[richrichardsson]

I tested that hypothesis by shutting down my server and unplugging my router, therefore nothing under my control (except for a phone) was connected to the internet, but the symptoms still persisted, and still waiting on an answer from Brevo about how these API keys were being created, but it was still happening even during that test period.

In the end it was my stupidity though that was the problem:

I had moved servers recently, the new server I was on was not respecting the .htaccess file within a .git directory to deny all requests. This must have exposed my API key for Brevo.

Lessons learned:

* don't assume security measures you assumed still worked actually do - test them!

* don't hard code important keys into code, use environment variables!