“Catastrophic” hack on email provider destroys almost two decades of data

VFEmail says data for virtually all US users is gone for good.

Enlarge / Toshiba MK1403MAV - broken glass platter (credit: Raimond Spekking)

Email provider VFEmail said it has suffered a catastrophic destruction of all of its servers by an unknown assailant who wiped out almost two decades' worth of data and backups in a matter of hours.

“Yes, @VFEmail is effectively gone,” VFEmail founder Rick Romero wrote on Twitter Tuesday morning after watching someone methodically reformat hard drives of the service he started in 2001. “It will likely not return. I never thought anyone would care about my labor of love so much that they'd want to completely and thoroughly destroy it.”

The ordeal started on Monday when he noticed all the servers for his service were down. A few hours later, VFEmail’s Twitter account reported the attacker “just formatted everything.” The account went on to report that VFEmail “caught the perp in the middle of formatting the backup server.”

Read 9 remaining paragraphs | Comments

Gmail for iOS gets Material Design overhaul with new features

Part of a larger effort to make G Suite look and act like a family of products, this refresh brings some of the features we’ve seen in Gmail’s web interface over the past year or so.

Part of a larger effort to make G Suite look and act like a family of products, this refresh brings some of the features we've seen in Gmail's web interface over the past year or so.

Gmail on mobile gets a fresh coat of Material Design paint

Gmail on mobile will soon get a new look. Google today announced that its mobile email apps for iOS and Android are getting a redesign that is in line with the company’s recent Material Design updates to Gmail, Drive, Calendar and Docs and Site. Indeed, the new UI will look familiar to anybody who has […]

Gmail on mobile will soon get a new look. Google today announced that its mobile email apps for iOS and Android are getting a redesign that is in line with the company’s recent Material Design updates to Gmail, Drive, Calendar and Docs and Site. Indeed, the new UI will look familiar to anybody who has ever used the Gmail web app, including that versions ability to select three different density styles. You’ll also see some new fonts and other visual tweaks. In terms of functionality, the mobile app is also getting a few new features that put it on par with the web version.

Like on the desktop, you can now choose between the default view, as well as a comfortable and compact style.  The default view features a generous amount of white space and the same attachment chips underneath the email preview as the web version. The comfortable view does away with those chips and the compact view removes a lot of the space between messages to show you more emails at a glance.

I’ve been testing the new app for a bit and quickly settled on the comfortable view since I never found the attachment chips all that useful in day-to-day use.

In line with Google’s Material Design guidelines, all the styles feature relatively subtle but welcome animations that don’t take a lot of time but give you a couple of extra visual cues about what’s going on as you work your way to Inbox Zero.

Google also notes that the new design makes it a bit easier to switch between accounts. I’m not sure I agree (I definitely find the implementation of this in Inbox, which is sadly going away soon, easier to use), but if you regularly use this feature, it’s still easy enough to use. The switcher is now part of the search bar, though, which is a bit confusing and took me a moment to find.

One nice addition to the mobile app is that the large red phishing and scam warning box from the web version now also appears in the mobile app.

How to set up iCloud email forwarding to another address

If you use multiple email accounts, having messages all land in the same inbox is handy. Here’s how to set up iCloud email forwarding to another address.

iCloud Email Forwarding To New Address

If you use multiple email accounts, having messages all land in the same inbox is handy. Here’s how to set up iCloud email forwarding to another address.

Massive mortgage and loan data leak gets worse as original documents also exposed

Remember that massive data leak of mortgage and loan data we reported on Wednesday? In case you missed it, millions of documents were found leaking after an exposed Elasticsearch server was found without a password. The data contained highly sensitive financial data on tens of thousands of individuals who took out loans or mortgages over […]

Remember that massive data leak of mortgage and loan data we reported on Wednesday?

In case you missed it, millions of documents were found leaking after an exposed Elasticsearch server was found without a password. The data contained highly sensitive financial data on tens of thousands of individuals who took out loans or mortgages over the past decade with U.S. financial institutions. The documents were converted using a technology called OCR from their original paper documents to a computer readable format and stored in the database, but they weren’t easy to read. That said, it was possible to discern names, addresses, birth dates, Social Security numbers and other private financial data by anyone who knew where to find the server.

Independent security researcher Bob Diachenko and TechCrunch traced the source of the leaking database to a Texas-based data and analytics company, Ascension. When reached, the company said that one of its vendors, OpticsML, a New York-based document management startup, had mishandled the data and was to blame for the data leak.

It turns out that data was exposed again — but this time, it was the original documents.

Diachenko found the second trove of data in a separate exposed Amazon S3 storage server, which too was not protected with a password. Anyone who went to an easy-to-guess web address in their web browser could have accessed the storage server and see — and download — the files stored inside.

In a note to TechCrunch, Diachenko said he was “very surprised” to find the server in the first place, let alone open and accessible. Because Amazon storage servers are private by default and aren’t accessible to the web, someone would have made a conscious decision to set its permissions to public.

The bucket contained 21 files containing 23,000 pages of PDF documents stitched together — or about 1.3 gigabytes in size. Diachenko said that portions of the data in the exposed Elasticsearch database on Wednesday matched data found in the Amazon S3 bucket, confirming that some or all of the data is the same as what was previously discovered. Like in Wednesday’s report, the server contained documents from banks and financial institutions across the U.S., including loans and mortgage agreements. We also found documents from U.S. Department of Housing and Urban Development, as well as W-2 tax forms, loan repayment schedules, and other sensitive financial information.

