Remediation of Credential Leaks: API Token and SMTP Credentials

If you have found your credentials (API token or SMTP username and password) have been leaked by either yourself or a third party, be sure to take the following actions. This tutorial will guide you through the steps necessary to remediate credential leaks and ensure the security of your accounts and data.

Revoke Existing Credentials

In order to prevent unauthorized access, you must revoke the leaked credentials as soon as possible. This process varies depending on the type of credential.

MailerSend API Token

  1. Log in to your MailerSend dashboard.
  2. Navigate to the “Settings” page on the left sidebar.
  3. Click on the "API Tokens" tab.
  4. Identify the leaked token, click the dropdown menu, and then the "Delete" button. This will immediately invalidate the token and prevent further access.

[Screenshot: Delete API token]

SMTP Username and Password

  1. Log in to your MailerSend dashboard.
  2. Navigate to "Domains" in the left sidebar.
  3. Select the affected domain name in the list.
  4. Scroll down to the “SMTP” section and click the "Reset Password" button to create a new SMTP password. This will invalidate the old password and prevent unauthorized access using the leaked credentials.

[Screenshot: Reset SMTP password]

Remove the Leaked Credential from Git Repositories (GitHub, GitLab, etc.)

Leaked credentials may remain in your repository's commit history even after being removed from your code's current version. To remove the leaked credentials from your Git history, follow these steps:

  1. Clone the repository locally if you haven't already.
  2. Use a tool like BFG Repo-Cleaner or git-filter-repo to remove the sensitive data from every commit in your repository's history.
  3. Force-push the cleaned repository to overwrite the remote repository's history. Note that rewriting history will cause conflicts for other users who have cloned the repository, so communicate the change to your team before pushing.

If a complete history cleanup isn't feasible, at minimum remove the credentials from the current version of your code. Because the leaked values remain in the history and must be treated as compromised, revoking them (see above) is still required.

Create New Credentials

After removing and revoking the leaked credentials, generate new ones to regain access to MailerSend services.

MailerSend API Token

  1. Return to the MailerSend dashboard and navigate to "Domains" in the left sidebar.
  2. Select your domain name in the list.
  3. Scroll to the "API Token" section and click the "Create new token" button.
  4. Assign a name to the new token and select the necessary permissions.

[Screenshot: Create API Token]

SMTP Username and Password

Use the new SMTP password you generated in the previous step. The SMTP username remains unchanged.

Securely Store and Use the New Credentials

To prevent future leaks, store and use your new credentials securely. Here are some best practices:

  • Avoid hardcoding credentials in your source code
  • Store sensitive values in environment variables and read them from your code at runtime
  • If you need to store credentials in a file, use a file such as .env and add it to your .gitignore so it cannot be accidentally committed
  • Use a secret management service, such as HashiCorp Vault or AWS Secrets Manager, to store and manage sensitive information securely
  • Educate your team about the importance of credential security and these best practices
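The following is an added example (not MailerSend's own code) of the environment-variable and .env practices above: credentials are read from the process environment or a git-ignored .env file, never from source, loading fails closed when a value is missing, and the object never echoes secrets into logs. The variable names MAILERSEND_API_TOKEN, MAILERSEND_SMTP_USER and MAILERSEND_SMTP_PASSWORD are assumed, not names MailerSend prescribes.

```python
"""Load MailerSend credentials from the environment instead of source code.

Added example, not MailerSend's code. The variable names below are assumptions.
"""
import os
from dataclasses import dataclass
from typing import Dict, Mapping, Optional

REQUIRED = ("MAILERSEND_API_TOKEN", "MAILERSEND_SMTP_USER", "MAILERSEND_SMTP_PASSWORD")


def mask(secret: str, keep: int = 4) -> str:
    """Log-safe form of a secret: only the last `keep` characters stay visible."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


@dataclass(frozen=True)
class Credentials:
    api_token: str
    smtp_user: str
    smtp_password: str

    def __repr__(self) -> str:
        # Never let a debug print or traceback leak the raw values.
        return f"Credentials(api_token={mask(self.api_token)}, smtp_user={self.smtp_user!r}, smtp_password=***)"


def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE parser for a .env file: blank lines and '#' comments are
    skipped and matching surrounding quotes are stripped. Keep the file in .gitignore."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        out[key.strip()] = value
    return out


def load_credentials(env: Optional[Mapping[str, str]] = None, dotenv_text: str = "") -> Credentials:
    """Real environment variables override .env values; fail closed if any is missing."""
    merged = dict(parse_dotenv(dotenv_text))
    merged.update(env if env is not None else os.environ)
    missing = [k for k in REQUIRED if not merged.get(k)]
    if missing:
        raise RuntimeError(f"missing credentials: {', '.join(missing)}")
    return Credentials(merged[REQUIRED[0]], merged[REQUIRED[1]], merged[REQUIRED[2]])
```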

By following these steps, you can effectively remediate credential leaks and protect your MailerSend API tokens and SMTP credentials from unauthorized access.
