EasyPost works hard to ensure accounts are secure, but ultimately, security is a shared responsibility. Here are several measures that will provide added security against unauthorized access.
Secure Your Email Account
An email account is essential for using EasyPost and is used to send important alerts and communicate with our support staff. Take steps to keep it secure.
- Visit ';--have i been pwned? to see if an email address has ever been compromised in a third-party data breach. If so, change all passwords connected to that email address (see below).
- For accounts that could have been compromised, please take steps immediately to secure the account from unauthorized use.
- Google Support: How to secure a hacked or compromised Gmail account
- Microsoft Support: My Outlook.com account has been hacked
- Conduct periodic security reviews to identify any unusual filters, forwarding addresses, or unauthorized recovery contact information associated with relevant email accounts.
Use a Strong, Unique Password
Passwords are the first line of defense against unauthorized access, and choosing a strong one is among the easiest steps to secure an account.
- Select a password that is long, random, and unique to EasyPost. Never use the same password across multiple accounts or services.
- Use a password manager such as 1Password or Dashlane to generate, store, and manage unique passwords for all online accounts.
- Another option is to use a passphrase (a sentence or group of four or more words). Choose a random set of words rather than a famous quote or phrase, as online hackers have sophisticated databases to guess these passphrases.
- Never disclose a password to anyone. EasyPost employees will never ask for your passwords.
Use Multi-factor Authentication
Multi-Factor Authentication (MFA), which is also commonly called Two-Factor Authentication, adds an additional layer of security to your account. In addition to your password, you will need to provide a second form of verification to log in successfully—typically a temporary code sent via email or SMS.
This additional step makes it much harder for unauthorized users to gain access to your account, even if your username and password are compromised.
To enable MFA on your account, follow the steps in this article: Multi-Factor Authentication
Do not share MFA codes outside of the regular EasyPost login flow. Support staff will not ask you for verification codes.
Secure Your API Key
API Keys should be treated with the same level of security as passwords and kept confidential. They allow full account access, and any unnecessary exposure should be avoided. A compromised key can be immediately disabled by visiting the API Keys page on the EasyPost Dashboard.
- When staff members or vendors leave an organization, consider rotating any API keys that could have been accessed by them.
- Do not include any API keys in client applications that are distributed outside your organization (such as apps or SDKs).
- Do not log API keys directly and avoid including keys in debug files or error messages.
- EasyPost Support will never ask you to share keys directly.
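One way to enforce the "do not log API keys" rule in a Python service is a logging filter that masks the key before any handler writes it. This is an added example, not EasyPost code: the `SecretRedactor` class, the `demo` helper, and the sample key are constructed for illustration, and the Base64 variant assumes the key may show up as an HTTP Basic credential in dumped request headers.

```python
import base64
import io
import logging

class SecretRedactor(logging.Filter):
    """Mask known secret values in log records before a handler emits them."""
    def __init__(self, secrets, mask="[REDACTED]"):
        super().__init__()
        self.mask = mask
        variants = set()
        for s in secrets:
            if not s:
                continue  # an unset key must not turn into an empty pattern
            variants.add(s)
            # Assumption: dumped headers may carry the key as "key:" in Base64.
            variants.add(base64.b64encode(f"{s}:".encode()).decode())
        self.variants = sorted(variants, key=len, reverse=True)

    def scrub(self, text):
        for v in self.variants:
            text = text.replace(v, self.mask)
        return text

    def filter(self, record):
        # Render msg % args first so keys passed as arguments are caught too.
        record.msg, record.args = self.scrub(record.getMessage()), None
        if record.exc_info:
            # Pre-render the traceback so exception messages are scrubbed.
            text = logging.Formatter().formatException(record.exc_info)
            record.exc_text, record.exc_info = self.scrub(text), None
        return True

def demo(key="CONSTRUCTED-SAMPLE-KEY-0001"):
    """Log a constructed key three ways and return what reached the handler."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(SecretRedactor([key]))
    log = logging.getLogger("redaction-demo")
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.DEBUG)
    log.debug("using key %s", key)
    basic = base64.b64encode(f"{key}:".encode()).decode()
    log.debug("Authorization: Basic %s", basic)
    try:
        raise RuntimeError(f"request failed for key={key}")
    except RuntimeError:
        log.exception("shipment call failed")
    return buf.getvalue()
```

Attach the filter to every handler (file, console, remote) rather than to a single logger, since filters on a logger do not apply to records propagated from child loggers.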
Learn How to Identify Scams
"Phishing" and "Smishing" scams are typical ways scammers will target accounts to gain access to sensitive information, such as credit card or bank account numbers.
- A scammer may call, email, text, or send a personalized message on social media and pretend to be an EasyPost representative or a trusted contact or partner.
- If any inbound messages look suspicious, do not respond or open any hyperlinks. Check the email headers and SSL certificate if possible.
- The best way to protect against these scams is to take the measures above and report suspicious activity.
- If an account is believed to be compromised, change the password immediately.
Keep Secrets Close
Trade secrets should stay private.
- Do not commit secrets to a GitHub Repository or share them outside of your organization.
- Do not share account information in online forums.
- Do not share secrets with AI chatbots.
If an employee pushes sensitive information to any public online spaces, please treat the contents as public information and revoke the key after replacing it.
Be Smart About Third-Party Integrations
EasyPost and other companies often update their software with security improvements.
- Be sure to conduct research when allowing any third-party applications to access an account.
- Once integrated, keep these third-party integrations and hosting providers up to date and safely store their credentials to take advantage of the most current security practices.
- Immediately deactivate any API keys associated with third-party applications that are no longer in active use.
Please contact support with any questions about EasyPost account security best practices.