re: Please don't commit .env


A (foolish) friend of mine once hardcoded my Mailgun keys in the project code and pushed it to a public GitHub repo. Well, guess what, I had a $600 bill, with about 1.6 million emails sent over the next few hours. When I got to know this, I was dumbstruck and contacted Mailgun, who said that my account has been compromised by a spammer and even gave me the link to the code that contained my keys!

However, they insisted that I clear the $600, since it was usage on my account anyway. I didn't, but they kept sending me reminders.

Moral of the story: Beware of Mailgun customer "support".
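The incident above is the usual outcome of a hardcoded key reaching a public repository. As an added defensive example (not code from the thread or from Mailgun), here is a git pre-commit hook that refuses to commit `.env` files and staged lines that look like a hardcoded API key. The key-format patterns (a `key-` prefix followed by 32 hex characters, and `MAILGUN_*`/`API_KEY`-style assignments with a long literal value) and the sample lines are assumptions made for illustration:

```shell
#!/bin/sh
# Constructed pre-commit hook (illustrative, not from the original thread).
# Copy to .git/hooks/pre-commit and chmod +x; it aborts the commit when a
# staged file is an environment file or contains a key-looking literal.

# Succeeds (returns 0) when the path is an environment file that must never
# be committed: .env, .env.production, local.env, ...
is_env_file() {
  case "$(basename -- "$1")" in
    .env|.env.*|*.env) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeeds (returns 0) when stdin contains a line resembling a hardcoded
# secret. The patterns are assumptions: "key-" plus 32 hex chars, or an
# api/mailgun key/secret assignment whose value is a long literal token.
has_hardcoded_secret() {
  grep -Eiq 'key-[0-9a-f]{32}|(api|mailgun)_?(key|secret)[[:space:]]*[:=][[:space:]]*.?[A-Za-z0-9_-]{16,}'
}

# Walks the staged (added/modified) files and reports every violation
# before returning non-zero, so the committer sees all problems at once.
check_staged() {
  status=0
  for f in $(git diff --cached --name-only --diff-filter=AM); do
    if is_env_file "$f"; then
      echo "blocked: $f is an environment file; add it to .gitignore instead" >&2
      status=1
    elif git show ":$f" | has_hardcoded_secret; then
      echo "blocked: $f contains what looks like a hardcoded API key" >&2
      status=1
    fi
  done
  return $status
}

# Constructed sample lines (the key value is made up) showing what the
# scanner flags and what it lets through.
SAMPLE_LEAK='mailgun_api_key = "key-0123456789abcdef0123456789abcdef"'
SAMPLE_SAFE='MAILGUN_API_KEY = os.environ["MAILGUN_API_KEY"]'

# Only run the staged-file check when git invokes this file as the hook.
if [ "$(basename -- "$0")" = "pre-commit" ]; then
  check_staged
  exit $?
fi
```

The hook is a last line of defence on the developer's machine; the same two checks are worth running in CI on every push, since a hook can be bypassed with `git commit --no-verify`, and a key that has already been pushed should be treated as compromised and rotated regardless of how quickly the commit is removed.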


As if it was the fault of Mailgun... It's your friend's fault, and yours for giving him these credentials.


As if it was the fault of Mailgun

I never said that.

It's your friend's fault, and yours for giving him these credentials.

We were doing a project together and I was the one that created the Mailgun account. How could I have known in advance he'd just hard-code it into the source files?

The point is that these issues can be handled more sensibly by a company. AWS does this all the time, writing off bills caused by DDoS attacks eating up all the bandwidth, etc. Mailgun were the ones who found out that the account was compromised, told me that it was used by a spammer, and then insisted that I pay the bills. Great experience for me!


Oh, no. That's just really unfortunate. Do they still remind you to this day or did they terminate the service?


They followed up for a really long time, sent several emails, and even tried to charge my credit card (which I had blocked by then). As of now, they've disabled my account. 🤓

I had half a mind to write a blog post about this incident and tweet it, but then decided to let it go.

Wow. It makes me wonder what the hijacker did to rack up a bill of $600.

They sent emails like "you've won a $1 million lottery" and other such scams. Somehow, I'm sure that of all the 1.6 million that were affected by this campaign, I lost the most!

How typical of them. Hays... 🤦‍♂️
