"Unfortunately, we must confirm that we have suffered a hacker attack," the Italian email service provider said in a statement to ZDNet on Monday.
Failed extortion attempt
The Email.it hack came to light on Sunday, when the hackers went on Twitter to promote a website on the dark web where they were selling the company's data.
The hackers -- going by the name of NN (No Name) Hacking Group -- claim the actual intrusion took place more than two years ago, in January 2018. We cite from their website:
We breached Email.it Datacenter more than 2 years ago and we plant ourself like an APT. We took any possible sensitive data from their server and after we choosen to give them a chance to patch their holes asking for a little bounty. They refused to talk with us and continued to trick their users/customers. They didn't contacted their users/customers after breaches!
According to another message on their site, the hackers tried to extort Email.it on February 1, when they asked for "a little bounty."
An Email.it spokesperson told ZDNet on Monday that the company declined to pay and instead notified the Italian Postal Police (CNAIPIC).
Following the failed extortion attempt, the hackers are now selling the company's data for an asking price that varies between 0.5 and 3 bitcoin ($3,500 and $22,000).
The hackers claim to be in possession of 46 databases they stole from Email.it's systems.
Per NN, the databases contain information on users who signed up for a free Email.it email account.
The hackers claim the databases contain plaintext passwords, security questions, email content, and email attachments for more than 600,000 users who signed up and used the service between 2007 to 2020.
The hackers also claim to be in possession of plaintext SMS messages sent through Email.it's SMS-sending service.
Furthermore, the hackers also said they exfiltrated the source code of all Email.it's web apps, including admin and customer-facing applications.
Email.it did not contest any of the claims on the hacker's website. The only clarification the company made was to point out that no financial information was stored on the hacked server.
"The attack only concerned a server with administrative data (billing addresses and data for service communications)," Email.it told ZDNet [translated message].
The company said it immediately patched the server and notified authorities, including the country's local data privacy regulator.
Email.it also told ZDNet that no Business accounts were impacted, as information about paid customers was not stored on the hacked server.