https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/
also sheds light on the issue too.
<shrug>. SendGrid knows (or should know) that it has compromised accounts.
It could find out what some of them are for free by downloading Rob's list
of 25 or so compromised accounts. It could find out what some of the other
400 are for $15 each, and could find out what some of the major offenders
are for $400 each. Let's see, 400 compromised accounts times $400 is $16,000
dollars. SendGrid or Twilio can't afford a $16,000 cash outlay to find the
account names of the major compromised accounts? Their head of security
probably gets that much a month in salary and bonuses. It would be a trivial
expense.
So what could they do once they knew which accounts are compromised?
Are they helpless, and can only wring their hands and issue press releases
saying They Have A Plan?
No. They can SHUT THE DAMN ACCOUNTS DOWN. Issue refunds to the owners if
they feel generous. Tell the owners to open new accounts with 2FA.
But they won't do this, because they get their money from sending spam.
Loren