Cyber Incident Victim: Email.it

Date: Jan 2018

Location: Italy

Summary

A major Italian email service provider suffered a cybersecurity breach where attackers exfiltrated data from over 600,000 free account holders, later offering it for sale on the dark web following an unsuccessful extortion attempt. The compromised information included plaintext passwords, security questions, email contents with attachments, SMS messages sent through the platform, and source code for both administrative and customer-facing web applications. While the company confirmed the breach impacted a server containing administrative data, it clarified that financial information and paid business accounts remained unaffected as they were stored separately. After refusing the ransom demand, the provider addressed the vulnerability, notified law enforcement, and reported the incident to data privacy regulators.

Description

The Email.it breach involved unauthorized access to the Italian email service provider’s systems, leading to the theft of data belonging to over 600,000 users. The incident came to light in early 2020 when hackers listed the stolen data for sale on the dark web, with an asking price ranging from 0.5 to 3 bitcoin (approximately $3,500 to $22,000 at the time). Email.it confirmed the attack in a statement to ZDNet on April 6, 2020, disclosing that the hackers had initially attempted extortion on February 1, 2020, by demanding "a little bounty." The company refused the payment demand and instead reported the incident to the Italian Postal Police (CNAIPIC). Following the failed extortion, the attackers proceeded to monetize the data. Email.it clarified that the compromised server contained administrative data but no financial information, and that business accounts were unaffected as paid customer data was stored separately. The company patched the breached server and notified relevant authorities, including Italy’s data privacy regulator.

The attackers claimed to have exfiltrated 46 databases containing records of users who registered for free Email.it accounts between 2007 and 2020. These databases allegedly included plaintext passwords, security questions, email contents, attachments, SMS messages sent through Email.it’s SMS service, and the source code for all web applications, including administrative and customer-facing platforms. Email.it did not dispute the hackers’ assertions regarding the nature of the stolen data. The exposure of plaintext credentials and security questions posed significant risks to user privacy and account security, while the theft of source code raised concerns about potential future exploits against the company’s infrastructure. The breach exclusively impacted free account holders, as paid business customer data resided on separate systems untouched by the intrusion. Email.it’s public response emphasized containment efforts, including server remediation and regulatory notifications, but did not detail prior security measures or the specific vulnerability exploited.
