The users' personal data
are now up for grabs on the dark web for anywhere between US$3,500 and
US$22,000 worth of Bitcoin
The personal details of
more than 600,000 Email.it users have been stolen and put up for sale on the
dark web. The incident surfaced on Sunday after the perpetrators took to
Twitter to spread the word about the website that sells the data.
“Unfortunately, we must
confirm that we have suffered a hacker attack,” confirmed the Italian email
provider in a statement to ZDNet,
which broke the story.
The hacker collective that
claimed responsibility goes by the moniker “No Name”, or “NN” for short. The
group said that the breach occurred way back in January 2018. They went on to
claim on their website that they contacted Email.it about loopholes in the
firm’s infrastructure and asked for a “little bounty”, but the Italian email
provider refused to communicate with them.
Another message on their
website stated that they tried to extort the company on February 1st of this
year. An Email.it spokesperson confirmed as much, but the company refused to
play ball and contacted the authorities instead.
According to the hackers’
claims, they now have control of 46 databases that contain plain text
passwords, email content, and email attachments of users who signed up for a
free Email.it account between 2007 and 2020.
The collective additionally
claimed that it was able to access plain text SMS messages that were sent out
using the company’s text sending service, as well as get a hold of the source
code of all of Email.it’s web apps.
On the bright side, no
financial data were stored on the hacked servers, nor were any business
accounts impacted by the breach.
As of now, the affected
servers should be patched and the relevant authorities, including the local
data privacy regulator, have been notified.
The incident may bring
echoes of an unrelated attack at a US-based email provider VFEmail last year,
where the bad actors went even further and wiped
out almost two decades’ worth of data from the firm’s servers.