A data breach that led to the theft of the private personal information of over 600,000 Email.it account holders has resulted in the data being made available for purchase on the dark web.
The company became aware of what had taken place when it was revealed on Twitter on April 5 that the information was available for purchase. It is believed, based on the claims of the hackers, that 46 databases have been breached, containing plain text passwords, email content, and email attachments of users who subscribed for a free Email.it account at some point between 2007 and 2020. The cybercriminals also said they had stolen the source code of all Email.it’s web apps, including administration and customer-facing applications.
The group, known as the NN (No Name) Hacking Group, claims that it first infiltrated the databases in January 2018. In a statement posted on the group’s website, they said: “We breached Email.it Datacenter more than 2 years ago and we plant our self like an APT. We took any possible sensitive data from their server and after we chose to give them a chance to patch their holes asking for a little bounty. They refused to talk with us and continued to trick their users/customers. They didn’t contacted their users/customers after breaches!”
Email.it issued a statement in response to the group’s allegations, in which the company did not dispute any of the claims on the hackers’ website. The only clarification the company made was to emphasise that no financial information was held on the hacked server: “Unfortunately, we must confirm that we have suffered a hacker attack. The attack only concerned a server with administrative data (billing addresses and data for service communications).”
Another message published on the group’s website claimed that the hackers first asked for a ransom from Email.it in February of this year. However, Email.it chose not to pay the fee and instead contacted law enforcement agencies to inform them of the extortion attempts. The company confirmed that the Italian Postal Police (CNAIPIC) are aware of the hacking incident.
The information is now available for purchase on the dark web for a fee of between 0.5 and 3 Bitcoin (around $3,500 to $22,000).
Email.it is facing significant penalties for breaching the European Union’s General Data Protection Regulation (GDPR). The applicable financial penalties can go up to €20m or 4% of annual global turnover for the preceding financial year, whichever figure is higher.