Cyber Incident Victim: Fastmail

Date: Nov 2015

Location: Australia

Summary

FastMail experienced multiple distributed denial of service (DDoS) attacks accompanied by a ransom demand of 20 Bitcoin to cease the offensive. The company refused to pay, citing a policy against extortion, and activated mitigation strategies that initially restored services before subsequent attacks resumed. Service disruptions occurred during these incidents, mirroring similar attacks on other email providers including Runbox, Zoho, Hushmail, and ProtonMail. The attacker sought financial gain through disruption, though FastMail maintained preparedness to adapt defenses based on prior DDoS experience and publicly affirmed its commitment to resisting such criminal tactics.

Description

The distributed denial of service (DDoS) attacks against FastMail commenced in the early hours of November 8, 2015, disrupting services for the Australian-based premium email provider. The initial attack overwhelmed systems, forcing partial service outages before FastMail implemented pre-established mitigation strategies to neutralize the assault. Approximately 24 hours later, the same attacker launched a renewed offensive coinciding with an extortion demand for 20 Bitcoins (equivalent to approximately £7,500 at the time), threatening continued disruption unless payment was made. FastMail publicly refused to negotiate with the assailant, stating it does not respond to extortion attempts and would not comply with ransom demands. The company characterized the attacks as part of a broader campaign targeting multiple email providers, including Runbox, Zoho, Hushmail, and ProtonMail, all subjected to similar DDoS-driven extortion attempts during the same timeframe.

FastMail acknowledged the operational challenge posed by the sustained attacks but emphasized its reliance on existing DDoS mitigation protocols and adaptive response strategies developed from prior incidents. The company cited ProtonMail’s experience—where payment failed to prevent further attacks—as reinforcing its decision to reject the ransom demand. Service disruptions occurred during both attack waves, though the duration and full scope of customer impact were not quantified in public statements. FastMail maintained that its infrastructure preparations enabled partial service continuity despite the offensive, though specific technical countermeasures or third-party mitigation partners were not disclosed. The incident highlighted the attacker’s explicit financial motivation, with FastMail asserting the campaign’s primary objective was monetary gain through coercion rather than data compromise. No evidence suggested customer data breaches or system intrusions beyond the temporary availability issues caused by the volumetric attacks.
