishy. Then, later, when they learned that we just dropped them and moved to another vendor they claimed that it was our SMTP password that was compromised due to "simplicity of the password."

      Now first of all, they should have a reason to believe that the account is compromised and not just claim it. The lack of evidence there was fishy. That they claimed the API was compromised, also fishy. That they changed their story later, way more fishy.

      That they claim that this password was "too simple" is utterly ridiculous and basically means that their claim is that their system exposes the password somewhere, because the brute force time to crack something like this would take many times longer than the entire time that the account had existed, and if they had the slightest protection against brute force attacks, it would have been essentially impossible to crack.

      The password was: 2UpeD6G4q9KhgYLm

      Sixteen characters, fully random. That's a decades-to-crack password.
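
      The keyspace arithmetic behind the post above, as an added worked example (not code from the thread or from MailGun). It takes the posted password, works out the character set a brute-forcer would have to iterate, and turns the expected number of guesses into years at three assumed guess rates. The rates are illustrative assumptions, not measured figures for any provider.

```python
import math
import string

# Constructed input: the 16-character password quoted in the post above.
POSTED_PASSWORD = "2UpeD6G4q9KhgYLm"

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guess rates (illustrative, not measured for any real service):
#   - an attacker hammering SMTP AUTH over the network with no throttling
#   - the same attacker facing a lockout / back-off after a few failures
#   - an offline attack on a leaked fast, unsalted hash using a GPU rig
GUESS_RATES = {
    "online SMTP AUTH, unthrottled (1,000/s)": 1_000.0,
    "online SMTP AUTH, throttled to 1/s": 1.0,
    "offline fast hash on a GPU rig (1e11/s)": 1e11,
}


def alphabet_size(password: str) -> int:
    """Size of the smallest union of standard character classes that covers
    every character in the password, i.e. what an exhaustive search must
    iterate. Characters outside these classes (spaces, non-ASCII) are not
    counted, so the result is a conservative lower bound in that case."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    ]
    size = sum(n for chars, n in classes if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password contains no recognised characters")
    return size


def entropy_bits(password: str) -> float:
    """Entropy of a uniformly random password drawn over its character set."""
    return len(password) * math.log2(alphabet_size(password))


def expected_guesses(password: str) -> float:
    """An exhaustive search succeeds, on average, after half the keyspace."""
    return alphabet_size(password) ** len(password) / 2


def years_to_crack(password: str, guesses_per_second: float) -> float:
    return expected_guesses(password) / guesses_per_second / SECONDS_PER_YEAR


def crack_time_report(password: str) -> dict:
    """Map each assumed attacker scenario to the expected years to crack."""
    return {name: years_to_crack(password, rate) for name, rate in GUESS_RATES.items()}


if __name__ == "__main__":
    print(f"{POSTED_PASSWORD}: {entropy_bits(POSTED_PASSWORD):.1f} bits of entropy, "
          f"alphabet of {alphabet_size(POSTED_PASSWORD)} characters")
    for name, years in crack_time_report(POSTED_PASSWORD).items():
        print(f"  {name:42s} ~{years:.3g} years")
    print()
    for name, years in crack_time_report("password").items():
        print(f"  {'password':42s} {name}: ~{years:.3g} years")
```

      The posted password comes out at roughly 95 bits; even the offline GPU scenario needs on the order of billions of years, and any online scenario against SMTP AUTH is hopeless long before that. The practitioner's caveat is the one the post itself makes: these numbers only describe guessing. If a credential is stored or transmitted in recoverable form, or is lifted from a client, a log, or a repository, its entropy is irrelevant, and that is the cheaper path an investigator should look at before blaming "simplicity".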

      • JasGot @scottalanmiller

        @scottalanmiller Not their first time in this mess.

        "At that point in time, we were able to determine that the root cause was due to a Mailgun employee’s account being compromised by an unauthorized user. We immediately closed the point of access to the unauthorized user and deployed additional technical safeguards to further protect this sensitive portion of our application."

        https://www.mailgun.com/mailgun-security-incident

        Holy cow, just google: mailgun compromise
        They spend a lot of time discussing their issues.

        Glad you moved away from them. They appear to be an unnecessary risk.

        • marcinozga

          Damn, I just signed up with them yesterday. I need them for some apps I have deployed on my home server, now I'm worried because I had to give them cc info.

          At least they support 2FA, so I give them some credit for that. Unlike most banks. And no, SMS or email 2FA support doesn't count as it's easily spoofed.

          • wrx7m @marcinozga

            @marcinozga said in Simple Password Compromise on MailGun:

            Damn, I just signed up with them yesterday. I need them for some apps I have deployed on my home server, now I'm worried because I had to give them cc info.

            At least they support 2FA, so I give them some credit for that. Unlike most banks. And no, SMS or email 2FA support doesn't count as it's easily spoofed.

            Just doing some site redesign stuff here. For e-commerce transaction messages (order status etc.), we are trying out using a WP plugin to log in to an Office 365 account. I was thinking we should be using a 3rd party for it. We had used Mandrill in the past and I am glad to know about Mailgun and definitely won't be using them.

            • Dashrender @marcinozga

              @marcinozga said in Simple Password Compromise on MailGun:

              And no, SMS or email 2FA support doesn't count as it's easily spoofed.

              OK SMS I get, but email?

              • marcinozga @Dashrender

                @Dashrender said in Simple Password Compromise on MailGun:

                @marcinozga said in Simple Password Compromise on MailGun:

                And no, SMS or email 2FA support doesn't count as it's easily spoofed.

                OK SMS I get, but email?

                When someone breaks into your account, they most likely got your email credentials already. So when a service sends you 2nd factor codes to compromised email, it's pointless. The 2FA principle was based on one thing that you know, and a 2nd that you have. Email is not something you have, as it's accessible to anyone at any time. A U2F key or phone with an app is something that only you have.

                • Dashrender @marcinozga

                  @marcinozga said in Simple Password Compromise on MailGun:

                  @Dashrender said in Simple Password Compromise on MailGun:

                  @marcinozga said in Simple Password Compromise on MailGun:

                  And no, SMS or email 2FA support doesn't count as it's easily spoofed.

                  OK SMS I get, but email?

                  When someone breaks into your account, they most likely got your email credentials already. So when a service sends you 2nd factor codes to compromised email, it's pointless. 2FA principle was based on one thing that you know, and 2nd that you have. Email is not something you have, as it's accessible to anyone at any time. U2f key or phone with an app is something that only you have.

                  that's a pretty big assumption, that they already have your email credentials.

                  • marcinozga @Dashrender

                    @Dashrender said in Simple Password Compromise on MailGun:

                    @marcinozga said in Simple Password Compromise on MailGun:

                    @Dashrender said in Simple Password Compromise on MailGun:

                    @marcinozga said in Simple Password Compromise on MailGun:

                    And no, SMS or email 2FA support doesn't count as it's easily spoofed.

                    OK SMS I get, but email?

                    When someone breaks into your account, they most likely got your email credentials already. So when a service sends you 2nd factor codes to compromised email, it's pointless. 2FA principle was based on one thing that you know, and 2nd that you have. Email is not something you have, as it's accessible to anyone at any time. U2f key or phone with an app is something that only you have.

                    that's a pretty big assumption, that they already have your email credentials.

                    When you target someone, that's usually the first step: gain access to the email account.

                    • Ambarishrh

                      We had similar issues with Mailgun a few months back and switched to SendGrid after that.

                      • wrx7m

                        We are going back to Mandrill, as we already are using Mailchimp.

                        • sully93

                          @scottalanmiller, which service did you go with after dropping MailGun? We are looking at a relay service and have MailGun on our list. This is a bit concerning that they shut you down like that. We're also looking at Postmark and SendGrid.

                          • Obsolesce

                            Their biggest claim to fame is their SLA. Why would anyone even choose them in the first place?

                            • scottalanmiller @sully93

                              @sully93 said in Simple Password Compromise on MailGun:

                              @scottalanmiller, which service did you go with after dropping MailGun? We are looking at a relay service and have MailGun on our list. This is a bit concerning that they shut you down like that. We're also looking at Postmark and SendGrid.

                              We made the call to just move to Zoho and get email hosted. We've been super happy with Zoho.
