• by Ray Schultz , August 28, 2020

SendGrid customer passwords have been cracked and sold to spammers for use in phishing and malware attacks, according to an article published today on Krebs on Security. 

One individual who uses the handle “Kromatix” is offering over 400 compromised SendGrid user accounts, Krebs writes. 

The problem appears to be that SendGrid, a Twilio brand, does not yet require two-factor authentication, but the company is working on it. 

"Twilio believes that requiring 2FA for customer accounts is the right thing to do, and we’re working towards that end,” says Steve Pugh, chief security officer at Twilio. 

Pugh adds, “2FA has proven to be a powerful tool in securing communications channels. This is part of the reason we acquired Authy and created a line of account security products and services.”

He continues that “Twilio, like other platforms, is forming a plan on how to better secure our customers’ accounts through native technologies such as Authy and additional account level controls to mitigate known attack vectors." 

According to Krebs, Kromatix wrote in an August 23 sales thread, “I have a large supply of cracked Sendgrid accounts that can be used to generate an API key which you can then plug into your mailer of choice and send massive amounts of emails with ensured delivery.”  

Kromatix added, “Sendgrid servers maintain a very good reputation with [email service providers] so your content becomes much more likely to get into the inbox so long as your setup is correct.” 

Although Twilio seeks to address the problem, the incident has prompted critical comment from observers.  

"The Sendgrid hack is a reminder of the importance of identity management for all businesses,” says Torsten George, cybersecurity evangelist at Centrify. 

George says, “It's actually quite shocking that an organization that works with business customers for marketing purposes didn't already have multi-factor authentication (MFA) in place for users, and implementing it as a requirement is a critical first step that should happen urgently.” 

However, George concludes: "It's positive to see that parent company Twilio is already working on this."

Krebs writes that “when a Sendgrid customer account gets hacked and used to send malware or phishing scams, the threat is particularly acute because a large number of organizations allow email from Sendgrid’s systems to sail through their spam-filtering systems.”

George notes that “cybercriminals will use stolen passwords in credential stuffing attacks, which use breached details to break into other accounts,” and says SendGrid customers should change their passwords.