Protonmail hacked; servers intentionally misconfigured -- Or not?

So… have they released the stuff?

I haven’t seen anything.

But the paste says that Protonmail intentionally misconfigured SRI, which is only relevant when using a third-party CDN. Protonmail does not use a third-party CDN when serving their application.

I really doubt that they actually hacked Protonmail.

2 Likes
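An added example, not part of any post in this thread: what Subresource Integrity (SRI) checks, and an audit that flags only the case the post above describes, scripts loaded from another origin without an `integrity` attribute. The hosts `mail.example` and `cdn.example` and the sample markup are constructed for illustration.

```javascript
// Added example: SRI hash check plus a page audit. Hosts and markup are constructed.
const nodeCrypto = require('crypto');
const ALGOS = ['sha256', 'sha384', 'sha512']; // weakest to strongest

// Value that goes into integrity="..." for a given resource body.
function sriHash(body, algo = 'sha384') {
  return `${algo}-${nodeCrypto.createHash(algo).update(body).digest('base64')}`;
}

// Browser-style check: only the strongest algorithm listed is enforced.
function integrityMatches(integrity, body) {
  const tokens = integrity.trim().split(/\s+/)
    .map(t => /^(sha256|sha384|sha512)-([A-Za-z0-9+\/=]+)/.exec(t))
    .filter(Boolean);
  if (tokens.length === 0) return true; // no usable metadata: resource is not blocked
  const best = Math.max(...tokens.map(m => ALGOS.indexOf(m[1])));
  return tokens
    .filter(m => ALGOS.indexOf(m[1]) === best)
    .some(m => sriHash(body, m[1]) === `${m[1]}-${m[2]}`);
}

// Flag <script src> tags served from another origin without an integrity attribute.
function auditScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!src) continue; // inline script, SRI does not apply
    const url = new URL(src[1], pageUrl);
    const hasIntegrity = /\bintegrity\s*=\s*["'][^"']+["']/i.test(tag);
    if (url.origin !== pageOrigin && !hasIntegrity) findings.push(url.href);
  }
  return findings;
}

// Constructed sample page: one same-origin script, two CDN scripts.
const LIB_BODY = 'console.log("lib");';
const SAMPLE_HTML = `
<script src="/app.js"></script>
<script src="https://cdn.example/lib.js" integrity="${sriHash(LIB_BODY)}" crossorigin="anonymous"></script>
<script src="https://cdn.example/other.js"></script>`;

console.log(auditScripts(SAMPLE_HTML, 'https://mail.example/'));
```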

Oh, of course not. The deadline has been and gone. This was an attempt to damage the brand more than anything else. Probably someone who was using ProtonMail for illegitimate purposes and got banned.

I take it back… kind of

So the child has “released” the emails. Those emails being summaries in his own words of what he says some “top secret” emails contain. Then says you can pay for the original encrypted emails.

This post contains top secret classified information obtained from Protonmail’s server.

I love it. Not just top secret, but ALSO classified. That’s just too much top secret for me.

1 Like

They’ve released all of the data they have. Zilch.

I just got an email from protonmail.

Our biggest sale ever has started. For a limited time only, get 50% off ProtonMail Plus with a two-year subscription. This is the biggest discount we have ever offered, which means you can get ProtonMail Plus for just $2/month.

To access the promotion, (1) login at mail.protonmail.com and (2) click on the Black Friday/Cyber Monday sale button in the upper right menu bar.

Additional two-year plans are available for a limited time only at Settings -> Dashboard. If you do not see the sale button, please refresh your browser.

I had a look at their summaries; what struck me straight away was that if it is true, then Protonmail and their extorting money from them is the least of their worries. If they have the information they claim, then they should be able to reasonably assume that they are not long for the world when it gets out.

If it is true, the people it relates to have the power to make this “hacker” disappear. So for that alone, leaving out all of the other madness stated already, this comes across as super fake.

Tech journalism is pretty poor, so this seems like clickbaity word salad to try and get attention.

However, if true, it is more likely they social engineered their way in. Or someone was naughty and reused a password. That sort of stuff.

But I still can’t see any emails in the super hacker anon paste bins!

This had me scared shitless. Not that my emails are so important but I do not want to see my favourite company be compromised and publicly destroyed.

I hope this is not true as well. At least wikipedia says otherwise.

However it also might be possible they are sending this decrypted user data to the American firm that owns them. This was simply a surprising thing to note but did not significantly influence our operation.

There were some key giveaways that this was a poorly executed scam.

The first sign was this

We are offering it back to Protonmail for a small fee, if they decline then we will publish or sell user data to the world.

(Turned out their small fee was millions, it appears.)

Then this

SRI

They don’t understand what this technology applies to, it seems.

Their multi-paragraph rant after that is all based off of their SRI premise.

The big one was them talking about how they are an upstanding organisation while attempting to extort and blackmail Protonmail and its customers. Then topped it off talking about how great they are and how Protonmail treats them badly.

Those things pointed this to being more someone who was ticked off at Protonmail (probably because they did something illegal using Protonmail’s email and got banned) and was trying to damage their name. It sounded like a child wrote it, basically.

The info today just confirmed that.

The fact is, if they were the upstanding organisation they say, they would have gone through the right channels, and their pastebin wouldn’t have sounded like the angry rant of a teenager who lost their toy.

Legitimate issues like this usually have the whole “proof of life” going for them.

It adds nicely to the whole US conspiracy and gets people stirred up and worried. Always good to add the US conspiracy in the mix.

FYI, they do adhere to legal international requests or court orders. They’re very clear about that.

Hoping for a defamation charge if they know who… if it’s someone who had it in for Protonmail, then I’m sure they might have some leads.

Which means they can decrypt your mailbox if they want to? I remember reading somewhere that if you forget your password they won’t be able to recover it for you because of the way their system is designed.

Nah, they probably just send them the encrypted data.

This is what we have. Sorry if it’s of no use to you.

How is that gonna help the authorities? That’s practically the same as giving them nothing. On second thought, they probably record some metadata. Date/Time, recipient, size, location etc…

It’s keeping them protected from being axed.

This is everything we have, we are cooperating with you, it’s not my fault it’s of no use to you

I’m sure they record some metadata.

No. It’s encrypted and you hold the password to the key.

There is the user flaw of using a weak password, as in theory the keys could be cracked, though it would take a while unless your password is ‘password123’.

The reality though: no one is trying to crack everyone’s keys; it would take too long and wouldn’t work. If you’re a legitimate criminal doing pretty bad things, Protonmail isn’t for you anyway, that’s not its purpose, and the government doesn’t actually care about most people anyway.

Since they only have your encrypted key, if you forget your password, they can reset the keys if they can verify you are you, but all emails before the reset are lost since they are encrypted with a key no one knows the password to.

1 Like
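An added example, not part of any post in this thread and not ProtonMail’s actual implementation: a simplified model of the design described above, where the server holds only a password-encrypted private key, so a reset issues new keys and mail encrypted to the old key stays unreadable. All function names, passwords and messages are hypothetical; RSA-OAEP stands in for the real mail encryption.

```javascript
// Added example: simplified model of a password-protected mailbox key.
// NOT ProtonMail's real scheme; names and values are constructed for illustration.
const nodeCrypto = require('crypto');

// Generate a key pair whose private half is stored encrypted under the password.
function newKeys(password) {
  return nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: {
      type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase: password,
    },
  });
}

// Everything in this object is what the server holds; the password is never stored.
function createAccount(password) {
  const k = newKeys(password);
  return { publicKey: k.publicKey, encryptedPrivateKey: k.privateKey, inbox: [] };
}

// Incoming mail is encrypted to the public key (short messages only with raw RSA-OAEP).
function deliver(account, text) {
  account.inbox.push(nodeCrypto.publicEncrypt(account.publicKey, Buffer.from(text)));
}

// Decrypt each message; null means it cannot be read with this password and key.
function readInbox(account, password) {
  return account.inbox.map(ct => {
    try {
      const key = { key: account.encryptedPrivateKey, passphrase: password };
      return nodeCrypto.privateDecrypt(key, ct).toString();
    } catch {
      return null; // wrong password, or mail encrypted to a key that was replaced
    }
  });
}

// Reset after a forgotten password: the old private key cannot be unwrapped,
// so the server can only issue a fresh key pair. Old ciphertext stays as it is.
function resetPassword(account, newPassword) {
  const k = newKeys(newPassword);
  account.publicKey = k.publicKey;
  account.encryptedPrivateKey = k.privateKey;
}
```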

Given the level of the threat, authorities could try and break the key. Alternatively, since terrorists and criminals tend not to work alone, they may not be going after a primary target, and could in theory pick up a secondary target to have them give over the password to their account.

They could also instead insert RATs or other surveillance tools within a target’s devices or housing, car, etc., or surveil them in person to obtain additional intelligence.

There’s lots of things you can do.

Protonmail won’t, though, hand over any data unless it’s been approved by a Swiss court.

1 Like

This is the real benefit here. Just like using TOR doesn’t protect you if you don’t practice proper obscurity practices, using Protonmail won’t protect you if you mail to an unsecured address or if you leave too much metadata.

That said… it’s getting much easier to get your hands on commodity hardware that can brute force these encryption protocols. I wouldn’t be surprised if a moderately strong password could be broken in two weeks with 10k worth of hardware.

1 Like