U.S. Internet Leaked Years of Internal, Customer Emails

A Minnesota-based Internet Service Provider U.S. Internet Corp has suffered a significant data leak. Specifically, a business unit called Securence, which specializes in providing filtered, secure email services to business, educational institutions and government agencies worldwide was accidently publishing more than a decade’s worth of it’s own internal emails, and that of thousands of clients, in plain text on the Internet where anyone could view it.

KrebsOnSecurity was contacted by Hold Security, a Milwaukee-based cybersecurity firm. Hold Security founder Alex Holden said his researchers had unearthed a public link to a U.S. Internet email server listing more than 6,500 domain names, each with its own clickable link. The domain links revealed inboxes for each employee or user, and contained recent emails and some going back as far as 2008.

Securence counts among its customers dozens of state and local governments, including: nc[.]gov — the official website of North Carolina; stillwatermn[.]gov, the website for the city of Stillwater, Minn.; and cityoffrederickmd[.]gov, the website for the government of Frederick, Md.

“Incredibly, included in this giant index of U.S. Internet customer emails were the internal messages for every current and former employee of U.S. Internet and its subsidiary USI Wireless. Since that index also included the messages of U.S. Internet’s CEO Travis Carter, KrebsOnSecurity forwarded one of Mr. Carter’s own recent emails to him, along with a request to understand how exactly the company managed to screw things up so spectacularly” (Krebs, 2024). Krebs says within minutes of that notification, U.S. Internet pulled all of the published inboxes offline.

Analyst Comments:
U.S. Internet provided an explanation to KrebsOnSecurity stating that “an issue with the Ansible playbook that controls the Nginx configuration for [their] IMAP servers” was to blame for the exposed data. The company says “this incorrect configuration was put in place by a former employee and never caught. U.S. Internet has not shared how long these messages were exposed.” According to the company, the rest of their platform and backend services are currently being audited to verify the Ansible playbooks are correct.

Suggested Corrections:
It is still unclear for how long these accounts were exposed on the Internet, and who may have been able to access the sensitive data during that time frame. An official statement has yet to be released by U.S. Internet Corp.

“KrebsOnSecurity has been writing about data breaches for nearly two decades, but this one easily takes the cake in terms of the level of incompetence needed to make such a huge mistake unnoticed. I’m not sure what the proper response from authorities or regulators should be to this incident, but it’s clear that U.S. Internet should not be allowed to manage anyone’s email unless and until it can demonstrate more transparency, and prove that it has radically revamped its security” (Krebs, 2024).