https://krebsonsecurity.com/2024/02/u-s-internet-leaked-years-of-internal-customer-emails/

Krebs on Security

U.S. Internet Leaked Years of Internal, Customer Emails
February 14, 2024 (21 Comments)

The Minnesota-based Internet provider U.S. Internet Corp. has a business unit called Securence, which specializes in providing filtered, secure email services to businesses, educational institutions and government agencies worldwide. But until it was notified last week, U.S. Internet was publishing more than a decade's worth of its internal email -- and that of thousands of Securence clients -- in plain text out on the Internet and just a click away for anyone with a Web browser.

Headquartered in Minnetonka, Minn., U.S. Internet is a regional ISP that provides fiber and wireless Internet service. The ISP's Securence division bills itself "a leading provider of email filtering and management software that includes email protection and security services for small business, enterprise, educational and government institutions worldwide."

[Image: securence-home] U.S. Internet/Securence says your email is secure. Nothing could be further from the truth.

Roughly a week ago, KrebsOnSecurity was contacted by Hold Security, a Milwaukee-based cybersecurity firm. Hold Security founder Alex Holden said his researchers had unearthed a public link to a U.S. Internet email server listing more than 6,500 domain names, each with its own clickable link.

[Image: USI-customers] A tiny portion of the more than 6,500 customers who trusted U.S. Internet with their email.

Drilling down into those individual domain links revealed inboxes for each employee or user of these exposed host names. Some of the emails dated back to 2008; others were as recent as the present day.
Securence counts among its customers dozens of state and local governments, including: nc.gov -- the official website of North Carolina; stillwatermn.gov, the website for the city of Stillwater, Minn.; and cityoffrederickmd.gov, the website for the government of Frederick, Md.

Incredibly, included in this giant index of U.S. Internet customer emails were the internal messages for every current and former employee of U.S. Internet and its subsidiary USI Wireless. Since that index also included the messages of U.S. Internet's CEO Travis Carter, KrebsOnSecurity forwarded one of Mr. Carter's own recent emails to him, along with a request to understand how exactly the company managed to screw things up so spectacularly.

[Image: uswireless-inboxes] Individual inboxes of U.S. Wireless employees were published in clear text on the Internet.

Within minutes of that notification, U.S. Internet pulled all of the published inboxes offline. Mr. Carter responded and said his team was investigating how it happened. In the same breath, the CEO asked if KrebsOnSecurity does security consulting for hire (I do not).

[Author's note: Perhaps Mr. Carter was frantically casting about for any expertise he could find in a tough moment. But I found the request personally offensive, because I couldn't shake the notion that maybe the company was hoping it could buy my silence.]

Earlier this week, Mr. Carter replied with a highly technical explanation that ultimately did little to explain why or how so many internal and customer inboxes were published in plain text on the Internet.

"The feedback from my team was an issue with the Ansible playbook that controls the Nginx configuration for our IMAP servers," Carter said, noting that this incorrect configuration was put in place by a former employee and never caught. U.S. Internet has not shared how long these messages were exposed.
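The article does not say what the playbook error actually was. As an added illustration (constructed here, not U.S. Internet's configuration and not from the article), the first server block below is one Nginx setting that turns a mail store into exactly the kind of clickable index Holden found, and the second is the form that serves only the intended web content. The hostname and the paths are assumptions.

```nginx
# Constructed illustration; hostname and paths are assumed, not from the article.
# TLS certificate directives are omitted for brevity.

# Exposed: the document root is the mail store itself and directory listing
# is switched on, so every customer domain and every user's Maildir under it
# is rendered as browsable HTML and each raw message file is downloadable.
server {
    listen 443 ssl;
    server_name mail.example.test;      # assumed hostname
    root /var/vmail;                    # assumed per-domain mail store
    autoindex on;                       # generates clickable directory listings
}

# Hardened: the document root holds only the web client's static assets,
# listings are off (a directory without an index file returns 403), and the
# mail tree and dotfolders (Maildir subfolders, .git, .htpasswd) are refused
# explicitly so a later template change cannot quietly re-expose them.
server {
    listen 443 ssl;
    server_name mail.example.test;
    root /srv/webmail/public;           # assumed; contains no mail data
    autoindex off;
    location ~ /\. { deny all; }        # any path component beginning with "."
    location /vmail/ { deny all; }      # never serve or proxy the mail store
    location / { try_files $uri $uri/ =404; }
}
```

A check in the playbook that fails the run when the rendered template contains `autoindex on` or a `root` inside the mail store, followed by `nginx -t` on the result, catches this before the change reaches a production server.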
"The rest of the platform and other backend services are being audited to verify the Ansible playbooks are correct," Carter said.

Holden said he also discovered that hackers have been abusing a Securence link scrubbing and anti-spam service called Url-Shield to create links that look benign but instead redirect visitors to hacked and malicious websites.

[Image: securence-urlshield]

"The bad guys modify the malicious link reporting into redirects to their own malicious sites," Holden said. "That's how the bad guys drive traffic to their sites and increase search engine rankings."

For example, clicking the Securence link shown in the screenshot directly above leads one to a website that tries to trick visitors into allowing site notifications by couching the request as a CAPTCHA request designed to separate humans from bots. After approving the deceptive CAPTCHA/notification request, the link forwards the visitor to a Russian internationalized domain name (rproag[.]rf).

[Image: badcaptcha-usinternet] The link to this malicious and deceptive website was created using Securence's link-scrubbing service. Notification pop-ups were blocked when this site tried to disguise a prompt for accepting notifications as a form of CAPTCHA.

U.S. Internet has not responded to questions about how long it has been exposing all of its internal and customer emails, or when the errant configuration changes were made. The company also still has not disclosed the incident on its website. The last press release on the site dates back to March 2020.

KrebsOnSecurity has been writing about data breaches for nearly two decades, but this one easily takes the cake in terms of the level of incompetence needed to make such a huge mistake unnoticed. I'm not sure what the proper response from authorities or regulators should be to this incident, but it's clear that U.S. Internet should not be allowed to manage anyone's email unless and until it can demonstrate more transparency, and prove that it has radically revamped its security.

This entry was posted on Wednesday 14th of February 2024 11:45 AM in A Little Sunshine, Data Breaches, Latest Warnings, and tagged Alex Holden, Hold Security, Securence, Travis Carter, U.S. Internet Corp.

21 thoughts on "U.S. Internet Leaked Years of Internal, Customer Emails"

1. JF, February 14, 2024
   Wow! 'You never cease to amaze me' John to Sherlock

2. Craig Lewis, February 14, 2024
   So much for Change Management and Internal Audit doing their jobs. The CIO, CISO (if they have one), all senior IT staff, IT Security, and IT Audit should be fired.

3. W Brunson, February 14, 2024
   You write that "this incorrect configuration was put in place by a former employee and never caught." Is it possible that the former employee was disgruntled and left a logic bomb along with his resignation? Or are the company's vulnerability scans just checkbox items that are never really used to find vulnerabilities?

   3.1. Miso, February 14, 2024
        Fair point on change management controls failing, but remember that Internal Audit is at best a detective control and is not tasked with live monitoring of all processes.

4. Ivor Hewitt, February 14, 2024
   Re "The timestamps listed do not appear to be accurate somehow": is it that the timestamps are showing the time the folder was created, not the time of the contents?

   4.1. Brian Krebs (post author), February 14, 2024
        I don't think so, because in a lot of cases where you drill down into the actual inboxes below you find much more recent timestamps. But perhaps you're right for the main index page. Honestly, their systems were so screwed up it's hard to explain a lot about this.

        4.1.1. GBB, February 14, 2024
               I can confirm that the date is the time created.
               As a former employee of a company that maintained the Securence partnership, the date matches when we added the managed domain to Securence.

        4.1.2. Matt, February 14, 2024
               I would agree to this. This is the date the folder was created. The emails and subfolders would have the date they were created. So some of these URLs date back to 2008. Simply wow is all I got.

5. Quid, February 14, 2024
   Ignorance, Incompetence, Arrogance, Parsimony or just plain Stupidity? What about notification to CISA or similar? https://www.cisa.gov/report

6. Kathy Marshall, February 14, 2024
   So many companies are failing at their core competency, Experian, Boeing... are we so complicated that this is what we should expect? Or could they be so focused on their stock performance that they forget what is important?

   6.1. Gman, February 14, 2024
        Speaking of stock performance: I did some limited checking and could not determine if they are publicly held. If they are it will be interesting to read about it in their SEC disclosure.

   6.2. G Benkler, February 14, 2024
        Speaking of stock performance: I did some limited checking and could not determine if they are publicly held. If they are it will be interesting to read about it in their SEC disclosure.

7. D Cooker, February 14, 2024
   Did it have the actual emails of their customers or just the US Internet emails?

   7.1. Brian Krebs (post author), February 14, 2024
        Both

8. Lazlo, February 14, 2024
   Does this sound like it just affected their email/IMAP customers? They also have Business Continuity and Shadowing in their Securence spam filter. So that technically holds email. Is that list still available somewhere to check for compromised domains?

   8.1. Brian Krebs (post author), February 14, 2024
        Here is a list of the customers I found with the original link Holden shared. However, this list should not be considered exhaustive or complete by any means.
        Changing the URL slightly by incrementing or decrementing a number in the URL caused a slightly different set of customers to be listed. I didn't have a chance to go through it all before they took it down (note to self: pillage BEFORE burning). https://docs.google.com/spreadsheets/d/1wgKe1VrfNF8Afav1aJtMrZDeNuqBtSFku58fWlCBp6Q/edit?usp=sharing

        8.1.1. Steven, February 14, 2024
               I know of a few of the domains on that list and they are customers of their "secure" email gateway service.

        8.1.2. TimH, February 14, 2024
               There are a number of law firms on your list there that will not be happy. First one: https://www.2027law.com/ "BOUTIQUE LAW FIRM Specializing in Commercial Litigation, Business Law, and Real Estate".

               8.1.2.1. TimH, February 14, 2024
                        ...and medical. Who else has read the emails from minneapolisplasticsurgery.com?

9. A USI Customer, February 14, 2024
   This is very disappointing for me personally, as USI was my very first ISP back in like 1995, and I currently use their fiber to the home service. At least I didn't use their email services.

10. Richard Turnbull, February 14, 2024
    Great job Brian, and anyone aiming to try to essentially bribe you for nondisclosure must really have NO IDEA of your already stellar record of instantiating top journalistic ethics, as well as having to deal with some of the "worst of the worst" over the years, that's for sure! All of which they could discover at least something about just by "googling Brian Krebs on Security" - ironically enough.