Reportedly, the breach was carried out by a group that goes by the name of “NoName(NN)”. The group has claimed that the actual breach took place back in 2018, posting the following text on their website:
“We breached Email.it Datacenter more than 2 years ago and we planted ourselves like an APT. We took any possible sensitive data from their server and after we chose to give them a chance to patch their holes asking for a little bounty. They refused to talk with us and continued to trick their users/customers. They didn’t contact their users/customers after breaches!”
The “little bounty” in the message refers to a request for a certain sum of money that the email provider refused to pay. Instead, the provider got the Italian Postal Police (CNAIPIC) involved, and the hackers put its data up on the dark web in retribution.
The data is currently being offered for sale in different categories, with prices ranging from 0.5 Bitcoins ($3700) to 3 Bitcoins ($22200), as shown in the photo below.
Detailing the nature of the hack, they posted a tweet as well:
As seen from the tweet, the hacker managed to access 44 databases in the process, the names of which have also been revealed in the screenshot:
These, they claim, contain email addresses of users, their passwords, security questions, SMS messages and the specific directories in which they were stored, giving information on the layout of the databases.
Furthermore, the text messages of emails sent can also be seen, with the sender information visible along with the timestamp.
But this is not all. As evident from the photo below, beyond emails, details of other web applications hosted by Email.it were also leaked, including their source code.
As for Email.it’s response, ZDNET has reported that, in a statement to it, the provider clarified that no financial information was leaked, nor was the data of paid business accounts, as these are stored on separate servers. Additionally, the server has also been patched.
To conclude, this raises some serious questions about the credibility of Email.it itself. To start with, they were supposed to report such a breach in line with the European General Data Protection Regulation (GDPR), which they failed to do.
Secondly, storing sensitive credentials in plain text is frankly a rookie mistake, not one that an email provider at this scale should be making.
In the near future, we would expect them to issue an honest apology to all customers and work towards improving their security mechanisms, both in terms of encryption and access control for their servers.
It wouldn’t be surprising though if masses of customers decided to not continue with their service, especially with a ton of other more secure options available in the market.