Ako, an Israeli webmail service whose name means “useful,” allows users to send and receive email using the HTTP protocol. Although Ako was hacked in 2009, it was unclear what information was exposed until recently.
On June 18th, security researchers from Trustwave disclosed their findings, revealing the scope of the attack.
The attack on Ako was carried out by exploiting a SQL Injection vulnerability on the login page. We don’t know how many accounts were compromised due to the breach, but Trustwave’s SpiderLabs team claims that over 150GB of data was recovered from the service.
An excerpt from their report is as follows: Customers’ usernames, encrypted passwords, and email content were among the 150GB of data stolen by the attackers. The bad news is that Ako’s encryption technique was insecure, allowing all passwords to be decoded rapidly.
Trustwave’s SpiderLabs team discovered several intriguing facts about the compromised user base during their investigation of the assault. More than half of the users had passwords that were less than eight characters long, and 12% of them had no password at all.
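The three weaknesses described above (an injectable login query, recoverable stored passwords, and empty or short passwords) can be shown side by side with their fixes. This is an added example, not Ako's code or material from the Trustwave report; the table names, the 8-character minimum, the PBKDF2 work factor and the sample account are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

MIN_PASSWORD_LEN = 8         # assumed policy floor for this example
PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example
TAUTOLOGY = "' OR '1'='1"    # constructed textbook input used as a regression test

def hash_password(password, salt):
    # Salted one-way derivation: there is no key that turns this back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def create_user(db, username, password):
    # Refuse empty and short passwords at account creation.
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("password shorter than policy minimum")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (username, salt, hash_password(password, salt)))

def login_weak(db, username, password):
    # Weak pattern: input is spliced into the SQL text, so quotes change the query.
    sql = ("SELECT 1 FROM legacy_users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_hardened(db, username, password):
    # Bound parameter: the driver passes the value as data, never as SQL.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)

def build_demo_db():
    # Constructed sample data: one account in each schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE legacy_users (username TEXT, password TEXT)")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    db.execute("INSERT INTO legacy_users VALUES (?, ?)", ("alice", "correct horse battery"))
    create_user(db, "alice", "correct horse battery")
    return db

if __name__ == "__main__":
    db = build_demo_db()
    print("weak login accepts tautology:", login_weak(db, "alice", TAUTOLOGY))
    print("hardened login accepts tautology:", login_hardened(db, "alice", TAUTOLOGY))
```

Keeping the tautology input as a regression test in the login test suite catches any later change that reintroduces string-built SQL.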
One could argue that Ako Webmail was not designed with security in mind; however, it’s difficult to blame them because they’re far from the only web-based email service that keeps passwords in cleartext. Even so, no firm working with sensitive data should engage in such security practices.
As if that wasn’t bad enough, it was also revealed that several of the compromised servers were hosting Web sites for Israeli banks and financial institutions. The SpiderLabs team at Trustwave discovered evidence that some stolen data were used in illicit activities, including fraud.