2.3 million emails. One exposed API key. $10K bill.
January 13, 2026
How a DMARC forensic analysis uncovered an API key exposure that led to 2.3 million unauthorized emails and a $10K Twilio bill.
How a DMARC forensic analysis uncovered an API key exposure that led to 2.3 million unauthorized emails and a $10K Twilio bill.
A Twilio bill spiked more than 500× after an exposed API key was abused to send 2.3 million emails through a company’s SendGrid infrastructure.
In December, our forensic analysis of hashtag#DMARC reports flagged an abnormal surge in outbound traffic from a fully authenticated domain. The pattern was Illegitimate, so we escalated. The client’s engineering vendor later confirmed that SendGrid API keys had been exposed due to what they believed was a hashtag#NextJS vulnerability.
The keys were revoked quickly, but domain reputation was impacted, deliverability eroded across the organization, and the company absorbed a financial hit. The company’s credibility plummeted.
A reminder that vendor security practices are your security practices. And rebuilding trust from that kind of damage takes months, if not years.
