Application Programming Interface (API) keys of three well-known transactional and marketing email service providers were 50% exposed in an analysis of 600 Google Play store apps by CloudSEK’s BeVigil security search engine.
MailChimp, SendGrid, and Mailgun were the providers. The impacted apps and all involved parties have been informed of the hardcoded API keys by CloudSEK. Threat actors can send emails, delete API keys, and alter two-factor authentication thanks to the stolen API keys, among other illicit acts (2FA).