CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Email Security

Hacker Erases Email Provider’s Servers, Backups

Email provider VFEmail was hit by a destructive attack, where a hacker who accessed its network was able to erase its servers in the United States, including the backup systems. 

Email provider VFEmail was hit by a destructive attack, where a hacker who accessed its network was able to erase its servers in the United States, including the backup systems. 

“We have suffered catastrophic destruction at the hands of a hacker. This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can,” the company writes on its website. 

Established in 2001, the company provides email services and claims to provide increased email security through scanning all incoming messages and attachments for viruses and blocking malicious content via a gateway, before reaching its servers.

However, this incident shows that user data was not protected with appropriate measures.

On Monday, the email provider announced that their external facing systems in multiple datacenters were down after a hacker “last seen as [email protected]” started formatting the servers. Based on the IP address, the hacker appears to have been operating out of Bulgaria, but could have been working from anywhere via a VPN.

The company says it might have lost all user data stored on the affected servers. “I fear all US based data may be lost,” a tweet posted yesterday reads. 

The company recommends that users do not attempt to reconnect their own email clients, as all local email will be lost. Following the incident, all mailboxes are emptied. 

“At this time, the attacker has formatted all the disks on every server. Every VM is lost. Every file server is lost, every backup server is lost,” VFEmail said on Twitter. 

Advertisement. Scroll to continue reading.

The company’s servers in the Netherlands, which was 100% hosted with a vastly smaller dataset, survived the attack because the backups by the provider remained intact. This allowed the email provider to restore its service there. 

The hacker was able to destroy all virtual machines despite the fact that not all of them shared the same authentication, the company revealed. 

“This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy,” VFEmail said. 

The attack was discovered and stopped at a time the perpetrator was formatting one of the servers, but the company is uncertain whether that specific server is recoverable. At the moment, however, it looks as if most of the company’s infrastructure is lost. 

As Terence Jackson, Chief Information Security Officer at Thycotic, pointed to SecurityWeek in an emailed comment, this might have been either a brute force attack or the result of credential stuffing. To avoid such disasters, production and backup data should never be stored together and both online and offline backups should be kept, he says. 

“This type of attack highlights the importance of having, updating and testing your Disaster Recovery/Business Continuity plans often and using a Privileged Access Management solution. The about page on the site shows a network diagram that does include an offsite backup server attached to the public internet. At this point, I believe we have more questions than answers,” Jackson said.

“This kind of destructive attack, with no stated motive or demands, is quite rare. An organization losing all of their data, and all of their customer data, is a nightmare scenario that could easily put a small company out of business and cause a huge financial impact on a large enterprise. Sony suffered this type of catastrophic destruction in 2014, which was attributed to North Korea,” Chris Morales, head of security analytics at Vectra, told SecurityWeek.

“The first thought that comes to mind is this is a service being sold as a secure email. The second is that if this is secure email then where are the offline backups and archives? Offline backups might not give a full restore to the exact date data was lost, but it would prevent the complete loss of all historical user data. Offline backup is the same strategy organizations are using to counter loss from ransomware,” Morales continued.

“The fact that attackers were able to access and erase all the information demonstrates that the systems were not protected in an effective way. Critical systems, such as these that host customer data, must be protected with enhanced security and all operations must be protected using intelligent Multi-Factor Authentication solutions. If those controls were in place, an operation that deviates from trusted behavior would have raised the friction towards the attackers and provide immutable logs showing that the attack was in progress, allowing VFEmail to react quickly and potentially stop the breach before data was destroyed,” Fausto Oliveira, Principal Security Architect at Acceptto, told SecurityWeek

Related: Destructive Xbash Linux Malware Targets Enterprise Intranets

Related: Ransomware Attack Against Hosting Provider Confirms MSPs Are Prime Targets

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.