How a DMARC forensic analysis uncovered an API key exposure that led to 2.3 million unauthorized emails and a $10K Twilio bill.

A Twilio bill spiked more than 500× after an exposed API key was abused to send 2.3 million emails through a company’s SendGrid infrastructure.
In December, our forensic analysis of #DMARC aggregate reports flagged an abnormal surge in outbound traffic from a fully authenticated domain: the mail passed SPF and DKIM and was aligned with the domain, so DMARC enforcement could not have blocked it. The pattern did not match legitimate sending, so we escalated. The client's engineering vendor later confirmed that SendGrid API keys had been exposed through what they believed was a #NextJS vulnerability.
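As an added illustration, not code from the original post or from the analysis it describes, here is the shape of the check that catches this class of incident: parse DMARC aggregate (RUA) reports, sum the message counts that passed DMARC per day, flag any day whose volume jumps far above the median of earlier days, and list the source IPs behind the jump. The sample reports, domain, IP addresses and thresholds below are constructed for the example.

```python
"""Flag abnormal surges of DMARC-passing mail in aggregate (RUA) reports."""
import statistics
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timezone

DAY = 86400
BASE = 1_700_000_000  # arbitrary epoch anchor for the constructed sample data


def _report(begin_ts, rows):
    """Build a minimal RFC 7489 aggregate report. Constructed test data only."""
    recs = "".join(
        f"<record><row><source_ip>{ip}</source_ip><count>{n}</count>"
        f"<policy_evaluated><disposition>none</disposition>"
        f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
        f"<identifiers><header_from>example.com</header_from></identifiers></record>"
        for ip, n, dkim, spf in rows
    )
    return (
        f"<feedback><report_metadata><org_name>mailbox-provider.test</org_name>"
        f"<date_range><begin>{begin_ts}</begin><end>{begin_ts + DAY - 1}</end></date_range>"
        f"</report_metadata><policy_published><domain>example.com</domain></policy_published>"
        f"{recs}</feedback>"
    )


# Four quiet days from the usual sending IP, then a day where a second source
# (hypothetically, the abused ESP credential) sends two orders of magnitude more.
SAMPLE_REPORTS = [
    _report(BASE + 0 * DAY, [("198.51.100.10", 410, "pass", "pass"), ("203.0.113.5", 12, "fail", "fail")]),
    _report(BASE + 1 * DAY, [("198.51.100.10", 395, "pass", "pass")]),
    _report(BASE + 2 * DAY, [("198.51.100.10", 420, "pass", "pass"), ("203.0.113.5", 9, "fail", "fail")]),
    _report(BASE + 3 * DAY, [("198.51.100.10", 405, "pass", "pass")]),
    _report(BASE + 4 * DAY, [("198.51.100.10", 430, "pass", "pass"),
                             ("198.51.100.77", 58000, "pass", "fail"),   # aligned DKIM pass => DMARC pass
                             ("203.0.113.5", 900, "fail", "fail")]),     # spoofing, already blocked by policy
]


def parse_report(xml_text):
    """Yield (day, source_ip, count, dmarc_pass) for each record in one RUA report."""
    root = ET.fromstring(xml_text)
    begin = int(root.findtext("report_metadata/date_range/begin"))
    day = datetime.fromtimestamp(begin, tz=timezone.utc).date().isoformat()
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        pe = rec.find("row/policy_evaluated")
        # policy_evaluated holds the *aligned* results; DMARC passes if either does.
        dmarc_pass = pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass"
        yield day, ip, count, dmarc_pass


def authenticated_volume(reports):
    """Sum DMARC-passing message counts per day and per (day, source_ip)."""
    per_day = defaultdict(int)
    per_ip = defaultdict(int)
    for xml_text in reports:
        for day, ip, count, dmarc_pass in parse_report(xml_text):
            if dmarc_pass:
                per_day[day] += count
                per_ip[(day, ip)] += count
    return dict(per_day), dict(per_ip)


def find_surges(reports, factor=10.0, min_history=3):
    """Return [(day, volume, baseline, [(ip, count), ...])] for days whose
    DMARC-passing volume exceeds `factor` x the median of all earlier days."""
    per_day, per_ip = authenticated_volume(reports)
    days = sorted(per_day)
    flagged = []
    for i, day in enumerate(days):
        history = [per_day[d] for d in days[:i]]
        if len(history) < min_history:
            continue  # not enough baseline yet
        baseline = statistics.median(history)
        if per_day[day] > factor * baseline:
            senders = sorted(((ip, n) for (d, ip), n in per_ip.items() if d == day),
                             key=lambda s: -s[1])
            flagged.append((day, per_day[day], baseline, senders))
    return flagged


if __name__ == "__main__":
    for day, vol, base, senders in find_surges(SAMPLE_REPORTS):
        print(f"{day}: {vol} DMARC-passing messages vs baseline {base:.0f}; top sources: {senders[:3]}")
```

Real RUA reports arrive as gzip or zip attachments to the `rua=` mailbox, so decompress before handing the XML to `parse_report`. The point of the filter is that the spoofing rows (DKIM and SPF both failing) are noise here; the dangerous traffic is the authenticated volume, which is exactly what an abused API key at a legitimate ESP produces and what a DMARC reject policy will happily deliver.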
The keys were revoked quickly, but domain reputation was impacted, deliverability eroded across the organization, and the company absorbed a financial hit. The company’s credibility plummeted.
A reminder that vendor security practices are your security practices. And rebuilding trust from that kind of damage takes months, if not years.