On the importance of executing a leaver’s checklist

Last summer I received an email from SendGrid thanking me for subscribing to 300,000 email credits/month. I hadn’t done this, and assumed it was a phishing attempt. I’m now reasonably sure it was a consultant I had worked with who had repurposed an idle account.

I didn’t click the links in the email, but I went through the 2FA login, and sure enough, there was an invoice. No emails sent. At first I figured SendGrid’s accounting system had screwed up. I complained to support, and thought that was that.

Five minutes later I wondered: why hasn’t my banking app notified me about a charge? I looked again, and noticed the billing details on the invoice were for a different name and address, and not anyone I knew of. I couldn’t match the four digits of the card number to any I had. Someone had added a valid card and address (not mine) to the account.

By now one email had been sent from the account. I deleted the consultant login. I found the API key settings, and removed the keys. In that time, about 150 emails had gone out of a possible 300k.

I heard nothing from SendGrid, and nothing from the consultant. When I deleted the account I gave “concerns about unauthorised account access or fraud” as my reason. I thought that might wake someone up. It didn’t - I never heard a thing back about this.

What happened? I assume someone needed warm email reputation. The consultant facilitated access, as I could see that there was a login from the consultant’s location, followed by an API key access. Plausibly it could be a mistake, but if so I’d expect a reply to an email asking what was going on.

Lesson: be careful who you trust, and delete accounts you don’t use.