Overview
In today's digital landscape, account security is paramount. If you suspect that your account has been compromised, or have received a communication from Twilio SendGrid regarding the same, it's crucial to act swiftly to mitigate any potential damage. This guide provides a structured approach to sanitizing your account, analyzing logs, and conducting a thorough Root Cause Analysis, if needed, to prevent future incidents.
Product
SendGrid Email API and SendGrid Marketing Campaigns
User Account Permission/Role(s) Required
Primary administrator with Administration permissions.
Issue
Your API key is a powerful credential that grants access to SendGrid's capabilities. Unfortunately, bad actors may attempt to steal it and use your account to send large volumes of fraudulent emails, often impersonating trusted institutions.
Common Causes of Compromise
Accounts may be compromised in several ways, including:
- Exposed or inadvertently shared API keys.
- Laravel applications running in debug mode, revealing credentials.
- Internal credential sharing through insecure channels.
- Outdated or improperly secured integrations (e.g., WordPress, cPanel).
Taking the right steps now can help protect your account and your recipients.
Procedure
Account Sanitization Steps
If you believe your Twilio SendGrid account has been compromised or exposed due to a security incident, please take the following immediate actions:
1. Delete all API keys
- Go to your SendGrid console.
- Navigate to Settings on the left navigation bar, and then select API Keys.
- Click the action menu in the same row as the key you want to delete. Select Delete.
This will delete the key permanently, making it inactive. SendGrid will reject any subsequent API calls using this deleted API key.
If you want to rotate the API keys via API, please follow these steps: Rotate all API keys.
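One way to carry out the API-side rotation, as an added example rather than SendGrid's own script: it lists keys with GET /v3/api_keys, creates one replacement with POST /v3/api_keys, then deletes every pre-existing key with DELETE /v3/api_keys/{api_key_id}. The `current_key_id` parameter (the id of the key authenticating these calls, deleted last) and the injectable `transport` are assumptions of this example.

```python
import json
import urllib.request

API_KEYS_URL = "https://api.sendgrid.com/v3/api_keys"  # SendGrid API Keys endpoint

def http_json(method, url, token, body=None):
    """Minimal JSON transport over urllib; returns the decoded body ({} if empty)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()  # DELETE answers 204 with an empty body
    return json.loads(raw) if raw else {}

def rotate_api_keys(token, current_key_id, new_key_name, scopes, transport=http_json):
    """Create one replacement key, then delete every key that existed before it.
    current_key_id (assumed known to the operator) is the key authenticating these
    calls; it is deleted last so the earlier DELETE requests still succeed.
    Returns (new_key_record, deleted_ids_in_order)."""
    listing = transport("GET", API_KEYS_URL, token).get("result", [])
    existing = [k["api_key_id"] for k in listing]
    new_key = transport("POST", API_KEYS_URL, token,
                        {"name": new_key_name, "scopes": scopes})
    # The replacement was created after the listing, so it is never in 'existing'.
    order = [i for i in existing if i != current_key_id]
    if current_key_id in existing:
        order.append(current_key_id)
    for key_id in order:
        transport("DELETE", f"{API_KEYS_URL}/{key_id}", token)
    return new_key, order
```

The full key string is returned only once, in the POST response (`new_key["api_key"]`), so store it in your secrets manager before the old keys are removed.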
2. Change all the passwords
Unified Login
Twilio's Unified Login feature allows you to manage your credentials seamlessly across multiple Twilio products, including SendGrid and Segment.
- Access the Twilio Console: Visit the Twilio login page at www.twilio.com/login .
- Initiate Password Reset: Click on "Forgot Your Password?" and follow the instructions to receive a password reset email.
- Reset Your Password: Use the link in the email to set a new password.
Changing your password through the SendGrid UI
- From the homepage, click the drop-down menu in the top-left corner and select Account Details — or go to Settings and choose Account Details from there.
- Scroll to the Password section and click the edit icon.
- Enter your current password, then enter and confirm your new password.
- Click Save to apply the changes.
Resetting your password through the Forgot Password Service
- Navigate to the SendGrid login page.
- Click Forgot Password.
- Enter your SendGrid username.
- Follow the step-by-step instructions to reset your password.
3. Account Teammates
Review your account's Teammates:
- Go to Settings and click on Teammates.
- You'll see a list of all current teammates, including their username, email address, first name, and last name.
- If you notice a teammate you did not add, click the action menu next to their name and select Delete to remove them.
Note: Free accounts can only have one teammate.
4. 2FA enablement
If you created your account after March 2024, 2FA is likely enabled by default. If not, or to ensure it's active:
- Go to Settings and click Two-Factor Authentication.
- On this page, you'll see an overview of your 2FA settings, including any configurations for credentialed users.
- Click Add Two-Factor Authentication.
- Choose your preferred authentication method: either the Authy App or text message (SMS).
- Enter your country code and phone number to complete setup.
Note: Each user must enable 2FA for their account individually.
Next Steps After Account Sanitization
Once you’ve completed the initial security cleanup, it’s important to review and implement additional protective measures to help prevent future incidents.
Queue Management
To support a smooth account reactivation, any pending emails in your queue will be cleared. Please note:
- Unsent legitimate emails will not be delivered and cannot be recovered.
- You will need to resend any important emails manually.
If you have questions or need support, don’t hesitate to contact our Support team.
IP access management
IP Access Management allows you to restrict access to your Twilio SendGrid account based on specific IP addresses.
When enabled:
- Only connections from approved IP addresses can access the SendGrid UI, API, and SMTP relay.
- All other IPs will be automatically blocked.
To enable IP Access Management: Navigate to Settings > IP Access Management in your SendGrid dashboard.
- You’ll see an informational message under Allow Listed IP Addresses until at least one IP is added.
- Once you add an IP, IP Access Management will be enabled.
Under Recent Access Attempts, you can view IPs that have recently tried to access your account, along with:
- First and most recent attempt dates
- IP location
- Access method (UI, API, etc.)
For more details, visit our IP Access Management documentation.
Application & Integration Security
Ensure that all applications or SendGrid integrations you use are secure and up to date. This includes:
- Web frameworks (e.g., WordPress)
- Administrative tools (e.g., cPanel)
Outdated software is a common target for malicious actors. Keeping everything current reduces your vulnerability.
For guidance on securing your applications and integrations, please refer to our Application Security Best Practices document.
Log & Email Activity Monitoring
To help keep your account secure and ensure reliable email delivery, we strongly recommend regularly reviewing your Logs and Email Activity Feed. These tools are key for spotting unusual behavior, identifying potential threats, and maintaining healthy sending practices.
Using the Email Activity Feed
The Email Activity Feed gives you detailed visibility into your account’s sending history over the past 30 days. It allows you to:
- Troubleshoot delivery issues with clear, sequential event data for each message.
- Search and filter by subject line, metadata, and more to quickly locate specific messages.
- Export data as a CSV file for deeper analysis or record-keeping.
- Access up to 30 days of email history with an account upgrade.
- Use the API to retrieve all events related to a specific message (requires the additional storage add-on).
You can access the Email Activity Feed directly from your SendGrid console. For more detailed guidance, see the Email Activity Feed documentation.
Monitoring with the Email Activity API
For programmatic access, the Email Activity API provides robust endpoints to help you query message events and sending data at scale. This is especially useful for custom dashboards or automated monitoring tools.
What to Look For
When reviewing your logs and email activity, keep an eye out for any of the following indicators of suspicious activity:
- Unrecognized API Keys used to send emails.
- Unknown email addresses sending from your account.
- Unusual subject lines that don’t match your typical communications.
- Unexpected domains appearing in your sending history.
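A triage pass over Email Activity data that checks each message against the four indicators above, as an added example and not SendGrid tooling. The payload is constructed in the shape of the Email Activity API's message objects (`api_key_id` appears in the per-message detail response); the sender allowlist, expected domains, known key ids and subject phrases are assumptions for a hypothetical account.

```python
import json
import urllib.request
from urllib.parse import urlencode

# Constructed sample in the shape of Email Activity API message objects
# (field names as the API documents them; every value is invented).
SAMPLE_PAYLOAD = json.loads("""{"messages": [
 {"msg_id": "m1", "api_key_id": "key_prod", "from_email": "billing@example.com",
  "to_email": "a@recipient.test", "subject": "Your March invoice", "status": "delivered"},
 {"msg_id": "m2", "api_key_id": "key_xyz", "from_email": "security@example-bank.test",
  "to_email": "b@recipient.test", "subject": "URGENT: verify your account now", "status": "delivered"},
 {"msg_id": "m3", "api_key_id": "key_ci", "from_email": "alerts@example.com",
  "to_email": "c@recipient.test", "subject": "Password reset", "status": "not delivered"}
]}""")

# Baseline for a hypothetical account: what normal sending looks like.
ALLOWED_SENDERS = {"billing@example.com", "alerts@example.com"}
EXPECTED_DOMAINS = {"example.com"}
KNOWN_KEY_IDS = {"key_prod", "key_ci"}
SUSPICIOUS_SUBJECT_PHRASES = ("urgent", "verify your account", "account suspended")

def flag_message(msg, allowed_senders=ALLOWED_SENDERS, expected_domains=EXPECTED_DOMAINS,
                 known_key_ids=KNOWN_KEY_IDS):
    """Return the indicators from the 'What to Look For' list that match one message."""
    reasons = []
    sender = msg.get("from_email", "").lower()
    if sender not in allowed_senders:
        reasons.append("unknown sender")
    if sender.rsplit("@", 1)[-1] not in expected_domains:
        reasons.append("unexpected domain")
    subject = msg.get("subject", "").lower()
    if any(phrase in subject for phrase in SUSPICIOUS_SUBJECT_PHRASES):
        reasons.append("unusual subject")
    key_id = msg.get("api_key_id")  # only present in per-message detail responses
    if key_id is not None and key_id not in known_key_ids:
        reasons.append("unrecognized API key")
    return reasons

def triage(payload, **baseline):
    """Map msg_id -> indicators for every message that trips at least one check."""
    hits = {}
    for msg in payload.get("messages", []):
        reasons = flag_message(msg, **baseline)
        if reasons:
            hits[msg["msg_id"]] = reasons
    return hits

def fetch_messages(token, query, limit=1000):
    """Live pull from GET /v3/messages (needs the Email Activity history add-on)."""
    url = "https://api.sendgrid.com/v3/messages?" + urlencode({"query": query, "limit": limit})
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Run `triage(fetch_messages(token, 'last_event_time BETWEEN TIMESTAMP "..." AND TIMESTAMP "..."'))` against a live account, or `triage(SAMPLE_PAYLOAD)` offline, and review every flagged msg_id in the Email Activity Feed.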
If you notice anything unusual or need help interpreting your logs, please reach out to our Support team.
Additional Security Measures
After your account has been reactivated, it’s important to thoroughly review your setup and take extra steps to strengthen your overall security posture.
Here are key recommendations:
- Scan Your Devices: Run a full malware and antivirus scan on any computers or devices used to access Twilio services. This helps ensure they haven’t been compromised.
- Secure Your Website:
  - Close unused ports and remove unnecessary or outdated files.
  - Ensure your website platform and all integrations (such as plugins, APIs, or third-party apps) are fully updated.
- Audit Permissions and Tokens:
  - Review your website’s full permission structure.
  - Make sure no Authentication Tokens or credentials are stored in plain text or exposed publicly.
- Consider Professional Help:
  - Engaging a trusted third-party security firm can help identify vulnerabilities, harden your environment, and ensure your systems are fully secure.