Unknown intruders have breached servers of US-based email provider VFEmail.net and destroyed all the data of its US customers in what the company has described as a “catastrophic destruction”.
According to VFEmail, the hackers did not demand a ransom, nor attempt to steal users’ confidential data, so the motive behind the damage would appear to be sabotage, although the reason is unclear at the moment.
The attack occurred on 11th February and was detected after VFEmail’s website and webmail client went down all of a sudden.
Later, VFEmail posted a message on Twitter stating that its external-facing systems across multiple data centres had gone offline. After about two hours, the company revealed that its backup server had been formatted by an unknown attacker.
“At this time, the attacker has formatted all the disks on every server,” VFEmail’s Twitter account revealed. “nl101 is up, but no incoming email,” read another tweet shortly thereafter.
“Every VM [virtual machine] is lost. Every file server is lost, every backup server is lost. Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via SSH exploit, and there was no ransom. Just attack and destroy.”
The company noted that the intruder may have carried out the attack with some inside information.
VFEmail’s team is currently working to recover user emails, but it appears that all the data for US users has been deleted for good.
While VFEmail’s website is now back online, its secondary domains are still not working.
VFEmail owner Rick Romero posted an update to VFEmail’s website, stating that the company is making all efforts to recover what user data could be salvaged.
On Tuesday, Romero told KrebsOnSecurity that a backup drive hosted in The Netherlands has been recovered, but all mail for US users may have been lost forever. He also revealed that the attacker likely operated from a server based in Bulgaria.
This is not the first time that VFEmail has been targeted by attackers. Earlier, in 2015, the company was attacked by a group of hackers who demanded ransom payments to stop ongoing distributed denial-of-service (DDoS) attacks.
In 2017, the company suffered another series of DDoS attacks, which forced it to change its hosting provider.