Mailgun recently disclosed that an attacker gained access to a staff account. The details are a little muddy, but I think this is what happened:
- An attacker gained staff access to Mailgun.
- They used it to attack Reddit. (See this reddit thread.)
- Specifically, they compromised password reset email for /r/btc mods or the /u/tippr Bitcoin Cash bot or some other BTC/BCH-related sort of thing?
Details are pretty light, but I think this doesn't reflect well on Mailgun, since the lack of detail about how the attacker gained access implies internal controls are poor (i.e., the attacker might have just guessed a password). Mailgun's Security Privacy document suggests that they probably just give everyone full access to everything and only require a password ("using an assigned user name and password"), not MFA.
We currently use Mailgun for mail delivery in the Phacility cluster, as we disclose in our Data Use Policy. We also claim:
We will discontinue use of a service provider if we believe their policies are at odds with our own.
I wrote Mailgun this mean email:
Hi,
I have a few questions about Mailgun's security policies as described in this document:
https://www.mailgun.com/security-privacy
The document states:
"Mailgun will restrict the use of administrative access codes for customer accounts to its employees and other agents who need the access codes for the purpose of providing the Services. ... Mailgun personnel who use access codes shall be required to log on using an assigned user name and password."
Can you provide more information about how restrictive the internal access control was prior to late December, and how restrictive it is now? For example, did essentially all technical staff have access to the content of customer email circa December 25th? Do they still? Put another way: was this control meaningful, or did Mailgun implement policy and technical controls in such a way that essentially all technical staff "need" access to customer API keys to provide the service? Has the implementation of this control changed?
Does the second section quoted above mean that Mailgun did not require staff to use MFA to access customer data prior to late December? Is Mailgun's policy still that a username and password (without additional controls like MFA) are sufficient for staff to access customer data?
Thanks,
Evan
That said, all the other outbound mail providers we've tried have also had major problems, and Mailgun may still be our least bad option. I don't think this incident is especially damning, the writeup just makes it sound extremely foreseeable.
(I'm slightly sympathetic to Mailgun here because I suspect most customers for these services are delivering enormous volumes of marketing mail, not small volumes of transactional mail, and Mailgun's support workload is probably dominated by customers doing mail marketing with very different expectations from customers delivering transactional/account email.)