
MukDaGr8

Leaked .env file?

I'm trying to hunt down a possible leak of my .env file. Someone gained access to my SendGrid API key and of course went full ham. Hopefully not too much damage is done. I revoked the key so they can't continue spamming and changed all my other keys (DB etc.).

My concern is if and how they gained access to the .env file. My production environment is on an EC2 box which only I have access to via SSH with a private key, locked down to my IP. HTTP & HTTPS are open to the public.

The .env file is set to APP_debug=false so nothing should have been printed out when an exception was thrown.

Checking the mail logs, an email was sent 5 days ago with a subject line containing the email settings (Host, Port, apikey, and my company email address), along with some other emails with a subject line of "SMTP test" before going crazy (10000 mails) requesting the verification of a BDO bank account. From what I can determine the attack was aimed at the Philippines as BDO is a local bank to the Philippines.

The .env file is in the root folder of Laravel and as I understand this should not be accessible to the public as it is only the public folder that can be accessed.

The bizarre part is I have 2 keys in the env, yet it was only the one that was abused.

My DB is locked down on access to specific IPs so nothing has been accessed there. My S3 bucket also hasn't had any unusual connections.

I am worried because, for the life of me, I cannot determine if the env file leaked, my server was hacked, I left the key lying around (unlikely) or Sendgrid leaked something.

Reading around, SendGrid doesn't seem to have a great reputation, and following this I am looking into alternatives for mail sending.

0 likes
10 replies
martinbean

@mukdagr8 It sounds like you have a vulnerability somewhere if they’ve managed to send themselves an email with environment variables/configuration values.

So look at what portions of your application actually send mail (specifically portions that let users send emails to an email address of their choice), and what validation (if any) you have to let them craft emails with values from configuration values.

Snapey

You correctly understand that anything outside of the public folder should not be accessible, but is your server set up to follow that principle? The key thing being that your document root points to the public folder.

Snapey

The other concern would be a compromise of another site in your account or some misconfiguration of your hosting provider.

Also make sure that your code repository does not contain any keys.

MukDaGr8

Thanks @martinbean

The email logs I am referring to are in SendGrid itself. Reviewing the email with the API key as the subject, it was sent from an IP I don't recognise, so this leads me to believe they already had the key at this point and were sending it to other spammers.

My email logs on the server don't have anything logged that was sent.

I have a Contact Us form on the site. There is validation to check email address, contact number and then a required text field. Is it possible they were able to inject malicious code to display the env variables into the text field?

```php
$validator = Validator::make($request->all(), [
    'name'                 => 'required|max:255',
    'email'                => 'required|email|max:255',
    'phone'                => 'required|max:20',
    'message'              => 'required',
    'g-recaptcha-response' => 'required|recaptchav3:email_us,0.5',
]);
```

@snapey

I have set Apache to point the document root to the public folder of my Laravel installation. (/var/www/html/public)

My code repository does not contain any .env variables to ensure I have to create the env for production with the production values.

I set up the Ubuntu server through AWS and installed Apache, PHP, beanstalkd and supervisor. I don't have any files or folders set to 777. Only 755 for storage.

Sendgrid sadly has now suspended my account (not surprised) and requires a full analysis of how the key was leaked.

Snapey

Check if you echo unfiltered data anywhere in your app by searching for `{!!`.

MukDaGr8

Thanks @snapey

I found I pushed an update on Thursday for my 404 page. I do echo out using {!! !!} for pagination links, the CSRF field and the reCAPTCHA field. I have checked and there isn't any data submitted by users that is echoed out like this. Would the 404 returning the exception like this be prone to injection and allow the message bag to display .env variables? I wouldn't even know how to test this.

```blade
@if($exception->getMessage() !== "")
    <p class="text-center">{!! $exception->getMessage() !!}</p>
@else
    <p class="text-center">Yup. Mark lost the page.</p>
@endif
```
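An added example (editor's code, not from the thread or from Laravel itself) covering both Snapey's suggestion to search the views for `{!!` and the question above about the 404 view. Blade's `{{ }}` compiles to the `e()` helper, which is `htmlspecialchars` with `ENT_QUOTES | ENT_SUBSTITUTE` and UTF-8, while `{!! !!}` prints the value verbatim; and Laravel's router builds its "route could not be found" message from the requested path, so an exception message rendered raw can carry request-supplied markup into the page. The sample message and the temporary views tree below are constructed for the demo. Escaping the message closes that reflection; it does not by itself tell you how the key left the server.

```php
<?php
// Added example: Blade raw-echo audit and the escaped alternative for the
// 404 view. Not part of the thread's own code.
declare(strict_types=1);

// Same call Laravel's e() helper makes; this is what {{ $x }} compiles to.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', true);
}

// Render the 404 paragraph both ways: $raw=true mirrors {!! !!}, false mirrors {{ }}.
function renderNotFoundParagraph(string $message, bool $raw): string
{
    $body = $raw ? $message : escapeForHtml($message);
    return '<p class="text-center">' . $body . '</p>';
}

// Walk a views directory and report every line of a .blade.php file that
// contains a raw echo, as "file:line: content". Review each hit for whether
// the echoed value can ever be derived from request data.
function findRawEchoes(string $dir): array
{
    $hits = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!str_ends_with($file->getFilename(), '.blade.php')) {
            continue;
        }
        foreach (file($file->getPathname()) as $index => $line) {
            if (str_contains($line, '{!!')) {
                $hits[] = sprintf('%s:%d: %s', $file->getPathname(), $index + 1, trim($line));
            }
        }
    }
    return $hits;
}

// --- Demo with constructed data ------------------------------------------

// Constructed exception message containing markup, shaped like the router's
// "route not found" text with a request path in it.
$message = 'The route <b>not-a-real-path</b> could not be found.';
echo renderNotFoundParagraph($message, true), PHP_EOL;   // markup reaches the page
echo renderNotFoundParagraph($message, false), PHP_EOL;  // markup rendered inert

// Constructed views tree in a temporary directory: one raw echo, one escaped.
$views = sys_get_temp_dir() . '/views-demo-' . bin2hex(random_bytes(4));
mkdir($views . '/errors', 0700, true);
file_put_contents(
    $views . '/errors/404.blade.php',
    "@if(\$exception->getMessage() !== \"\")\n"
    . "    <p class=\"text-center\">{!! \$exception->getMessage() !!}</p>\n"
    . "@endif\n"
);
file_put_contents($views . '/contact.blade.php', "<p>{{ \$message }}</p>\n");

foreach (findRawEchoes($views) as $hit) {
    echo $hit, PHP_EOL;   // only errors/404.blade.php line 2 is reported
}

// Clean up the constructed tree.
unlink($views . '/errors/404.blade.php');
unlink($views . '/contact.blade.php');
rmdir($views . '/errors');
rmdir($views);
```

Run it with `php audit.php` from any directory; point `findRawEchoes()` at `resources/views` of a real project to list the raw-echo sites to review. Pagination links and the CSRF and reCAPTCHA fields are framework-generated markup and are expected hits; anything whose value can originate from a request, including an exception message, is the kind to switch to `{{ }}`.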
JussiMannisto

Does the app handle file uploads? It's a possible surface for remote code execution if done incorrectly.

What Laravel version are you using?

MukDaGr8

@jussimannisto

I only upload images, which is done on the backend by myself. No front-facing file upload forms are available to users.

Laravel 10

patorgan1

@mukdagr8 How are you sure your application is the source of the leaked key? Perhaps you have some other vulnerable or misconfigured software running. If you'd like some help looking at your application and server setup, feel free to ping me; contact info is on my GitHub profile.

1 like
MukDaGr8

@patorgan1 At this point it could be a possibility that something is misconfigured on the server.

A family friend is an ethical hacker so I have asked for their assistance, but should that not work out I will take you up on your offer. Thank you.

I truly appreciate everyone's advice so far.
