If you are on Ghost < 6.19.1, you REALLY need to update

I’m just replying to this thread to bump it, as I just had Mailgun yesterday disable ALL my sending privileges and deactivate my account due to an exploitation of this bug.

I’m good at keeping my production sites up to date, but a lingering staging site for a client was still hanging around on an old version. The key from that install was used to create rogue SMTP sending accounts on Mailgun, on a different domain on my account (as Ghost uses an admin API key).

Mailgun were very helpful in resolving it and I’m not mad at them – it was mostly a day of rolling a LOT of API keys throughout my account that I could have done without – but I thought I’d share that this happened to continue to encourage people to get updated and know that this bug is very real.