I developed a tool called shhgit.com that watches code commits across GitHub, Gitlab and Bitbucket in real time. In a ~24 hour period you will find 100s of valid SendGrid credentials/API keys so this does not surprise me. They really need to enforce 2FA and IP whitelisting for API key use.