Ask HN: Has Brevo (formerly SendInBlue) been compromised?
14 points by richrichardsson on May 19, 2023 | 10 comments
I've been trying to figure out how it was that 20k crypto-bullshit spam messages have been "loaded by proxy" on my account.

I've made sure 2FA is enabled, I've made sure no other logins are active in my account, but still every time I delete an API key from the admin panel a new one reappears a few minutes later.

I can't understand how this is happening unless they themselves have been compromised.

Waiting for 2 hours so far for a response from their support.



If you've double-checked that logout/invalidation doesn't help, you could try the Twitter support... "Does anyone know a security contact at Brevo? #infosec" That's usually a good way to turn some heads.


Hi there, we appreciate your diligence in keeping us informed about potential security breaches, and we are happy to address your concerns. After thoroughly investigating the matter, we can confidently assure you that there has been no security breach at Brevo. The issue mentioned in this thread appears to be isolated and specific to this case.

If you have any further questions or concerns regarding this matter, please do not hesitate to reach out to us on contact@brevo.com. We are here to provide any additional information and support you may need. Thanks and have a great day, your Brevo team


> I can't understand how this is happening unless they themselves have been compromised.

There may be some nuance between "been compromised" and "have a bug where not all sessions are invalidated". (As in, can anyone's account be compromised, or do they need a legit first login to keep coming back)


So I finally got some responses from support.

They told me they logged everyone out, yet the existing session I had continued to work.

I changed the password, AGAIN at their request, and now my account has been suspended.

Seriously pissed off right now with crypto-bros.


Right, something seriously fishy going on though. These API keys get generated after a few minutes of me deleting them, and then a new email gets sent. I'm seriously stressed out by all this.


Did you check the logs of your account in the dashboard? Can you see the email sent?


Yes, they are all like this:

```
Exceptional news for the XRP Community

The Foundation is delighted to set forth a 30-day reward program for the Ripple supporters and XRP holders.

Receive 30% more XRP on top of your holdings. Here's how to get your account topped up:
```
etc.


I even shut down my server for half an hour in case it had somehow been compromised without my knowledge, but still emails were being sent in that window.


what if it's your computer that's compromised?


I tested that hypothesis by shutting down my server and unplugging my router, so nothing under my control (except for a phone) was connected to the internet, but the symptoms still persisted. I was still waiting on an answer from Brevo about how these API keys were being created, but it was still happening even during that test period.

In the end it was my stupidity though that was the problem:

I had moved servers recently, the new server I was on was not respecting the .htaccess file within a .git directory to deny all requests. This must have exposed my API key for Brevo.

Lessons learned:

* don't assume security measures you assumed still worked actually do - test them!

* don't hard code important keys into code, use environment variables!
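The first lesson above, "test them!", turned into a check. This is an added example, not code from the thread: it requests .git/HEAD and .git/config on a site you operate and reports whether the deny rule is actually being enforced. The host URL is a command-line argument; the two path signatures and the offline sample replies are constructed for the example.

```python
import re
import sys
import urllib.error
import urllib.request

# A genuine .git/HEAD is a symbolic ref or a bare 40-hex commit id;
# a genuine .git/config opens with the [core] section.
SIGNATURES = {
    "/.git/HEAD": re.compile(rb"^(ref: refs/\S+|[0-9a-f]{40})\s*$"),
    "/.git/config": re.compile(rb"^\s*\[core\]"),
}


def classify(path: str, status: int, body: bytes) -> str:
    """Classify one HTTP reply as 'exposed', 'blocked' or 'inconclusive'.
    Only a 200 whose body looks like real git metadata counts as exposed; a
    200 that is really an HTML error page is flagged for a closer look."""
    if status == 200 and SIGNATURES[path].match(body):
        return "exposed"
    if status in (401, 403, 404):
        return "blocked"
    return "inconclusive"


def fetch(base_url: str, path: str, timeout: float = 5.0) -> tuple[int, bytes]:
    """GET base_url + path; return (status, first 512 bytes of the body)."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(512)
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read(512)


def check_git_exposure(base_url: str) -> dict[str, str]:
    """Probe each signature path on a host you operate and classify the reply."""
    return {p: classify(p, *fetch(base_url, p)) for p in SIGNATURES}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python check_git.py https://your-site.example
        results = check_git_exposure(sys.argv[1])
    else:  # constructed sample replies so the script also runs offline
        results = {"/.git/HEAD": classify("/.git/HEAD", 200, b"ref: refs/heads/main\n"),
                   "/.git/config": classify("/.git/config", 403, b"Forbidden\n")}
    for path, verdict in results.items():
        print(f"{path}: {verdict}")
    sys.exit(1 if "exposed" in results.values() else 0)
```

Putting the deny rule in the main server configuration (for Apache 2.4, a `<DirectoryMatch>` block with `Require all denied`) rather than in a .htaccess file removes the dependency on the server honouring .htaccess files at all, which is what failed here.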