Two of the files — redacted — found on the exposed storage server. (Image: TechCrunch)

Many of the files also contained names, addresses, phone numbers, and Social Security numbers, and more.

When we tried to reach OpticsML on Wednesday, its website had been pulled offline and the listed phone number was disconnected. After scouring through old cached version of the site, we found an email address.

TechCrunch emailed chief executive Sean Lanning, and the bucket was secured within the hour.

Lanning acknowledged our email but did not comment. Instead, OpticsML chief technology officer John Brozena confirmed the breach in a separate email, but declined to answer several questions about the exposed data — including how long the bucket was open and why it was set to public.

“We are working with the appropriate authorities and a forensic team to analyze the full extent of the situation regarding the exposed Elasticsearch server,” said Brozena. “As part of this investigation we learned that 21 documents used for testing were made identifiable by the previously discussed Elasticsearch leak. These documents were taken offline promptly.”

He added that OpticsML is “working to notify all affected parties” when asked about informing customers and state regulators, as per state data breach notification laws.

But Diachenko said there was no telling how many times the bucket might have been accessed before it was discovered.

“I would assume that after such publicity like these guys had, first thing you would do is to check if your cloud storage is down or, at least, password-protected,” he said.

How to mark all your emails as Read on iPhone, iPad and Mac

Clear the unread messages in your Mail inboxes easily. Here’s how to quickly mark all emails as Read on iPhone, iPad, and Mac.

Clear the unread messages in your Mail inboxes easily. Here’s how to quickly mark all emails as Read on iPhone, iPad, and Mac.

Campaign Monitor acquires email enterprise services Sailthru and Liveclicker

CM Group, the organization behind email-centric services like Campaign Monitor and Emma, today announced that it has acquired marketing automation firm Sailthru and the email personalization service Liveclicker. The group did not disclose the acquisition price but noted that the acquisition would bring in about $60 million in additional revenue and 540 new customers, including […]

CM Group, the organization behind email-centric services like Campaign Monitor and Emma, today announced that it has acquired marketing automation firm Sailthru and the email personalization service Liveclicker. The group did not disclose the acquisition price but noted that the acquisition would bring in about $60 million in additional revenue and 540 new customers, including Bloomberg and Samsung. Both of these acquisitions quietly closed in 2018.

Compared to Sailthru, which had raised a total of about $250 million in venture funding before the acquisition, Liveclicker is a relatively small company that was bootstrapped and never raised any outside funding. Still, Liveclicker managed to attract customers like AT&T, Quicken Loans and TJX Companies by offering them the ability to personalize their email messages and tailor them to their customers.

Sailthru’s product portfolio is also quite a bit broader and includes similar email marketing tools, but also services to personalize mobile and web experiences, as well as tools to predict churn and make other retail-focused predictions.

“Sailthru and Liveclicker are extraordinary technologies capable of solving important marketing problems, and we will be making additional investments in the businesses to further accelerate their growth,” writes Wellford Dillard, CEO of CM Group. “Bringing these brands together makes it possible for us to provide marketers with the ideal solution for their needs as they navigate the complex and rapidly changing environments in which they operate.”

With this acquisition, the CM Group now has 500 employees and 300,000 customers.

What3Words breaks the world down into phrases

If you’re down in ///joins.slides.predict you may want to visit ///history.writing.closets or, if you’ve got a little money to spend, try the Bananas Foster at ///cattle.excuse.luggage. Either way, don’t forget to stop by ///plotting.nest.reshape before you fly out. If things go what3words way, that’s how you’ll be sending out addresses in the future. Founded by […]

If you’re down in ///joins.slides.predict you may want to visit ///history.writing.closets or, if you’ve got a little money to spend, try the Bananas Foster at ///cattle.excuse.luggage. Either way, don’t forget to stop by ///plotting.nest.reshape before you fly out.

If things go what3words way, that’s how you’ll be sending out addresses in the future. Founded by musician Chris Sheldrick and Cambridge mathematician Mohan Ganesalingam, the company has cut the world into three meter boxes that are identified by three words. Totonno’s Pizza in Brooklyn is at ///cats.lots.dame while the White House is at ///kicks.mirror.tops. Because there are only three words, you can easily find spots that have no addresses and without using cumbersome latitude and longitude coordinates.

The team created this system after finding that travelers found it almost impossible to find some out-of-the-way places. Tokyo, for example, is notoriously difficult to traverse via address while other situations – renting a Yurt in Alaska, for example – require constantly updated addresses that do not lend themselves to GPS coordinates. Instead, you can tell your driver to take you to ///else.impulse.broom and be done with it.

The team has raised £40 million and is currently working on systems to add their mapping API to industrial and travel partners. You can browse the map here.

“I organized live music events around the world. Often in rural places. HeIfound equipment, musicians and guests got lost. We tried to give coordinates but they were impossible to remember and communicate accurately,” said Sheldrick. “This is the only address solution designed for voice, and the only system using words and not alphanumeric codes.”

Obviously this will take some getting used to. The three words might get mispronounced, leading to some fun problems, but in general it might be good to way to get around the world in a post-modern way. After all, some of the spot names sound like poetry and if you don’t like it you can always just go to ///drills.dandelions.bounds.