
This was used to steal bitcoin cash tips on Reddit by hijacking password reset emails (https://www.reddit.com/r/bugs/comments/7obxkb/mailgun_securi...)

I find it amusing they still have a "trusted by Reddit" blurb on their homepage after this!



I don't believe this would even be an issue if they offered the option to not log sensitive data. I had requested that they provide something like this and someone quite senior reached out to me. He was very polite and professional. He explained that they had to keep this data for operational and compliance reasons and that all email providers are required to. However, that didn't resolve my security concern.

We ended up going with Mandrill which does offer the option to not log sensitive data ^1. Whether they log it somewhere else for the compliance reasons that Mailgun mentioned isn't stated anywhere in their docs or privacy policy, but it doesn't seem to be accessible from anything I could find. You should never log or allow others to log password reset urls or other sensitive details.

1: See documentation here: https://mandrillapp.com/api/docs/messages.JSON.html#method-s... and search view_content_link


This needs to be the #1 comment in the thread. If you use a transactional mailer, make sure you are not archiving emails with security-sensitive content.

That includes resets, username reminders, signin notifications, etc.

Also secure access to your transactional mailer account with 2FA and restrict access to those who need to be there (i.e. not your entire support team).
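One way to make a reset link that survives being stored by a third party, as an added example (not code from the thread, from Reddit, Mailgun or Mandrill; the class, function and URL names are hypothetical): the server keeps only a digest of the emailed token, and finishing the reset also needs a cookie set on the browser that started it, something a mailer's stored copy of the message body never contains. A redaction helper shows what your own application log should keep about an outgoing reset mail.

```python
"""Reset-token handling that limits the damage of a leaked reset email.

Added example; not Reddit's, Mailgun's or Mandrill's code. Names are hypothetical.
"""
import hashlib
import hmac
import re
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60
RESET_URL = "https://example.test/reset?token="  # hypothetical endpoint


def _digest(value: str) -> str:
    # Store digests, not raw secrets; a leaked table or log then yields nothing usable.
    return hashlib.sha256(value.encode()).hexdigest()


class ResetStore:
    """In-memory store: token digest -> (user_id, cookie digest, expiry)."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}

    def start_reset(self, user_id: str):
        """Return (emailed_token, browser_cookie); only their digests are kept."""
        token = secrets.token_urlsafe(32)
        cookie = secrets.token_urlsafe(32)
        self._pending[_digest(token)] = (user_id, _digest(cookie), self._now() + TOKEN_TTL_SECONDS)
        return token, cookie

    def complete_reset(self, token: str, cookie: str):
        """Consume the token; return the user id, or None on any failure.

        The emailed token alone is not enough: the request must also carry the
        cookie set when the reset was started, so a link lifted from a mailer's
        stored message body is useless from another browser.
        """
        key = _digest(token)
        entry = self._pending.get(key)
        if entry is None:
            return None
        user_id, cookie_digest, expiry = entry
        if self._now() > expiry:
            del self._pending[key]
            return None
        if not hmac.compare_digest(cookie_digest, _digest(cookie or "")):
            # Wrong browser. Leave the token so the real user can still finish,
            # but this is the event worth alerting on.
            return None
        del self._pending[key]  # single use
        return user_id


def build_reset_email(user_email: str, token: str) -> str:
    return f"To: {user_email}\n\nReset your password: {RESET_URL}{token}\n"


_TOKEN_IN_URL = re.compile(r"(reset\?token=)[A-Za-z0-9_\-]+")


def redact_for_log(body: str) -> str:
    """What your own application log should store about an outgoing reset mail."""
    return _TOKEN_IN_URL.sub(r"\1[redacted]", body)
```

The cookie binding means the reset has to be finished in the browser that asked for it; if your users need to request on one device and finish on another, keep the digest-at-rest and the redaction and require a second factor at completion instead. None of this stops the mail vendor from storing the body on its side, which is what a setting like Mandrill's view_content_link is for.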


More and more "compliance" is an IT industry excuse for "because we want to."


Honest question, why would you "want to" adhere to compliance? It's almost always more work and more cost, I think.


The cost of paying fines for non-compliance would be more.


Exactly, that's very different from "because we want to," it's, "because there's a very big stick over our heads if we don't."

I just thought the attitude/assertion was in discord with my own experience/understanding.


Can you explain this a bit more, please? I am confused. How does ‘view_content_link’ cause a security problem?


It's the opposite. That is a link to the section of the Mandrill docs, not the Mailgun docs. The view_content_link option fixes the security problem. (In theory, anyway).


Right. I understand that having that option lets you mitigate some problem. Can anyone expand on what this option does and how it mitigates the problem? Did I miss something from the blog post?


Sure -- AFAIK the problem was that Mailchimp was hacked, and the hacker was able to see and intercept the password reset links being sent to the customer by looking at Mailchimp log data. This option indicates that links should not be stored in log data, so even if an attacker has compromised your Mandrill account, they should be unable to see the exact reset links that are being sent.

edit: worth noting that there are obviously other ways a hacked Mandrill/Mailchimp account could be abused. This just shuts down one of the major abuses you could perform.


Mailgun, not Mailchimp.

Those are two entirely separate companies (unlike Mandrill and Mailchimp, which are the same company).


Thanks. I did indeed miss critical parts of the post. I will review again.


On 12/31, Reddit received several reports regarding password reset emails that were initiated and completed without the account owners’ requests.

We have been working to investigate the issue and coordinating with Mailgun, a third-party vendor we’ve been using to send some of our account emails including password reset emails. A malicious actor targeted Mailgun and gained access to Reddit’s password reset emails. The nature of the exploit meant that an unauthorized person was able to access the contents of the reset email. This individual did not have access to either Reddit’s systems or to a redditor’s email account.

As an immediate precautionary measure, we moved reset emails to an in-house mail server soon after we determined reset links were indeed being clicked without access to the user's email, and before Mailgun had confirmed to us that they were vulnerable. We know this is frustrating as a user, and we have put additional controls in place to help make sure it doesn’t happen again.

We are continuing to work with Mailgun to make sure we have identified all impacted accounts. At this time, the overall number of confirmed impacted users is less than twenty. For those affected, we have resolved the issue and assisted in account recovery.

Additional information about Mailgun’s security incident can be found on its blog here. We’re committed to keeping your Reddit account safe and will continue to monitor this situation carefully. u/sodypop, u/KeyserSosa, and I will be sitting around in the comments for any general questions.


Carefully filed in an almost unread subreddit rather than in /r/announcements where it would be seen by everyone.


This is a new class of attack. Instead of spear-phishing, it's spear-hacking.

It looks like the target was "bitcoin-ish tipped into /u/someredditor" and the hack/vuln was "intercept mail password resets in order to auth account in order to snatch crypto-currency"

ie: most people's reddit accounts (IMHO) are on the "not that important" end of the scale of password protection. (Personal Email/Financial => Work => Medium Security [facebook, amazon, etc] => Low Security [discussion forums])

It's another way of saying that I would expect phpBB or reddit or pinterest to have lower password/server security than my gmail or bank websites.

However, because reddit is relatively high profile, and there was mixing of "cash and reddit", all of a sudden not just reddit was the target of a hacking attack, but also reddit's 3rd party service providers.

I can choose to use reddit or not, but I can't choose that reddit uses or doesn't use some other random service provider that may or may not be vulnerable.


"I can choose to use reddit or not, but I can't choose that reddit uses or doesn't use some other random service provider that may or may not be vulnerable." Which is similar to the same problem we all face of 'I can choose to work for company x' but I can't choose that they farm out background checks, HR, payroll, benefits etc. to random companies that may or may not be secure.


Never would have occurred to me that this could be used to intercept password reset emails. Very scary.


At least it leaves a trail...

Many services state in the password reset emails that "if this was not initiated by you, ignore it", but it really should be the exact opposite - click the link below to report it!
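The trail the comment refers to can be checked mechanically. As an added example (not from the thread or from Reddit; the log format, event names and addresses are constructed for illustration), this flags a reset completion that has no matching request or that comes from an address the account has never logged in from, which is what a reset driven from an intercepted link tends to look like:

```python
"""Flag password resets completed from a client the account has never used.

Added example; the log format, event names and sample lines are constructed.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: alice resets from her usual address, bob's reset is
# requested and completed from an address with no login history, carol's
# reset is completed with no request at all.
SAMPLE_LOG = """\
2017-12-30T10:00:00Z login user=alice ip=203.0.113.10
2017-12-30T11:00:00Z login user=bob ip=198.51.100.7
2017-12-31T02:10:00Z reset_requested user=alice ip=203.0.113.10
2017-12-31T02:12:00Z reset_completed user=alice ip=203.0.113.10
2017-12-31T03:00:00Z reset_requested user=bob ip=192.0.2.55
2017-12-31T03:01:30Z reset_completed user=bob ip=192.0.2.55
2017-12-31T04:00:00Z reset_completed user=carol ip=192.0.2.55
"""


def parse_log(text: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_suspicious_resets(events):
    """Return (user, timestamp, reasons) for each reset completion that is
    either unmatched by a request or done from an IP with no prior login."""
    seen_ips = defaultdict(set)
    pending = {}
    alerts = []
    for e in events:
        if e["event"] == "login":
            seen_ips[e["user"]].add(e["ip"])
        elif e["event"] == "reset_requested":
            pending[e["user"]] = e
        elif e["event"] == "reset_completed":
            req = pending.pop(e["user"], None)
            reasons = []
            if req is None:
                reasons.append("no matching reset request")
            if e["ip"] not in seen_ips[e["user"]]:
                reasons.append("completed from IP with no prior login")
            if reasons:
                alerts.append((e["user"], e["ts"], reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in find_suspicious_resets(parse_log(SAMPLE_LOG)):
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

Because the attacker both requests and completes the reset, the request and completion addresses match each other; the useful comparison is against the account's own login history, not between the two reset events.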


My guess is they don't do this because somebody decided it would confuse users to have more than one link.


And it also goes against the standard advice of never clicking on anything in an email.


I've always been impressed that Gandi (domain registrar) let you disable password resets by email in your account preferences.



