Email.it Data Breach Exposes 600,000 Users – Expert Commentary

It has been announced that the Italian email provider Email.it has suffered a data breach, and the data of more than 600,000 users is now being sold on the dark web.

Expert Comments

April 07, 2020
Ed Macnair
CEO
Censornet
Email.it has failed its users more than once in this case. In the first instance, the email provider has not protected the sensitive data of its customers and then, despite the breach happening two years ago, the company has not warned users they are at risk. It is simply unacceptable that the provider has violated the trust of its users in this way and they had to find out via Twitter. It is particularly worrying that the leaked information, which includes passwords, security questions, email content and attachments, is now being sold over the dark web to the highest bidder. More than 600,000 customers are now at risk of highly targeted and sophisticated Account Takeover attacks with huge financial implications. It is so important that companies take responsibility for the sensitive information of their users and have visibility and control over these large databases to keep them secure. A multi-layered security posture that combines best practice policies and employee awareness with the right technology is crucial to preventing these leaks. All Email.it users should immediately implement multi-factor authentication in order to add an extra layer of security to their accounts.
April 08, 2020
Anna Russell
EMEA VP
comforte AG
There are two ways to look at this – from a personal perspective and from a business perspective. As a private individual, sometimes there’s no way to be sure that the services we use are protected by an adequate amount of security. The best way to protect yourself is to use different passwords for all your online accounts and change them regularly. Otherwise, if one is compromised, then you can assume they’ve all been compromised. And from a business perspective, the reality is that it’s just not possible to be 100% secure. With an ever-growing attack surface, classic network protection is not the best way forward. Sometimes you won’t even notice you’ve been breached. In the end, the most important thing to do is to protect your customers' data. Encryption and tokenization are actually more important than access security, because the data would be protected in a way that makes the data meaningless and worthless to a hacker or bad actor. The encrypted or tokenized data could not be listed for sale on the dark web because the data would be undecipherable. The takeaway should be – “If you collect it, protect it.” Sensitive data should *not* be accessible by everyone, and sensitive data should *not* be stored in its clear-text format, no matter if it is in your secured network, in the cloud, or in databases.
April 08, 2020
James Carder
Chief Information Security Officer & Vice President
LogRhythm Labs
This is an unfortunate incident all around. We have a provider of email services that not only has access to all of their customers’ personally identifiable information (PII), including usernames and passwords, but also of their emails and the content within those emails. As anybody who has been in the industry long enough knows, people still send sensitive information through email all the time — whether it’s a good practice or not. Email.it’s claim that no financial information was stored on the hacked server isn’t completely accurate. It’s likely that some of their customers shared sensitive data in the body of an email or in attachments. This very well could have included financial details, like bank statements and social security numbers, or even copies of driver’s licenses, pictures of their families, or other personal documents and information that could be exploited. Therefore, the attackers gained unfettered access to this information, bypassing any security and encryption controls in use — assuming there were some. What makes this especially upsetting is the amount of time the attackers had access to this environment. They were able to gain a toehold into it and simply sit and collect data for over two years, waiting for the best and most opportune time to strike while Italy is in complete lockdown amidst a pandemic, with users heavily leveraging the company’s platform. Since becoming aware of the breach, the company was given ample time and opportunity to rectify it, such as through patching and remedying the exploited vector(s) the attackers were using. They could have rebuilt systems and infrastructure. They could have hired forensics and incident experts to identify the issues and remediate. Instead, they chose to notify authorities and then do nothing else. I think that in addition to the brand damage they’ll experience as the result of the breach, they should be worried about the negligence associated with their lack of action. 
In the end, this is another classic breach story where there were likely IT hygiene issues that exposed vulnerabilities the attackers could leverage, combined with a complete lack of monitoring, detection, and response capabilities that would have alerted the company early on to what was happening and given them even more opportunity to do something about it.
April 08, 2020
Jake Moore
Cybersecurity Specialist
ESET
Limiting the amount of data hitting the dark web is nearly impossible once it’s out. However, it’s about how you handle the compromise and it’s noble how this company dealt with the threats. Companies should not be pressured into negotiating with cyber criminals and it’s refreshing to see a company not bowing to pressures.
April 08, 2020
Stuart Sharp
VP of Solution Engineering
OneLogin
This is of course a significant worry for users of Email.it, and for the company itself, whose brand reputation and security posture will suffer as a result of this breach. They may also find themselves in breach of legislation such as GDPR, which could incur fines sizeable enough to have a serious effect on the company’s bottom line. Applying proactive measures such as two-factor authentication and other access controls as part of an enterprise’s standard privacy requirements can help to stop or mitigate the harm caused by incidents such as this. The data now hosted on dark web forums will move into the cybercriminal supply chain, working as fuel for further breaches, phishing attacks, malware distribution, data harvesting and, in the most extreme cases, wholesale identity theft. Stopping these breaches at the source will work to stop the cycle starting again, but in the meantime, Email.it needs to assist every user affected by the breach, urging them to ensure they update their credentials on any websites where they have used the same password, enable two-factor authentication on as many websites as possible, and consider signing up for a free credit rating monitor service.
April 08, 2020
Tim Mackey
Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
Synopsys
People’s digital lives are increasingly held in their hands and powered by free services like public email providers and social media platforms. The security resources available to any platform, including the level of talent they can attract, are a function of their revenue streams. Ideally, all service providers will perform real-time audits for abnormal traffic patterns based on the potential threats to their business. Customers assume such security reviews are part of normal business and that they’ll detect any attempts to access customer data – an expectation that isn’t related to the fees paid for the service. So for any consumer electing to use any free service, the first question you should be asking is how they’re going to protect whatever data you’re providing them. If it’s not obvious how they can afford to both pay for the security services necessary to combat modern cyber threats and hire skilled staff to monitor for new threats, then perhaps there is a better provider.