New research by security experts has found that more than 3 million email servers are still using an aging protocol without encryption enabled, leaving millions of usernames and passwords vulnerable to hackers.
This week, the Shadowserver Foundation, a nonprofit security organization, issued an alert on X reporting that 3.3 million POP3 and IMAP servers are operating without Transport Layer Security (TLS) encryption enabled. To explain, POP3 (Post Office Protocol version 3) is an aging protocol used by email clients to access email from an email server, and it is often used alongside the newer IMAP (Internet Message Access Protocol). TLS, on the other hand, is a protocol that encrypts communication between web applications and servers, preventing hackers from intercepting potentially sensitive information while you chat or check email.
Without TLS encryption enabled during transmission, the content of your messages and your login information, such as your username and password, are sent in plain text, leaving this information accessible to any malicious actor eavesdropping on the network.
“We have started reporting hosts running POP3/IMAP services without TLS enabled, meaning usernames/passwords are not encrypted when transmitted. We see about 3.3 million such cases with POP3 and a similar amount with IMAP (most overlap). It’s time to remove them!” pic.twitter.com/Iw9cZPxshg, December 31, 2024
“We have begun reporting hosts running POP3/IMAP services without TLS enabled, meaning usernames/passwords are not encrypted when transmitted,” the Shadowserver Foundation said.
Nearly 900,000 of these sites are based in the United States, with 560,000 and 380,000 in Germany and Poland, respectively, the organization found, adding: “We are seeing approximately 3.3 million such cases with POP3 and a similar number with IMAP (most overlap). It’s time to remove them!” You can view vulnerability reports for POP3 mail servers and IMAP mail hosts on the Shadowserver Foundation site.
How to Stay Safe Against the Threat of Email Password Exposure
Email service providers have used TLS to encrypt messages for decades, and Microsoft began enabling the latest version, TLS 1.3, by default with Windows 11. However, the Shadowserver Foundation warned that “whether or not TLS is enabled, exposing the service may enable password guessing attacks against the server.”
The organization advised all email users to check with their email service provider to ensure TLS is enabled and the latest version of the protocol is used. Fortunately, the latest versions of Apple, Google, Microsoft, and Mozilla email platforms all enable TLS, so users can rest assured that their information is already protected.
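For administrators who want to check their own servers for the condition Shadowserver describes, the following added example (not from Shadowserver or the original article) classifies the capability list a server advertises on the unencrypted IMAP or POP3 port. The verdict labels and the sample responses are constructed for illustration.

```python
# Added example: labels and sample responses are constructed for illustration.
CLEARTEXT_SASL = {"PLAIN", "LOGIN"}  # SASL mechanisms that transmit the password itself


def _verdict(cleartext_auth: bool, tls_upgrade: bool) -> str:
    if cleartext_auth:
        # Password can cross the wire unencrypted; an upgrade is optional at best.
        return "cleartext-login-offered" if tls_upgrade else "cleartext-only"
    return "tls-required" if tls_upgrade else "no-usable-auth"


def classify_imap(capability_line: str) -> str:
    """Classify an IMAP CAPABILITY response seen on port 143 before any TLS."""
    caps = {c.upper() for c in capability_line.replace("[", " ").replace("]", " ").split()}
    # LOGINDISABLED (RFC 3501): the LOGIN command is refused until TLS is active.
    login_ok = "LOGINDISABLED" not in caps
    plain_sasl = any(c.startswith("AUTH=") and c[5:] in CLEARTEXT_SASL for c in caps)
    return _verdict(login_ok or plain_sasl, "STARTTLS" in caps)


def classify_pop3(capa_lines: list) -> str:
    """Classify a POP3 CAPA response (RFC 2449) seen on port 110 before any TLS."""
    caps = {}
    for line in capa_lines:
        line = line.strip()
        if line and line != "." and not line.startswith("+OK"):
            name, *args = line.upper().split()
            caps[name] = set(args)
    # USER means USER/PASS is accepted; SASL lists the offered mechanisms.
    cleartext = "USER" in caps or bool(caps.get("SASL", set()) & CLEARTEXT_SASL)
    return _verdict(cleartext, "STLS" in caps)


# Constructed responses, as a server might send them on the unencrypted port.
IMAP_SAMPLES = {
    "legacy": "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN",
    "optional-tls": "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN",
    "hardened": "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready",
}
POP3_SAMPLES = {
    "legacy": ["+OK", "USER", "UIDL", "TOP", "."],
    "hardened": ["+OK", "STLS", "UIDL", "TOP", "SASL", "."],
}

if __name__ == "__main__":
    for name, line in IMAP_SAMPLES.items():
        print("imap", name, classify_imap(line))
    for name, lines in POP3_SAMPLES.items():
        print("pop3", name, classify_pop3(lines))
```

A "cleartext-login-offered" result still deserves attention: the server supports the TLS upgrade but will accept a password from any client that does not request it.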
When it comes to general online security tips, it’s always a good idea to make sure you’re using the best antivirus software to protect your PC, the best Mac antivirus software to protect your Mac, and one of the best Android antivirus apps to protect your Android phone.