The private personal information of more than 600,000 Email.it users has been stolen and offered for sale on the dark web.
The breach was first discovered on Sunday, April 5, after the group responsible shared a tweet listing the types of data that were stolen and made available for purchase. The hackers say they now hold 46 databases that include plain text passwords, email content, and email attachments of users who registered for a free Email.it account between 2007 and 2020. The hackers also said they stole the source code of all of Email.it’s web apps, including admin and customer-facing applications.
The hacking group, going by the name NN (No Name) Hacking Group, claims that the first breach occurred in January 2018. The statement, published on their own website, said: “We breached Email.it Datacenter more than 2 years ago and we plant ourself like an APT. We took any possible sensitive data from their server and after we choosen to give them a chance to patch their holes asking for a little bounty. They refused to talk with us and continued to trick their users/customers. They didn’t contacted their users/customers after breaches!”
Email.it published a statement addressing the group's claims and did not refute any of the claims made on the hackers’ website. The only clarification the company made was to confirm that no financial information was held on the hacked server. It stated: “Unfortunately, we must confirm that we have suffered a hacker attack. The attack only concerned a server with administrative data (billing addresses and data for service communications).”
A different message on the hackers’ website claimed that the group initially asked Email.it for a ransom in February of this year. However, Email.it decided not to meet the demands and instead made law enforcement agencies aware of the extortion attempts. An Email.it spokesperson confirmed to ZDNet that the company has made the Italian Postal Police (CNAIPIC) aware of the hacking incident.
NN Hacking Group has now made the data available for purchase via the dark web for between 0.5 and 3 Bitcoin (around $3,500 to $22,000).
This could have serious consequences for Email.it given the implications of the European Union’s General Data Protection Regulation (GDPR). The fines that may be applied under this legislation can be as high as €20m or 4% of annual global turnover for the past financial year.