mailgun "Error":"exposed account credentials"
F

5

6

I am attempting to validate an email, but when I follow the Mailgun docs and have code such as the following:

https://documentation.mailgun.com/en/latest/user_manual.html#email-validation

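import requests

# Mailgun public validation key (placeholder value)
EMAILPUBLICVALIDATIONKEY = 'my sexy key'

def validateemail(emailaddress):
    # Call Mailgun's address validation endpoint using HTTP basic auth
    return requests.get(
        "https://api.mailgun.net/v3/address/validate",
        auth=("api", EMAILPUBLICVALIDATIONKEY),
        params={'address': emailaddress}
    )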

I get the response

["{"Error":"exposed account credentials"}"]
0: "{"Error":"exposed account credentials"}"
length: 1
__proto__: Array(0)
Fimbria answered 27/12, 2018 at 23:36 Comment(3)
That error looks like you accidentally leaked your API keys or something and they got deactivated. But I've never had that error before so I really can't be certain. - Bred
Damn. OK, it was in my last GitHub push, I bet. Thanks man, make it an answer so I can give you those sexy points. - Fimbria
GitHub recently announced a feature where they will notify companies when API keys get exposed. I'm still trying to find a link and will update my answer if I ever find it. I don't THINK Mailgun was on that list. But they could have been added. - Bred
B
7

I haven't actually gotten this error in MailGun before. But I'm assuming exposed account credentials means that your API key got exposed and they deactivated it in order to try to protect you.

Kinda unrelated, but GitHub recently released a feature where they will scan commits for API keys and tokens and notify the company that it was exposed. Doesn't look like as of posting this MailGun is on that list, but there is also a slim chance since it's in beta that list hasn't been updated. https://help.github.com/articles/about-token-scanning/

Bred answered 27/12, 2018 at 23:57 Comment(1)
I can confirm that Mailgun do get notified - I have a student who uploaded his code containing the Mailgun API key, and his Mailgun account was suspended... he did this repeatedly (with a new Mailgun account each time!) until we informed him otherwise :-) - Cosmism
W
4

This is most likely due to exposing a Mailgun API key on GitHub. I had the API key in a file and commented it out but still got flagged. If you file a ticket on Mailgun, a reply will be sent with these instructions:

    Due to the compromise, you will need to take a few steps to secure your Mailgun account:

    - Remove the repository from GitHub or make the repository private. A new commit will not overwrite the previous commit history which contains the password.
    - Please log in to the Mailgun Control Panel and reset your Mailgun account password. Click your email address in the top right, "Edit Account Info" -> "Password Change" section.
    - Enable 2 Factor Authentication. Click your email address in the top right > Security > Two-Factor Authentication section.
    - Reset your Mailgun API key. Under "Account Settings" -> "Security" click the refresh symbol to generate a new API key.
    - Reset your SMTP credentials. Go to the "Domains" tab and repeat the following process for each domain listed in this view.
Wingspan answered 22/5, 2019 at 15:33 Comment(0)
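To illustrate the two points in the answer above (a commented-out key is still flagged, and a new commit does not remove the key from history), here is an added example that is not part of the original thread and is not Mailgun's or GitHub's scanner. It scans `git log -p --all` output for key-shaped tokens; the token pattern, the sample log, and the `MAILGUN_KEY` variable name are assumptions made for the example.

```python
import re

# Assumption: legacy Mailgun tokens look like "key-" or "pubkey-" followed by
# 32 alphanumeric characters. Adjust the pattern if your keys differ.
KEY_RE = re.compile(r"\b(?:pub)?key-[0-9A-Za-z]{32}\b")

def find_exposed_keys(log_text):
    """Scan `git log -p --all` output for key-shaped tokens on added lines.

    Returns (short commit id, path, redacted token) for every hit.
    """
    hits, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:7]
        elif line.startswith("+++ "):
            # File header of a diff: "+++ b/<path>" (or /dev/null on delete).
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif line.startswith("+"):
            # Added line. Comment markers do not matter: the token is still
            # present in the blob that gets pushed.
            for m in KEY_RE.finditer(line):
                tok = m.group(0)
                hits.append((commit, path, tok[: tok.index("-") + 5] + "..."))
    return hits

# Constructed sample: a fake key, assembled here so no real token appears.
FAKE_KEY = "key-" + "0123456789abcdef" * 2
SAMPLE_LOG = "\n".join([
    "commit 3333333cccccccc",
    "    read key from environment",
    "+++ b/mail.py",
    "-# KEY = '%s'" % FAKE_KEY,
    "+KEY = os.environ['MAILGUN_KEY']",  # hypothetical variable name
    "commit 2222222bbbbbbbb",
    "    comment out key",
    "+++ b/mail.py",
    "-KEY = '%s'" % FAKE_KEY,
    "+# KEY = '%s'" % FAKE_KEY,
    "commit 1111111aaaaaaaa",
    "    add email validation",
    "+++ b/mail.py",
    "+import requests",
    "+KEY = '%s'" % FAKE_KEY,
])

if __name__ == "__main__":
    for hit in find_exposed_keys(SAMPLE_LOG):
        print(hit)
```

The latest commit in the sample is clean, yet the two older commits still report the key, which is why the key has to be reset rather than just deleted from the file.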
S
2

    I don't THINK Mailgun was on that list. But they could have been added.

It is official now (May 23rd, 2019): "Token scanning"

Token scanning is now generally available in all public repositories.

Additionally, token scanning now supports detection of new token types from Alibaba Cloud, Mailgun, and Twilio.

The full list is on "About token scanning".
See more at "Token scanning".

Sacking answered 23/5, 2019 at 16:27 Comment(0)
A
1

You need to go to your Mailgun account; a banner will say that your account has been suspended. Then you have to contact support to unlock it.

Ardeb answered 4/2, 2020 at 21:46 Comment(0)
C
0

I exposed a sandbox API key and they made me change API keys on all apps that are part of the account. I'm talking about a really large number of apps which were not compromised by sharing the sandbox key, and which resulted in significant redeployment cost because an irrelevant key was exposed. If you need a transaction mailing service, go for something other than Mailgun.

Chalcis answered 11/8 at 15:39 Comment(0)
