We’re sorry – an update on a recent email issue
Let's Unmute The Audience🎙️. Down with boring, one-way presentations 😡
Hi,
This is one of those emails that as a founder you hope you never have to write, but nevertheless we have to be transparent about what’s happened to many of our users over the last couple of days.
First, I’d like to apologize to everyone who has been affected by unsolicited emails that have been sent from StreamAlive. I know how frustrating and confusing it is for you, and I’m deeply sorry.
Here’s what happened
At around 8am Eastern Time we started receiving messages from users saying that they are getting spam and phishing emails coming from StreamAlive but are being sent by random email addresses.
Other messages reported that they were receiving complaint emails from random people who wanted to be taken off the StreamAlive email list.
Naturally this is hugely concerning for us and we immediately investigated what was going on.
We narrowed the cause down to our Mailgun account which is an email delivery system that we use.
The system was accessed and used to send a large volume of emails to our users. The way the attack was orchestrated was for messages to be sent between contacts, which may have looked like emails coming from other users.
What this means for you
You may have received a large number of unexpected or duplicate emails
Your email address may have appeared as the sender of some messages
You may have received emails from confused people asking to be removed
To be clear:
Your email address has not been compromised or hijacked.
The attacker used StreamAlive’s email to send the email and made it look like it was coming from someone else’s email. All the messages were sent through the Mailgun system using StreamAlive’s infrastructure, not your mailbox.
No other details were exposed to the hacker except your email address.
What we’ve done
We were able to shut this attack down and secure our Mailgun account.
Removed all user emails from Mailgun
Disabled all outbound email sending
Removed all API keys
Rotated all API keys in other tools
We’re also working closely with Mailgun to understand exactly how the attacker was able to access our Mailgun account and SMTP email server, and ensure that it can’t happen again.
Where things stand
The attack has been contained, and no further emails are being sent.
At this stage, we have no evidence that any systems beyond our 3rd party email delivery setup were accessed. We’re continuing to investigate and will share a further update once we have a definitive root cause.
We know this isn’t the kind of experience you expect from us, and I’m so very sorry for the disruption it caused.
We’re taking this seriously and putting additional safeguards in place so that even if something like this were attempted again, it hopefully wouldn’t be possible.
If you have any questions or concerns, just reply to this email and we’ll get back to you.
Thanks for your patience,
Lux Narayan
CEO & Co-Founder
StreamAlive
Thanks, Lux. This is just the type of open, honest response I’ve come to expect from you. I know the situation was a little scary, but “these things happen” and I appreciate your response.