New research from security experts has revealed over 3 million mail servers are still using an aging protocol without encryption enabled, leaving millions of usernames and passwords vulnerable to hackers.
This week the Shadowserver Foundation, a nonprofit security organization, pushed out an alert on X and that it found 3.3 million POP3 and IMAP servers are operating without transport layer security (TLS) encryption enabled. To translate, POP3 (Post Office Protocol version 3) is an aging protocol used by email clients to access emails from a mail server, and it’s often used alongside the newer protocol IMAP (Internet Message Access Protocol). TLS encryption, meanwhile, is a protocol that encrypts the communication between web applications and servers, preventing hackers from intercepting potentially sensitive information while you’re chatting or checking your email.
Without TLS encryption enabled during transmission, both the contents of your messages and your log-in credentials like username and password are sent in plain text, leaving that information out there for any bad actor to come across using eavesdropping networks.
We have started notifying about hosts running POP3/IMAP services without TLS enabled, meaning usernames/passwords are not encrypted when transmitted. We see around 3.3M such cases with POP3 & a similar amount with IMAP (most overlap).It’s time to retire those! pic.twitter.com/Iw9cZPxshgDecember 31, 2024
“We have started notifying about hosts running POP3/IMAP services without TLS enabled, meaning usernames/passwords are not encrypted when transmitted,” the ShadowServer Foundation said.
Almost 900,000 of these sites are based in the U.S., with another 560,000 and 380,000 in Germany and Poland respectively, the organization found, adding: “We see around 3.3M such cases with POP3 & a similar amount with IMAP (most overlap). It’s time to retire those!” You can check out vulnerability reports for both POP3 email servers and IMAP email hosts on the Shadowserver Foundation site.
How to stay safe amid threat of email password exposure
Email service providers have been using TLS to encrypt messages for decades, and Microsoft began enabling the latest version, TLS 1.3, by default with Windows 11. Though the Shadowserver Foundation warned that “regardless of whether TLS is enabled or not, service exposure may enable password-guessing attacks against the server.”
The organization advised all email users to check with their email service provider to be sure that TLS is enabled and the latest version of the protocol is being used. Thankfully, the latest versions of Apple, Google, Microsoft and Mozilla email platforms all enable TLS, so users there can rest assured that their information is already safeguarded.
As for general online security tips, it’s always a good idea to make sure you’re using the best antivirus software to protect your PC, the best Mac antivirus software to protect your Mac and one of the best Android antivirus apps to protect your Android phone.
