Pierluigi Paganini April 07, 2020

A database stolen from the Italian email provider Email.it containing more than 600,000 users is available for sale on the dark web.

The Italian email provider Email.it has been hacked, the company admitted the incident while a hacker group named NN Hacking Group is offering the stolen data for sale on the dark web.

The group shared a series of snapshots on the dump on Twitter claiming that the hack is dated back January 2018, the hacker group also claimed that since then the email provider is still storing users’ passwords in plain text.

If confirmed, the situation is very serious because the email provider has never disclosed a data breach even if it was obliged by the European privacy legislation GDPR. I have an active account with Email.it and I still haven’t received any data breach notice from the provider.

The dump available for sale in the dark web includes 44 databases containing usernames and plain text passwords, security questions, email messages and related attachments for all 600K email accounts, and SMS and Fax in clear text sent and received by the users. The databases contain data on users who signed up for a free Email.it email account, so-called professional accounts were not impacted.

According to the company, no financial information was stolen by the hackers.

On Sunday the NN Hacking Group announced the hack and shared the link of a Tor service where they were selling the stolen data.

“We breached Email.it Datacenter more than 2 years ago and we plant ourself like an APT. We took any possible sensitive data from their server and after we choosen to give them a chance to patch their holes asking for a little bounty. They refused to talk with us and continued to trick their users/customers. They didn’t contacted their users/customers after breaches!” reads the message published by the group on its website.

It seems that the hackers attempted to blackmail the Italian provider threatening to release the stolen data, but the company refused to pay and reported the incident to the Italian Postal Police.

Then the group of hackers decided to attempt to sell the Email.it data online for a price that varies between 0.5 for the list of credentials up to d 3 bitcoin for the entire dump containing the messages and the SMS/FAX ($3,500 and $22,000).

The hackers also claim to have stolen the source code of all Email.it’s web apps.

At the time of writing, the company confirmed to have secured its server and to have reported the incident to the local authorities, including the privacy watchdog.

Updated 07 April, 2020

I contacted the group of hackers to have more info on the hack:

Q: Did you hack the provider?

A: Yes, we breached http://Email.it datacenter

Q: Could you give me more details about the hack? Which kind of issues did you exploit?

A: Many ones. We chained multiple issues, including SQL Injection, code execution, privilege escalation and so on.

Q: Why did you hack Email.?

A: We targeted and breached other providers of course. Email. It was the worst in terms of security so we have chosen to public that. Email.it refused to reply us also if we proposed to help them to fix the vulns after a “bounty” payment.

Q: Did you try to contact the company?

A: Yes, many times from beginning 2020 but they refused to reply us.

Q: When the server was hacked? Are data up to date?

A: Yes, data up to date. DB is from 2020

Pierluigi Paganini

(SecurityAffairs – Email.it, data breach)

[adrotate banner=”5″]

[adrotate banner=”13″]