SendGrid email service hacked, customers told to reset passwords and DKIM keys

Most of us know about bulk email – it’s the blanket term that covers the mountain of legitimate newsletter subscriptions and marketing emails that may be clogging up our inboxes, as well as the unsolicited junk messages, scams and phishing campaigns that spammers abuse us with.

What is less well known is what transactional email is. It’s the automated “Thank you for creating an account”, “Here are the details of your order”, “We have received your support request”-type messages that may be a little bit boring, but are an essential part of everyday online life.

Of course, if you’re a company running an online business, you don’t want any of your essential transactional emails falling into a spam bucket or failing to be sent for any reason. And that’s why you might hire a company which specialises in managing transactional emails, such as SendGrid.

SendGrid’s over 100,000 customers include firms big and small – including well-known names such as Airbnb, Foursquare, Spotify and Uber.


And all of them will be alarmed to hear that SendGrid has today warned that a previously reported hack has turned out to be a much bigger deal than it initially feared.

As security blogger Brian Krebs reports, SendGrid warned last month that a single customer (Bitcoin exchange Coinbase) had had its SendGrid account compromised and used to launch phishing attacks on April 8.

Six weeks later, SendGrid has published more information acknowledging that the hackers actually compromised one of its employees’ credentials, and that on three separate dates in February and March of this year the attacker was able to access customer “usernames, email addresses, and (salted and iteratively hashed) passwords for SendGrid customer and employee accounts.”

But that’s not all that the criminals may have stolen:

“In addition, evidence suggests that the cyber criminal accessed servers that contained some of our customers’ recipient email lists/addresses and customer contact information. We have not found any forensic evidence that customer lists or customer contact information was stolen. However, as a precautionary measure, we are implementing a system-wide password reset. Because SendGrid does not store customer payment cards we do know that payment card information was not involved.”

“Upon discovery, we took immediate actions to block unauthorized access and deployed additional processes and controls to better protect our customers, our employees, and our platform.”

So, although it has been impossible to confirm whether customer lists and contact information were extracted by the hackers, it clearly makes sense in such situations to assume the worst.

SendGrid is right to take that stance, uncomfortable as it might be. After all, it would be far more awkward to say that no such breach of contact information had occurred, only to have to admit at some later point that it definitely had.

Apologising for the inconvenience, SendGrid says it is asking all customers to reset their passwords (obviously you should make sure that the password is unique and hard to crack, and that you are not using the same password anywhere else on the net), and enable two-factor authentication to prevent unauthorised logins.

The firm also recommends the use of password managers such as LastPass, 1Password, and KeePass – a suggestion that I strongly endorse for businesses and home users alike.

Finally, approximately 600 SendGrid customers have custom DKIM keys that should also be updated to prevent abuse by online criminals:

“For the approximately 600 customers who have custom DKIM keys for sending mail, we are requesting that you generate new DKIM keys through our interface and update your DNS records to reflect the change. If you use custom DKIM keys, you will receive a separate email with instructions. For more information click here.”
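To make that rotation step concrete, here is an added example (not SendGrid’s code, and not from the original article) of what “generate new DKIM keys and update your DNS records” amounts to on the customer’s side: generate a fresh RSA key pair, build the TXT value to publish at `<selector>._domainkey.<domain>`, and then confirm that mail signed with the new key verifies under the published record while mail signed with the retired key no longer does. The selector, domain and the sample message are assumptions made up for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"strings"
)

// NewDKIMKey generates the fresh RSA key pair that replaces the retired one.
func NewDKIMKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// DKIMRecord builds the TXT value to publish at <selector>._domainkey.<domain>.
func DKIMRecord(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// Sign produces an RSA-SHA256 signature over msg, as a DKIM signer would.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// VerifiesUnderRecord parses the p= tag of a published record and reports whether
// sig over msg verifies with that key: true for the new key, false for the old one.
func VerifiesUnderRecord(rec string, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	for _, tag := range strings.Split(rec, ";") {
		kv := strings.SplitN(strings.TrimSpace(tag), "=", 2)
		if len(kv) != 2 || kv[0] != "p" {
			continue
		}
		der, err := base64.StdEncoding.DecodeString(kv[1])
		if err != nil {
			return false
		}
		pub, err := x509.ParsePKIXPublicKey(der)
		rsaPub, ok := pub.(*rsa.PublicKey)
		return err == nil && ok && rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, h[:], sig) == nil
	}
	return false // no p= tag: nothing to verify against
}
```

In practice you would fetch the record with a DNS lookup of the selector name after updating the zone, and only then retire the old private key from the sending side.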

SendGrid is clearly feeling rather burnt by the experience, and says that it is developing new features to harden the security of its platform, including IP allow-listing and enhanced two-factor authentication.

No doubt it is also feeling rather red-faced for having claimed, back in April, that only one customer account had been compromised and taking umbrage at the New York Times for its report suggesting the security breach was more significant.

Turns out that it was SendGrid which underestimated the scale of the problem after all…

This article originally appeared on the Optimal Security blog.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
