54M+ Mobile App Users at Risk By Exposed API Keys of Email Marketing Services
Posted: Monday, Dec 26

i 3 Table of Contents

54M+ Mobile App Users at Risk By Exposed API Keys of Email Marketing Services
From KBI

CloudSEK’s BeVigil, the world’s first security search engine for mobile apps, uncovered about 50% of the analyzed (600) apps on the Google play store, leaking API keys of three popular transactional and marketing email service providers; Mailgun, MailChimp, and Sendgrid

Key Findings

  • The USA was the country with the highest number of downloads followed by the UK, Spain, Russia, and India, leaving over 54 million mobile app users vulnerable. 
  • Leaked API keys allow threat actors to perform a variety of unauthorized actions such as sending emails, deleting API keys, and modifying two-factor authentication.

What are API & API Keys

An API (Application Programming Interface) is a piece of software that allows applications to communicate with each other without any human intervention. An API key is a special identification used by users, developers, or calling programs to authenticate themselves to an API. 

What is Mailgun and how can it be exploited?

Mailgun provides email API services enabling brands to send, validate, and receive emails through their domain at scale. An API key leak would allow a threat actor to: 

  • Send Emails
  • Read Emails
  • Get SMTP Credentials
  • Get IP Address
  • Get Statistics
  • Allow creating, accessing, and deleting Webhooks
  • Retrieve mailing lists of customers and launch a phishing campaign
  • List members in a mailing list and show all the subscribed or unsubscribed emails.

What is Mailchimp and how can it be exploited?

Mailchimp is a transactional email service first introduced in 2001 and later launched as a paid service with an additional freemium option in 2009. An API key leak would allow a threat actor to:

  • Read Conversations
  • Fetch Customer Information
  • Expose email lists of multiple campaigns containing PII 
  • Authorize 3rd party applications connected to a MailChimp account
  • Manipulate Promo Codes
  • Start a fake campaign and send emails on behalf of the company

What is SendGrid and how can it be exploited?

SendGrid is a communication platform intended for transactional and marketing emails. They provide cloud-based services to assist businesses with shipping notifications, friend requests, sign-up confirmations, email newsletters, etc. An API key leak would allow a threat actor to:

  • Send emails
  • Create API Keys
  • Control IP addresses used to access accounts.


In modern software architecture, APIs integrate new application components into existing architecture. So its security has become imperative. Software developers must avoid embedding API keys into their applications and should follow secure coding and deployment practices like: 

  • Standardize Review Procedures
  • Rotate Keys
  • Hide Keys
  • Use Vault 

Responsible Disclosure 

CloudSEK has notified the involved entities and the affected apps about the hardcoded API keys.

About CloudSEK

CloudSEK is a contextual AI company that predicts Cyber Threats.

At CloudSEK, we combine the power of Cyber Intelligence, Brand Monitoring, Attack Surface Monitoring, Infrastructure Monitoring and Supply chain to give context to our customers’ digital risks. 

To learn more about CloudSEK, visit https://cloudsek.com/.

Media Contact:

Shashank Shekhar



The Production Team
The KBI Production Team is a staff of specialist technology professionals with a detailed understanding across much of cybersecurity and emerging technology. With many decades of collective industry experience, as well as expertise in marketing & communications, we bring news and analysis of the cybersecurity industry.
Share This