At the time it is not clear if the hacker belongs to a cyber crime gang, it claims to have stolen a “significant” amounts of data from the company.
AmFearLiathMor also wrote that ProtonMail hasn’t configured the mandatory Subresource Integrity (SRI) allowing tampering and data collection.
“We hacked Protonmail and have a significant amount of their data from the past few months. We are offering it back to Protonmail for a small fee, if they decline then we will publish or sell user data to the world.” wrote the hacker.
“While Protonmail’s open-source code can be freely audited on Github, they haven’t configured the mandatory SRI feature (https://www.w3.org/TR/SRI/). This leaves users without any guarantee about their source code integrity, thus allowing tampering and data collection at anytime. This will be totally transparent and unnoticed, because without enabling SRI all the users should inspect the website runtime code and its connections manually in the same moment they’re being tampered with by Protonmail to discover it.”
“Incidentally during this period we noticed that Protonmail sends decrypted user data to American servers frequently. This may be due to the Swiss MLAT treaty requiring swiss companies reveal all their data to the Americans. However it also might be possible they are sending this decrypted user data to the American firm that owns them. This was simply a surprising thing to note but did not significantly influence our operation.” added the hacker.
ProtonMail denied having been hacked that added that this is just a hoax.
This extortion attempt is a hoax and have seen zero evidence to suggest otherwise.
— ProtonMail (@ProtonMail) November 16, 2018
Below the ProtonMail reply to a Reddit thread:
“This extortion attempt is a hoax and we have seen zero evidence to suggest otherwise.” states the company.
“A closer reading of some of the claims, e.g. “circumventing the Geneva convention, underwater drone activities in the Pacific Ocean, and possible international treaty violations in Antarctica”, etc, should also cause a reasonable observer to draw the same conclusion.”
ProtonMail confirmed to be aware of a limited number of hacked accounts that have been compromised likely through credential stuffing of phishing attacks, but excluded that its systems have been breached.
“As many of you may be aware, earlier today, criminals attempted to extort ProtonMail by alleging a data breach, with zero evidence. An internal investigation turned up two messages from the criminals involved, which again repeated the allegations with zero evidence, and demanded payment. We have no indications of any breach from our internal infrastructure monitoring.” wrote the company.
“Like any good conspiracy theory, it is impossible to disprove a breach. On the other hand, a breach can be easily proven by providing evidence. The lack of evidence strongly suggests there is no breach, and this is a simple case of online extortion.”
The hackers are claiming they have data on Michael Avenatti and CNN employees.
The hacker is also offering $20 USD in bitcoin for spreading info about the alleged hack using the #Protonmail hashtag on Twitter.
This is a very strange and anomalous scam attempt, the hackers used a mix of appealing info and political data. Why mention Avenatti in a scam attempt? Is it a message to someone? Why hackers did not publish a sample of stolen data?
(Security Affairs – Protonmail, hacking)