Italian email service provider Email.it was hacked, and the data of more than 600,000 users is currently being sold on the dark web.
The email provider has confirmed the attack. News of the Email.it hack came to light on Sunday, when the hackers posted on Twitter to promote a dark web site where they were selling the company’s data.
The hackers, known as NN (No Name) Hacking Group, claimed that the actual breach occurred more than two years ago, in January 2018. They took all possible sensitive data from the server and gave the email provider a chance to patch their flaws for a bounty. The company refused to contact the hackers and continued to fool their customers. The company also did not inform its users about the breach.
The hackers posted a message on their site saying that they tried to extort Email.it on February 1, when they asked for “a little bounty.”
According to a spokesperson at Email.it, the company refused to pay and instead notified the Italian Postal Police (CNAIPIC).
After their extortion attempt failed, the hackers have now decided to sell the company’s data for a price that varies between 0.5 and 3 bitcoins ($3,500 and $22,000).
The hackers have 46 databases under their control which they stole from Email.it’s systems. They stated that these databases contain information on users who signed up for a free Email.it email account.
The data contains plaintext passwords, security questions, email content, and email attachments for more than 600,000 users who signed up and used the service between 2007 and 2020.
The hackers also have the plaintext SMS messages sent by users through Email.it’s SMS-sending service. They also exfiltrated the source code of all of Email.it’s web apps, including admin and customer-facing applications.
Email.it, however, did not dispute any of the claims made by the hackers. The company only clarified that no financial information was stored on the hacked server. It also gave assurances that no business accounts were affected.
According to the company, the attack only concerned a server with administrative data. They finally patched the server and notified the required authorities, including the country’s local data privacy regulator.