The private personal information of over 600,000 Email.it account holders has been illegally obtained and made available for purchase via the dark web.
The breach was revealed on Sunday, April 5, following tweets posted by the group responsible, which set out the range of data stolen and available for purchase. The hackers claim that they now control 46 databases containing plain text passwords, email content, and email attachments of users who signed up for a free Email.it account between 2007 and 2020. The hackers also said they exfiltrated the source code of all of Email.it’s web apps, including admin and customer-facing applications.
The cybercriminal group, which refers to itself as the NN (No Name) Hacking Group, claims that the initial breach was accomplished in January 2018. The statement, published on the group's own website, claimed: “We breached Email.it Datacenter more than 2 years ago and we planted ourselves like an APT. We took any possible sensitive data from their server and after we chose to give them a chance to patch their holes asking for a little bounty. They refused to talk with us and continued to trick their users/customers. They didn’t contact their users/customers after breaches!”
Email.it issued a statement responding to the group's claims, and the company did not contest any of the claims on the hackers’ website. The only clarification the company made was to point out that no financial information was stored on the hacked server. It said: “Unfortunately, we must confirm that we have suffered a hacker attack. The attack only concerned a server with administrative data (billing addresses and data for service communications).”
A separate message on the hackers’ website claimed that the group initially requested a ransom from Email.it in February of this year. However, Email.it opted not to meet the demands and instead made law enforcement agencies aware of the extortion attempts. An Email.it spokesperson told ZDNet that the company has made the Italian Postal Police (CNAIPIC) aware of the hacking incident.
NN Hacking Group have now made the information available for purchase via the dark web for between 0.5 and 3 Bitcoin (around $3,500 to $22,000).
This could have serious consequences for Email.it under the European Union’s General Data Protection Regulation (GDPR). Penalties under this legislation can be as high as €20m or 4% of annual global turnover for the previous financial year.