The users’ personal data are now up for grabs on the dark web for anywhere between US$3,500 and US$22,000 worth of Bitcoin.
The personal details of more than 600,000 Email.it users have been stolen and put up for sale on the dark web. The incident surfaced on Sunday after the perpetrators took to Twitter to spread the word about the website that sells the data.
“Unfortunately, we must confirm that we have suffered a hacker attack,” confirmed the Italian email provider in a statement to ZDNet, which broke the story.
The hacker collective that claimed responsibility goes by the moniker “No Name”, or “NN” for short. The group said that the breach occurred way back in January 2018. They went on to claim on their website that they contacted Email.it about loopholes in the firm’s infrastructure and asked for a “little bounty”, but the Italian email provider refused to communicate with them.
Another message on their website stated that they tried to extort the company on February 1st of this year. An Email.it spokesperson confirmed as much, but the company refused to play ball and contacted the authorities instead.
According to the hackers’ claims, they now have control of 46 databases that contain plain text passwords, email content, and email attachments of users who signed up for a free Email.it account between 2007 and 2020.
RELATED READING: Cybercrime black markets: Dark web services and their prices
The collective additionally claimed that it was able to access plain text SMS messages that were sent out using the company’s text sending service, as well as get a hold of the source code of all of Email.it’s web apps.
On the bright side, no financial data were stored on the hacked servers, nor were any business accounts impacted by the breach.
As of now, the affected servers should be patched and the relevant authorities, including the local data privacy regulator, have been notified.
The incident may bring echoes of an unrelated attack at a US-based email provider VFEmail last year, where the bad actors went even further and wiped out almost two decades’ worth of data from the firm’s servers.