Resend recently disclosed a security incident in which attackers gained access to customer data, including emails sent, domains, API keys (encrypted), logs, and contacts, through an exposed database API key. The attack occurred on December 30th, when the attackers discovered the key exposed as an environment variable on the client side of the Resend Dashboard. The incident was not immediately detected during the holiday weekend, but an alarm was put in place to prevent similar incidents from happening to other users. The data accessed included recipient addresses, sender addresses, sent dates, subjects, and bcc/cc information; the attackers did not access email content or unencrypted private keys.

To mitigate the incident, Resend has taken preventative measures: removing database API environment variables, rotating database access keys, enforcing MFA across systems touching the database, conducting org-wide password resets, and partnering with a third-party cybersecurity company to conduct an exhaustive investigation.
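
One way to catch this class of exposure before deployment, as an added example that is not Resend's code: a Node.js check that searches built client assets for the values of server-only environment variables. The `PUBLIC_` prefix convention, the variable names and the sample bundle are assumptions constructed for illustration.

```javascript
// Added example: build gate that flags server-only secret values inlined in client assets.
// Assumption: variables intended for the browser carry an explicit public prefix.
const PUBLIC_PREFIXES = ["PUBLIC_"];
const MIN_SECRET_LENGTH = 12; // ignore short values ("true", "3000") that match by accident

// Forms in which a secret value can appear inside a built bundle.
function variants(value) {
  return {
    raw: value,
    base64: Buffer.from(value, "utf8").toString("base64"),
    urlencoded: encodeURIComponent(value),
  };
}

// Returns [{ name, encoding }] for each server-only variable whose value occurs in bundleText.
function findLeakedSecrets(bundleText, env) {
  const findings = [];
  for (const [name, value] of Object.entries(env)) {
    if (PUBLIC_PREFIXES.some((p) => name.startsWith(p))) continue;
    if (typeof value !== "string" || value.length < MIN_SECRET_LENGTH) continue;
    for (const [encoding, needle] of Object.entries(variants(value))) {
      if (bundleText.includes(needle)) {
        findings.push({ name, encoding }); // report the name only, never the value
        break;
      }
    }
  }
  return findings;
}

// Recursively scans the .js, .html and .map files of a build output directory.
async function scanBuildDir(dir, env) {
  const fs = await import("node:fs");
  const path = await import("node:path");
  const results = [];
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) results.push(...(await scanBuildDir(full, env)));
    else if (/\.(js|html|map)$/.test(entry.name)) {
      const text = fs.readFileSync(full, "utf8");
      results.push(...findLeakedSecrets(text, env).map((f) => ({ file: full, ...f })));
    }
  }
  return results;
}

// Constructed sample data: a fake key and a fake bundle that inlines it.
const SAMPLE_ENV = { DATABASE_API_KEY: "constructed-db-key-0001", PUBLIC_APP_NAME: "dashboard-example", PORT: "3000" };
const SAMPLE_BUNDLE = 'const cfg={app:"dashboard-example",db:"constructed-db-key-0001"};';
```

In a pipeline, `scanBuildDir` would be run against the build output directory with `process.env`, and the job would fail on any finding.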