mailgun Error":"exposed account credentials

Question

I am attempting to validate an email but when I follow the mailgun docs and have code such as follows

https://documentation.mailgun.com/en/latest/user_manual.html#email-validation

EMAILPUBLICVALIDATIONKEY = 'my sexy key'

def validateemail(emailaddress):
    return requests.get(
        "https://api.mailgun.net/v3/address/validate",
        auth=("api", EMAILPUBLICVALIDATIONKEY ),
        params={'address': emailaddress}
    )

I get the response

["{"Error":"exposed account credentials"}"]0: "{"Error":"exposed account credentials"}"length: 1__proto__: Array(0)

Answer 1

I haven't actually gotten this error in MailGun before. But I'm assuming exposed account credentials means that your API key got exposed and they deactivated it in order to try to protect you.

Kinda unrelated, but GitHub recently released a feature where they will scan commits for API keys and tokens and notify the company that it was exposed. Doesn't look like as of posting this MailGun is on that list, but there is also a slim chance since it's in beta that list hasn't been updated. https://help.github.com/articles/about-token-scanning/

Answer 2

This is most likely due to exposing a Mailgun API key on Github. I had the API key in a file and commented it out but still got flagged. If you file a ticket on Mailgun, a reply will be sent with these instructions:

    Due to the compromise, you will need to take a few steps to secure your Mailgun account:

    - Remove the repository from Github or making the repository private. A new commit will not overwrite the previous commit history which contains the password.
    - Please log in to the Mailgun Control Panel and reset your Mailgun account password. Click your email address in the top right, "Edit Account Info" -> "Password Change" section.
    - Enable 2 Factor Authentication. Click your email address in the top right > Security > Two-Factor Authentication section.
    - Reset your Mailgun API key. Under "Account Settings" -> "Security" click the refresh symbol to generate a new API key.
    - Reset your SMTP credentials. Go to the "Domains" tab and repeat the following process for each domain listed in this view.