US Military Emails Leaked En Masse Due to a Typo

US Military Emails Compromised Due to Typos in Recipient Addresses
Millions of US military emails, some with confidential information, were sent to the wrong addresses

Emails meant for US military addresses ended up at similarly named Mali addresses because of a typo in the domain name. All this started as a mistake, but it may turn into a typosquatting opportunity for government-grade spying.

Typos In Email Addresses Cause US Military Info Leak

The fact is that the US military has a huge data leak through misrouted email. But how could that happen in a system like that? Uncle Sam adopted the .MIL domain at the dawn of the Internet era. Actually, the Internet itself was built for the army's needs. But with Internet expansion, the country of Mali received the top-level domain .ML, just one letter off the military one. You may think that it is too hard to make such a mistake, but the statistics say otherwise. There could potentially be millions of emails that arrived at the wrong address, and confidential or even classified material may be among them.
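The one-letter slip described above can be caught before a message leaves the sender's mail system. The following is an added example, not code from the article or from any military system: it holds recipients whose top-level domain is one edit away from .mil. The function names, the one-edit threshold and the sample addresses are assumptions constructed for illustration.

```python
from email.utils import parseaddr

PROTECTED_TLD = "mil"  # the zone the mail is meant for, per the article
MAX_DISTANCE = 1       # assumption: hold single-keystroke slips only


def levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_recipient(header_value: str) -> str:
    """Return 'protected', 'hold', 'other' or 'invalid' for one To/Cc value."""
    _, addr = parseaddr(header_value)
    local, sep, domain = addr.rpartition("@")
    domain = domain.rstrip(".").lower()  # normalise case and a trailing root dot
    if not sep or not local or "." not in domain:
        return "invalid"
    tld = domain.rsplit(".", 1)[1]
    if tld == PROTECTED_TLD:
        return "protected"
    if levenshtein(tld, PROTECTED_TLD) <= MAX_DISTANCE:
        return "hold"  # e.g. .ml: stop and ask the sender to confirm
    return "other"


def recipients_to_hold(recipients):
    """Recipients an outbound filter should stop for confirmation."""
    return [r for r in recipients if classify_recipient(r) == "hold"]


# Constructed sample recipients (not real addresses).
SAMPLE = [
    "Jane Doe <j.doe@unit.example.mil>",
    "j.doe@unit.example.ml",
    "travel@agency.example.com",
    "not-an-address",
    "ops@UNIT.EXAMPLE.ML.",
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{classify_recipient(r):9}  {r}")
```

A one-edit threshold also holds other real TLDs that sit next to .mil, so the result is best used to prompt the sender for confirmation rather than to drop the message.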

The situation actually started long ago, but was never discussed publicly. Dutch entrepreneur Johannes Zuurbier noticed the flow of messages going to non-existent domains back in 2013. And even back then, before the massive introduction of electronic paperwork, he counted over 115,000 emails in just about 6 months. The emails were mostly regular spam, though some contained sensitive information. By now, the number of such messages is over 10 million.

But how can a Dutchman view all the emails that are coming to the country's TLD? Mr. Zuurbier is the managing director of Mali Dili B.V. The company has a contract with the Malian government for establishing and managing Internet connections across the country. While he cannot access mailboxes, the messages that are sent to the domain zone but fail to reach a recipient remain visible to him.

What kind of data is exposed?

As I said, these messages vary in content. Some are simple spam, and some contain nothing of interest, at least without the context of the correspondence. However, there were a few examples of really compromising messages. Fortunately, no classified information was found among the messages.

One example of a compromising message is the X-ray tomography results of a soldier, together with his medical data. Others contained lists of staff residing on bases, their photos, inspection reports, investigations of internal accidents, and more. Some messages disclosed the dates and accommodation of top officers who were visiting other countries.

Why is the US military information leak so dangerous?

Since this information is related to the US Army, the consequences for those who gain illegal access to it could be pretty bad, regardless of whether it was intended or not. Mr. Zuurbier approached US officials several times, trying to make them react to the problem, but that did not have any effect. The problem is that, as his contract with Mali ends this year, control over the domain zone will be given to the Malian government. The latter is known for its extensive cooperation with Russia, which is not on the best terms with the US at the moment, to say the least.

Moreover, is it even pleasant to have internal emails leaked to a third party? It is critical even for corporations, and is just unbearable for organisations like the army. For now, all of this takes the form of mistakes, and the messages never reach any possible adversaries. But once the contract with Mali Dili is over, things may take a very bad turn. Typosquatting is quite easy to set up and exploit, especially when a government is interested in gathering information in such a way.

By Stephanie Adlam
