More lessons on security

A couple of additional take-aways from that "$4000 billing nightmare" I mentioned on Wednesday:

  1. Sloppy homegrown backups have a way of leaving sensitive files lying around where bad actors can get their hands on them. I see it more often than you might expect.

  2. Direct leakage of your website passwords or constituent data is not the only way your organization can be harmed by a lapse in security.

  3. You don't have to be a big organization or a “major target” to be the victim of this kind of automated attack. These criminals operate at scale and often just go about scanning any site they find.
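One check that follows from the first take-away, added here as an example and not part of the original post: a small Python script that walks a web document root and flags files whose names look like homegrown backups or dumps. The name patterns and the sample files it scans are constructed for illustration; extend the patterns to match your own hosting conventions.

```python
import re
import tempfile
from pathlib import Path

# Filename patterns that usually mark a homegrown backup, dump or config copy.
# Constructed list for this example; tune it for your own environment.
BACKUP_PATTERNS = [
    r"\.(bak|old|orig|backup|swp)$",          # editor/admin copies
    r"\.(sql|sql\.gz|dump)$",                  # database dumps
    r"\.(zip|tar|tgz|tar\.gz|7z)$",            # archived site copies
    r"(^|[._-])(backup|dump)([._-]|$)",        # 'backup'/'dump' in the name
    r"^\.env(\.|$)",                           # environment/secrets files
]
_BACKUP_RE = re.compile("|".join(BACKUP_PATTERNS), re.IGNORECASE)


def looks_like_backup(name: str) -> bool:
    """True if a bare filename matches one of the backup-like patterns."""
    return bool(_BACKUP_RE.search(name))


def find_exposed_backups(docroot) -> list:
    """Return sorted paths (relative to docroot) of backup-looking files.

    Anything under the document root is potentially fetchable by anyone
    who guesses or scans for the name, so every hit deserves a look.
    """
    root = Path(docroot)
    hits = [
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and looks_like_backup(p.name)
    ]
    return sorted(hits)


def demo() -> list:
    """Build a constructed document root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        for rel in ["index.php", "style.css", "db_backup.sql",
                    "uploads/site-2023.tar.gz", "wp-config.php.bak", ".env"]:
            (root / rel).write_text("constructed sample\n")
        return find_exposed_backups(root)


if __name__ == "__main__":
    for hit in demo():
        print("exposed backup candidate:", hit)
```

Run it against the real document root on a schedule and alert on any new hit; a legitimate backup belongs outside the web root entirely.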

And on the bright side:

  1. There are additional layers of security available to you. SendGrid, for example, allows you to lock down your account so it's only accessible from one or a few IP addresses. That kind of protection would have stopped this attack in its tracks.

  2. It's always worth trying to negotiate a surprise bill like this one. Some providers do hire human beings with common sense, and empower them to operate with a margin of grace for the occasional slip. Kudos to this provider (SendGrid) for helping my client resolve the problem without budget-breaking damage.

All the best,
A.
