Over 600,000 users of Italian email provider Email.it’s free services have just received some very bad news. Not only has pretty much every piece of information they’ve ever entered into the platform been exposed to hackers, but this may have been going on since January 2018.
Hackers offering Email.it data for sale on the dark web claim not only to have access to the full contents of all of these accounts, but also that the service has been storing user passwords in plaintext for over two years.
The Italian email provider’s massive data breach
According to the hacking group that compromised Email.it, this breach affects every user who signed up for one of the service’s free accounts. Customers of the company’s paid “professional” tier of email services do not appear to have been breached.
NN Hacking Group, a very public criminal group that maintains a Twitter account, claimed in an interview with Security Affairs that they initially breached the email provider in January of 2018 and shared a series of screenshots that appear to support that claim. The group claims that it acted like an advanced persistent threat (APT) group, using an escalating chain of vulnerabilities to quietly plant itself in Email.it’s servers and exfiltrate data over a long period of time.
The group claims to have hacked a number of email services, and states that their usual MO is to blackmail their targets into paying them a “bug bounty” to keep quiet about the incident. NN Hacking Group claims that Email.it refused to pay them. The hacking group characterizes Email.it as “the worst” of their targets in terms of security.
A trove of data for sale
NN Hacking Group appears to have captured just about every scrap of information associated with these free email accounts, and also stole the source code of Email.it’s web applications. All of this information was included in the data for sale on the dark web.
The group listed the contents of all emails as being available, along with any attachments. Any SMS or fax sent through the service appears to have been exposed as well. In addition, the group appears to have captured 44 databases which contained usernames and passwords for these email accounts in plaintext.
The group offered the full package of information on a dark web forum for three bitcoins (currently about $20,200). Prospective customers could buy smaller sets of information for lower prices, with the most inexpensive option being a sorted database of usernames with passwords and private information for half a bitcoin (about $3,300).
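The plaintext credential databases are the most damaging item in that listing, because a plaintext record is usable the moment it is copied, while a properly hashed record still has to be cracked one guess at a time. The following is an added illustration, not code from Email.it or from the original article; the usernames and passwords in it are constructed sample data, and the record format (`algorithm$iterations$salt$key`) is an assumption chosen here for readability.

```python
"""Plaintext versus salted, iterated hashing of stored passwords.

Added illustration for this article; not Email.it's code and not from the
original page. All credentials below are constructed sample data.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample of what a leaked plaintext credential table exposes:
# every password is directly usable, and reused passwords are obvious.
PLAINTEXT_STORE: Dict[str, str] = {
    "alice@example.invalid": "correct horse battery staple",
    "bob@example.invalid": "hunter2",
    "carol@example.invalid": "hunter2",  # same password as bob, visible at a glance
}

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$key_hex.

    The per-user random salt means two users with the same password get
    different records, so a leaked table cannot be cracked in bulk with one
    precomputed lookup.
    """
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=32)
    return f"{ALGO}${iterations}${salt.hex()}${key.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Recompute the key from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, key_hex = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported record type: {algo}")
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def build_hashed_store(plaintext_store: Dict[str, str]) -> Dict[str, str]:
    """What the credential table should have contained instead of plaintext."""
    return {user: hash_password(pw) for user, pw in plaintext_store.items()}


def guess_from_leak(record: str, wordlist: List[str]) -> Optional[str]:
    """An attacker holding a leaked hashed record must pay the full iteration
    cost for every candidate; a leaked plaintext record costs nothing."""
    for candidate in wordlist:
        if verify_password(record, candidate):
            return candidate
    return None


if __name__ == "__main__":
    hashed = build_hashed_store(PLAINTEXT_STORE)
    for user, record in hashed.items():
        print(user, record[:40] + "...")
    print("bob/carol records identical:",
          hashed["bob@example.invalid"] == hashed["carol@example.invalid"])
    print("guess for bob:",
          guess_from_leak(hashed["bob@example.invalid"], ["password", "hunter2"]))
```

The record carries its own algorithm name and iteration count, so the verifier can detect old records and re-hash them on the user's next successful login when the cost parameter is raised. Nothing here removes the need to notify users after a breach, but it changes what a stolen table is worth.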
Should this breach have been reported?
If NN Hacking Group is to be believed, Email.it had been notified about these issues since the start of 2020 and had repeatedly refused to respond. The hackers claim that they only made the data for sale available to the public after repeated attempts to get Email.it to pay up.
While the email provider is not obligated to respond to hackers, it is reasonable to expect that the company could privately verify a breach of this scale. If Email.it was aware of the breach and did not notify its customers or supervisory authorities, the company could be facing some very heavy fines. The GDPR requires that a personal data breach be reported to the competent data protection authority within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and that affected individuals be told directly where the risk to them is high. Separately, the GDPR requires security measures appropriate to the risk, and there is precedent from data protection authorities treating plaintext password storage as a failure to meet that requirement. The breach is serious enough that it could qualify for the “upper level” of GDPR fines, which carry a maximum of €20 million or 4% of worldwide annual turnover for the prior financial year, whichever is higher.
Email.it has confirmed the breach and stated that they have since secured it, but the horse is already out of the barn for anyone who has made use of their free email service. The email provider has stated that paid accounts and payment information are stored on a separate server that was not compromised; this information should not be included in the data for sale.
The full fallout of the Email.it breach
Thus far the public has only heard the side of the criminals who broke into the email provider and put up data for sale, but all available information paints a picture of a company that did not care at all about the security of the “free” service that it was offering to get prospects through the door. Unfortunately for Email.it, the price the customer paid for the service has no bearing on the potential fines and legal action that regulations allow. It’s all about how much information was exposed among the data for sale and how it impacts the rights and freedoms of the data subjects.
While Email.it claims that customer payment information was not exposed, that does not mean that impacted customers are safe from fraud as CSO and VP James Carder of LogRhythm Labs points out: “Email.it’s claim that no financial information was stored on the hacked server isn’t completely accurate. It’s likely that some of their customers shared sensitive data in the body of an email or in attachments. This very well could have included financial details, like bank statements and social security numbers, or even copies of driver’s licenses, pictures of their families, or other personal documents and information that could be exploited. Therefore, the attackers gained unfettered access to this information, bypassing any security and encryption controls in use – assuming there were some.”
While it is poor security hygiene to send sensitive materials such as these via email, their presence does not in any way reduce an email provider’s obligation to protect its servers and respond to evidence of a potential breach. Carder continues: “Since becoming aware of the breach, the company was given ample time and opportunity to rectify it, such as through patching and remedying the exploited vector(s) the attackers were using. They could have rebuilt systems and infrastructure. They could have hired forensics and incident experts to identify the issues and remediate. Instead, they chose to notify authorities and then do nothing else.”
Email.it claims that the Italian postal authorities were notified of the stolen data at some point in February. Reporting the theft to the police is an appropriate step, but a criminal complaint does not discharge the email provider’s breach notification or security responsibilities under the GDPR, which run to the supervisory authority (in Italy, the Garante per la protezione dei dati personali) and, where the risk to individuals is high, to the affected users themselves.