2 min Security

Researchers find 12.5 million unprotected business mailboxes

Researchers find 12.5 million unprotected business mailboxes

More than 12 million email archive files are accessible due to misconfigured rsync, FTP, SMB, S3 bucket and NAS. That’s what Digital Shadows says after investigating the methods used by cybercriminals to access business e-mail.

The security company therefore indicates that the malicious parties do not need to work with large-scale phishing campaigns, as companies make it very easy for them. By improperly storing email archives, employees expose sensitive, personal and financial information. The researchers found 27,000 invoices, 21,000 payment files and 7,000 purchase orders that were publicly accessible.


Especially financial professionals would have a hard time. Digital Shadows discovered 33,568 email addresses of financial departments circulating in cybercriminal forums. 83 percent of these were offered in combination with passwords. The malicious parties mainly look for business e-mail addresses with common prefixes. Think for example of ‘accounting@’ or ‘invoice@’. For example, one person offered $5,000 (€4,350) on a combination of a username and password.

In addition, Digital Shadows sees that some malicious parties outsource the work. Business E-mail Comprimise (BEC) as a Service is widely offered at $150. The data will be delivered within a week. Some criminals offer a percentage of turnover in exchange for access to mailboxes.

Difficult to prevent

Digital Shadows-CISO Rick Holland concludes that millions of companies are currently vulnerable due to configuration errors and the online circulation of email addresses and passwords. He calls the return on the theft of this sensitive information high. “We have noticed that cybercriminals are actively working together to target specific companies,” says Holland.

Such problems can never be completely avoided, says Holland. However, organisations can optimise internal processes in order to keep the publication of their data to a minimum.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.