Out of luck: VFEmail breached again

In July 2020, a dump containing 923,276 VFEmail accounts with passwords was added to our breach monitoring service database. Some passwords are hashed with SHA512, meaning they are hard to crack, while others are hashed with MD5 and can be compromised easily. The website was breached in April 2020 and its user data was sold privately on the dark web.

VFEmail users reported security and usability issues earlier this year. In March 2020, a user reported losing access to his email: “I have been hacked, meaning someone changed not only my password but also got into my secret question. It wouldn’t bother me, except this is a paid account. I don’t need someone to reset my password, just help me reset my question and answer, so I can do it again.”

In June 2020, users talked about problems with logging in and signing in, which may have been the result of April’s data breach.

VFEmail, a Milwaukee-based secure email provider, was founded in 2001. This small independent company was often mentioned among the safest and most recommended services for the dark web. But VFEmail suffered a devastating breach in February 2019. According to the company, “the attacker has formatted all the disks on every server. Every VM is lost. Every file server is lost, every backup server is lost.” “This was more than a multi-password via SSH exploit, and there was no ransom. Just attack and destroy.”

The company’s founder Rick Romero wrote: “I never thought anyone would care about my labor of love so much that they’d want to completely and thoroughly destroy it.”

The criminals accessed VFEmail’s entire infrastructure: mail hosts, machine hosts, and an SQL server cluster. About two decades of data were cold-heartedly wiped out. Romero said: “There definitely was something that somebody didn’t want found. Or, I really pissed someone off. That’s always possible.”

Two-factor authentication didn’t stop the hacker. The intruder likely had multiple passwords to access the company’s different systems. None of the passwords matched one another or were weak, according to Romero.

The service’s operations were restored, but it was targeted again in November 2019.

VFEmail’s case shows that even safety-focused companies can experience vicious attacks that won’t ever allow them to recover. Users should be proactive in protecting their data and choose services that effectively resolve security issues. The dark web monitoring service by Breach Report also allows users and companies to receive notifications if their emails are breached and to take appropriate measures before it’s too late.