Millions of email services still sending passwords unencrypted in plain text


Around 3.3 million servers are running POP3/IMAP email services without encryption (TLS) enabled, the Shadowserver Foundation, a nonprofit security organization, has discovered. Most of these servers reside in the US, Germany, and Poland.

POP3 (Post Office Protocol version 3) is an aging protocol used by email clients to retrieve emails from a mail server. It is often used alongside the newer protocol IMAP (Internet Message Access Protocol).

The Shadowserver Foundation tracks 3.3 million POP3/IMAP servers along the globe that do not have TLS encryption.

ADVERTISEMENT

“It's time to retire those services!” the organization warns.

“We have started notifying about hosts running POP3/IMAP services without TLS enabled, meaning usernames/passwords are not encrypted when transmitted. We see around 3.3M such cases with POP3 & a similar amount with IMAP (most overlap).”

Almost 900,000 of these servers are from the US, while Germany follows in second place with 523,000 servers. Poland and Japan are next on the list, with 381,800 and 301,800 unprotected servers, respectively.

Users of such email services should be aware that anyone with basic network monitoring tools can intercept their communications and steal their credentials.

vilius Ernestas Naprys Marcus Walsh profile jurgita
Don’t miss our latest stories on Google News

“Note that regardless of whether TLS is enabled or not, service exposure may enable password-guessing attacks against the server,” the Shadowserver Foundation said.

ADVERTISEMENT