13 Feb VFEmail’s Founder Rick Romero Explains How His Secure Email Service Got Demolished
Did someone have something to hide?
– Steve Morgan, Editor-in-Chief
Northport, N.Y. — Feb. 13, 2019
VFEmail, a secure email service started in 2001, has been destroyed. An attacker wiped out the company’s U.S. servers on Monday evening, including backups, destroying almost two decades worth of user data in just a few hours, according to a story in Threatpost.
Cyberattacks and data breaches have become so common that it’s hard to keep up with them. In case you haven’t heard what happened to VFEmail — or if you’d like to hear it from the horse’s mouth — Cybercrime Magazine caught up with their founder, Rick Romero, for this Q&A. “I’ll help as best I can,” said Romero, presumably shocked over his catastrophic loss.
The following is a first-hand accounting from Romero, unedited, in response to our request for the 5 W’s around the VFEmail hack.
- Who. No idea. Whoever did it, there was a remnant of connection from a hosting provider in Belgium (IIRC). But that’s likely just a launchpad. Like hopping on your neighbor’s Wi-Fi.
- What. They gained root access to every system — How, I am unsure. The only combined authentication is for email; all other hosts were local logins only, and those hosts did not all share the same user/password. Therefore, remote exploits had to be used in at least 2 cases, probably 3 — but local privilege escalation would be likely from there.
- Where. VFEmail is based in Waukesha, Wis. VFEmail-owned equipment (about 12 servers) is located at New Continuum Data Centers in Illinois. They’ve been great. They’ve done an awesome job managing the DDOS attacks we get on at least a yearly basis. There are also a couple VM hosts in the Netherlands for users who didn’t want their mailboxes stored in the U.S. Those users did not lose much, if any, data as the datasets were so small the provider’s backup system could handle it.
- When. About 5 a.m. on Monday, Feb. 11, 2019. (Romero didn’t mention what time zone, but he is based in the greater Milwaukee area, which is CST)
- Why. There was no financial gain to be had. No ransom was asked. VFEmail does tout privacy and security, so there are users ranging the black hat illegal activity type, to politically outspoken citizens. The basic email service was free, with no validation requirement, so anyone could have done anything (via email). The destruction was so thorough, it makes me think someone had something to hide.
We followed up with Romero, asking where VFEmail users should look for email service. “My users should probably look to Fastmail, ProtonMail or Hushmail. All our features differ. It just depends on what the user values.”
And what about Gmail, we asked. “It’s possible the same could happen to Gmail (or anyone else) but I would expect with the amount of money Google is making that they have replicas upon replicas with greater separation between the pieces,” said Romero. “Whether you’re talking about protecting data, or hacking it, the result you desire really comes down to how much time and money you have.”
Finally, we wanted to know if VFEmail users actually lost all of their emails (as some media have reported): “Most of VFEmail’s users, about 90 percent, used their own IMAP/POP client,” said Romero. “What that does is sync your local mailbox with the server. If the server disappears, you will still have all your email. Using an IMAP client and 2 accounts, you can then drag and drop email between those INBOXs, creating your own backup. That’s the simplest way; there are imapsync and mailbox sync services that would do this as well (VFEmail also offered IMAPsync).”
According to Romero’s LinkedIn bio, he’s been employed for the past two years as a senior security engineer at Foley & Lardner, LLP, an international law firm with over 1,100 lawyers in 24 offices across the United States, Mexico, Europe, and Asia. Prior to that, he’s held IT and security positions with various employers while overseeing his company, VF IT Services, LLC. So, it appears that the VFEmail hack has not put Romero out of work.
Romero’s website proclaims, “While other services have shut down, or been exposed as not delivering on their promises, VFEmail keeps chugging along.” (It’s possible that may be edited or deleted by the time you read this). Unfortunately for VFEmail loyalists, that’s no longer the case.
Many users ditched their Yahoo Mail accounts and switched to Gmail (after the epic Yahoo hack). VFEmail users might want to think about doing the same. Signing on to another small secure email provider may be a daunting thought. If time and money are in fact crucial to protecting data as Romero says, then Gmail is the safe bet.
Romero’s email service wasn’t a profitable business venture for him. “VFEmail was never a source of income for me; every extra penny went back into it,” said Romero.
As far as the number and type of users affected — “There were about 10,000 daily users. Many of which run their small businesses through email,” according to Romero. “Fortunately, 90 percent of them (VFEmail users) used their own email client, using POP or IMAP to keep a local copy of their email. In addition, new incoming mail became available about 12 hours after the incident. So hopefully those who rely on it most weren’t too impacted. They can create a new account in their email client for new mail and refer to the old one for history. Basically the lesson is, don’t put all your eggs in one basket.”
On a more emotional note, Romero offered, “Personally, it’s a major disappointment (the VFEmail hack). I accepted a long time ago that I’m not the business builder, but the infrastructure builder. It was nice to refer to an infrastructure that was servicing more people daily than most places I was employed, but that’s about it.” And that is, about it, for VFEmail.
Feb. 20, 2019 – Apparently VFEmail has been resuscitated. For the latest on VFEmail, check their Twitter account at https://twitter.com/VFEmail.
VFEmail will not be shutting down. We're not back to 100% capacity, and we're still hoping user data between 8/2016 and 2/2019 can be recovered.
The US data center has been vacated, and we will run entirely from the NL datacenter.
— VFEmail.net (@VFEmail) February 21, 2019
– Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.