Possible SMTP Credentials Leak
Hello everyone,
Recently, I had two serious incidents where our SMTP credentials were used to send unauthorized emails. Even after rotating the credentials and reinforcing security measures, the issue happened again.
Current setup:
- Stack: PHP 8.3, Laravel Framework 11.44, Livewire 3.6.4, FilamentPHP 3.3.36
- Server: AWS Elastic Beanstalk (Linux + Nginx), application pointing to `/public`
- **Security measures:**
- No `.env` file present on the server or in the repository
- Credentials configured directly in the EB environment
- Private GitHub repository, no credentials stored
- No dumps (`dump()`, `var_dump()`, etc.) or debug bar in production
- Access logs reviewed, no explicit credential exposure found
- Carefully reviewed Nginx access logs — found attempts to access `.env` and other common attack vectors (WordPress, Drupal, CodeIgniter, etc.), all returning 404.
- Removed any dependencies or configurations that could expose sensitive variables.
Even with these precautions, someone recently managed to use new credentials. This suggests there is still some leak point or vulnerability that we haven’t identified yet.
My questions:
- Are there any known attack vectors in Laravel + Filament + Livewire that could expose environment variables, even without a `.env` file and with a properly configured server?
- Could any third-party extension/package (Laravel, Filament, or Livewire) inadvertently expose sensitive variables under certain conditions?
- Any extra precautions you recommend for this stack beyond the measures already taken?
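
The access-log review described in the post can be automated so that the "all returning 404" observation is checked rather than eyeballed. The following is an added example, not part of the original post: it assumes Nginx's default `combined` log format, and the watch-list pattern and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Nginx "combined" format: ip - user [time] "METHOD path PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed watch list: .env variants plus paths typical of the generic
# framework probes the post mentions. Extend it for your own application.
SENSITIVE_RE = re.compile(
    r'(^|/)\.env(\.|/|\?|$)|(^|/)\.git/|wp-login\.php|wp-config|phpinfo|/storage/logs/',
    re.IGNORECASE,
)

def audit(lines):
    """Return (probes_per_ip, hits); hits are sensitive-path requests NOT answered 404."""
    probes, hits = Counter(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line, skip it
        if not SENSITIVE_RE.search(m["path"]):
            continue
        probes[m["ip"]] += 1
        status = int(m["status"])
        if status != 404:
            # A 200/206/301/403 on these paths deserves a manual look:
            # something exists at, or is routed from, that location.
            hits.append((m["ip"], m["time"], m["path"], status, m["size"]))
    return probes, hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = '''\
203.0.113.7 - - [10/Oct/2025:13:55:36 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2025:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2025:14:02:11 +0000] "GET /.env.backup HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2025:14:05:00 +0000] "GET /login HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
'''

if __name__ == "__main__":
    probes, hits = audit(SAMPLE.splitlines())
    print("probes per source:", dict(probes))
    for ip, when, path, status, size in hits:
        print(f"REVIEW {ip} [{when}] {path} -> {status} ({size} bytes)")
```

This only matches literal paths; percent-encoded variants of the same paths would need decoding before the match.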