2.3 million emails. One exposed API key. $10K bill.

January 13, 2026

How a DMARC forensic analysis uncovered an API key exposure that led to 2.3 million unauthorized emails and a $10K Twilio bill.

A Twilio bill spiked more than 500× after an exposed API key was abused to send 2.3 million emails through a company’s SendGrid infrastructure.

In December, our forensic analysis of DMARC reports flagged an abnormal surge in outbound traffic from a fully authenticated domain. The pattern was illegitimate, so we escalated. The client’s engineering vendor later confirmed that SendGrid API keys had been exposed due to what they believed was a Next.js vulnerability.
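
The detection described above, as an added example (not code from the original post or from the client): parse a DMARC aggregate (RUA) report, sum the volume of mail that passed both DKIM and SPF per source IP, and flag any authorized sender whose volume exceeds a multiple of its usual baseline. The report XML, the IP addresses and the baseline counts are all constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample DMARC aggregate report (RFC 7489 format), not a real one.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name>
    <date_range><begin>1765756800</begin><end>1765843200</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record><row><source_ip>198.51.100.10</source_ip><count>230000</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.7</source_ip><count>1200</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.99</source_ip><count>40</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def authenticated_volume(report_xml):
    """Return {source_ip: count} for rows where both DKIM and SPF passed.
    Mail sent with a leaked sending-API key is fully authenticated, so only
    passing rows matter here; failures are a separate (spoofing) signal."""
    root = ET.fromstring(report_xml)
    volume = defaultdict(int)
    for rec in root.iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        if pe.findtext("dkim") == "pass" and pe.findtext("spf") == "pass":
            volume[row.findtext("source_ip")] += int(row.findtext("count"))
    return dict(volume)

def volume_anomalies(volume, baseline, factor=5.0):
    """Flag sources whose authenticated volume exceeds factor x their baseline.
    baseline: {source_ip: typical count per report period}; unknown senders
    have baseline 0, so any authenticated mail from them is flagged."""
    return {ip: (n, baseline.get(ip, 0)) for ip, n in volume.items()
            if n > factor * baseline.get(ip, 0)}

if __name__ == "__main__":
    # Constructed baseline: what these two authorized senders normally emit.
    baseline = {"198.51.100.10": 1000, "203.0.113.7": 1500}
    for ip, (seen, usual) in volume_anomalies(authenticated_volume(SAMPLE_REPORT), baseline).items():
        print(f"ALERT {ip}: {seen} authenticated messages vs baseline {usual}")
```

In practice the baseline comes from the same sender's counts over earlier report periods, so a sustained 500× jump from an otherwise legitimate source stands out immediately.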

The keys were revoked quickly, but domain reputation was impacted, deliverability eroded across the organization, and the company absorbed a financial hit. The company’s credibility plummeted.

A reminder that vendor security practices are your security practices. And rebuilding trust from that kind of damage takes months, if not years.
