Cyber Incident Victim: Twilio SendGrid
Date: Aug 2020
Location: United States of America
Summary
SendGrid experienced a significant surge in compromised customer accounts exploited by spammers to distribute phishing emails and malware, leveraging the platform's established sender reputation to bypass spam filters. The parent company acknowledged the increase in account compromises and planned to mandate multi-factor authentication, though this protection remained optional at the time. Cybercriminals sold access to hundreds of hijacked accounts, pricing them by monthly email volume capacity, while obfuscated (click-tracking) links in malicious messages prevented recipients from judging the risk of a link's destination. Anti-spam experts reported unprecedented volumes of harmful content originating from the service compared to other providers, prompting specialized blocklists and warnings that major email platforms might aggressively filter its traffic if the abuse persisted.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In mid-2020, SendGrid, an email service provider owned by Twilio, faced a significant surge in compromised customer accounts exploited for distributing phishing emails, malware, and spam. Attackers gained unauthorized access by cracking passwords and by exploiting credential reuse, where customers had used the same password across multiple websites. These breached accounts were actively traded on cybercrime forums, with one seller known as "Kromatix" offering over 400 accounts priced according to monthly email volume capacity—ranging from $15 for accounts sending 40,000 emails to $400 for those capable of transmitting 10 million messages. The compromised accounts allowed threat actors to generate API keys, integrate them into email platforms, and abuse SendGrid’s infrastructure to send malicious content. SendGrid’s architecture exacerbated the issue: emails sent through its system used link obfuscation (click-tracking redirects) for engagement metrics, which masked malicious destinations, while its strong sender reputation ensured high inbox placement rates, bypassing many spam filters. Anti-spam experts reported a marked increase in malicious email volume originating from SendGrid compared to other providers, with one firm noting it had become the dominant source of criminal phishing and virus-laden emails in recent months.

The incident severely impacted organizations relying on SendGrid for legitimate communications, as recipients struggled to distinguish between authentic and malicious messages. Anti-spam entities observed escalating abuse levels, prompting Invaluement.com to create a dedicated blocklist filtering SendGrid emails from known abusive accounts—a measure implemented after customers complained about malicious emails reaching their inboxes. Twilio’s Chief Security Officer acknowledged the rise in account compromises and confirmed plans to mandate multi-factor authentication (2FA) for all customers, leveraging Authy—a 2FA solution Twilio acquired in 2015—though this requirement was not yet enforced at the time of reporting. Industry critics, including CAUCE’s executive director, criticized SendGrid’s delayed implementation of mandatory 2FA, emphasizing that single-factor authentication was inadequate for a high-risk platform in 2020. The persistent abuse raised concerns that major email providers might algorithmically downgrade SendGrid’s sender reputation if the issue remained unaddressed, potentially disrupting legitimate customer communications. Meanwhile, compromised accounts continued to fuel spam operations, exploiting SendGrid’s infrastructure until broader security measures could be deployed.
