U.S. Internet Corp.’s Securence unit inadvertently exposed over a decade’s worth of internal and client emails online, accessible to anyone with a web browser. Hold Security alerted KrebsOnSecurity that thousands of domains and individual inboxes, including those of state and local governments, were accessible, pointing to critical security oversights within the company’s infrastructure. Although the breach was swiftly addressed, questions linger regarding the duration of the exposure and the extent of potential repercussions for affected parties.
The breach surfaced when Hold Security discovered a public link to a U.S. Internet email server listing over 6,500 domain names, and it raised concerns about the security of sensitive communications. Upon investigation, the exposed inboxes were found to contain emails dating back to 2008, posing significant privacy and confidentiality risks for both U.S. Internet’s internal communications and its clients’ correspondence.
Among the affected entities were state and local government agencies, including the official websites of North Carolina and the cities of Stillwater, Minnesota, and Frederick, Maryland. Additionally, the breach encompassed every current and former employee of U.S. Internet and its subsidiary USI Wireless, underscoring the severity and scope of the incident.
While U.S. Internet swiftly pulled the exposed inboxes offline upon notification, questions remain regarding the root cause and duration of the exposure. The company’s CEO attributed the issue to an incorrect configuration in the Ansible playbook for IMAP servers, emphasizing ongoing efforts to audit and rectify backend services. However, concerns persist about the potential exploitation of the exposed emails by malicious actors and the company’s transparency regarding the incident.