Ask HN: Has Brevo (formerly SendInBlue) been compromised?
I've been trying to figure out how it was that 20k crypto-bullshit spam messages have been "loaded by proxy" on my account.
I've made sure 2FA is enabled, I've made sure no other logins are active in my account, but still everytime I delete an API key from the admin panel a new one reappears a few minutes later.
I can't understand how this is happening unless they themselves have been compromised.
Waiting for 2 hours so far for a response from their support.
10 comments
[ 36.8 ms ] story [ 4808 ms ] thread``` Exceptional news for the XRP Community
The Foundation is delighted to set forth a 30-day reward program for the Ripple supporters and XRP holders.
Receive 30% more XRP on top of your holdings. Here's how to get your account topped up: ``` etc.
In the end it was my stupidity though that was the problem:
I had moved servers recently, the new server I was on was not respecting the .htaccess file within a .git directory to deny all requests. This must have exposed my API key for Brevo.
Lessons learned:
* don't assume security measures you assumed still worked actually do - test them!
* don't hard code important keys into code, use environment variables!
There may be some nuance between "been compromised" and "have a bug where not all sessions are invalidated". (As in, can anyone's account be compromised, or do they need a legit first login to keep coming back)
They told me they logged everyone out, yet the existing session I had continued to work.
I changed the password, AGAIN at their request, and now my account has been suspended.
Seriously pissed off right now with crypto-bros.
If you have any further questions or concerns regarding this matter, please do not hesitate to reach out to us on contact@brevo.com. We are here to provide any additional information and support you may need. Thanks and have a great day, your Brevo team