3.3 Million Email Servers at Risk: Lack of Encryption Puts User Data in Danger

A new security report from the Shadowserver Foundation has highlighted a major vulnerability in global email infrastructure, revealing that roughly 3.3 million email servers running POP3 and IMAP protocols lack encryption. This puts user data, including sensitive credentials, at significant risk.

POP3 (Post Office Protocol version 3) and IMAP (Internet Message Access Protocol) are widely used to retrieve emails from servers. However, without proper security measures like TLS (Transport Layer Security) encryption, the communication between email clients and servers is unprotected. TLS encrypts data in transit, ensuring that usernames, passwords, and other private information remain secure. The absence of TLS means that hackers, armed with basic network monitoring tools, can intercept email traffic and steal login credentials.

The Shadowserver Foundation, a nonprofit organization dedicated to tracking cybersecurity risks, discovered that nearly 3.3 million POP3 and IMAP servers worldwide are running without TLS encryption. Most of these vulnerable servers are based in the United States, Germany, and Poland. Specifically, around 900,000 servers are located in the U.S., followed by 523,000 in Germany and 381,800 in Poland. Other countries, including Japan, also have a significant number of exposed servers.

The issue arises from the fact that many of these email servers rely on outdated software or improperly configured services that fail to enable TLS encryption. This leaves the systems open to password-guessing attacks and exposes users to potential data breaches. The Shadowserver Foundation has urged system administrators to retire legacy systems that do not meet modern security standards, as well as to ensure that TLS is enabled to safeguard user data.
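For administrators reviewing their own servers, the following added example (not taken from the Shadowserver report or from this article) classifies what an IMAP (port 143) or POP3 (port 110) service advertises before login. The sample responses are constructed, and the three verdict labels are this example's own naming.

```python
import re

# Constructed pre-login responses from the cleartext ports (not real captures).
SAMPLES = [
    ("imap", "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN] ready"),
    ("imap", "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"),
    ("imap", "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"),
    ("pop3", "+OK\r\nUSER\r\nSASL PLAIN LOGIN\r\nUIDL\r\n."),
    ("pop3", "+OK\r\nSTLS\r\nUSER\r\nUIDL\r\n."),
    ("pop3", "+OK\r\nSTLS\r\nUIDL\r\n."),
]

def imap_caps(response):
    """Capability tokens from an IMAP greeting or CAPABILITY reply."""
    m = re.search(r"CAPABILITY\s+([^\]\r\n]+)", response, re.I)
    return {tok.upper() for tok in m.group(1).split()} if m else set()

def pop3_caps(response):
    """Capability tags from a multi-line POP3 CAPA reply (RFC 2449)."""
    caps = set()
    for line in response.splitlines()[1:]:      # skip the +OK status line
        words = line.upper().split()
        if not words or words[0] == ".":        # "." terminates the list
            break
        caps.add(words[0])
        if words[0] == "SASL":                  # record each SASL mechanism
            caps.update("SASL=" + mech for mech in words[1:])
    return caps

def classify(protocol, response):
    """Return 'no-tls', 'tls-optional' or 'tls-required' (labels are ours)."""
    if protocol == "imap":
        caps = imap_caps(response)
        has_tls = "STARTTLS" in caps
        # Absent LOGINDISABLED, LOGIN is permitted before TLS (RFC 3501).
        plaintext = "LOGINDISABLED" not in caps or bool(
            caps & {"AUTH=PLAIN", "AUTH=LOGIN"})
    else:
        caps = pop3_caps(response)
        has_tls = "STLS" in caps
        plaintext = bool(caps & {"USER", "SASL=PLAIN", "SASL=LOGIN"})
    if not has_tls:
        return "no-tls"
    return "tls-optional" if plaintext else "tls-required"

if __name__ == "__main__":
    for proto, resp in SAMPLES:
        print(proto, classify(proto, resp))
```

A `tls-optional` verdict still means a client that skips STARTTLS or STLS sends its password unencrypted. The advertised capability list is a heuristic and should be confirmed against the server's actual authentication settings.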

For users, the implications are clear: using email services without encryption can lead to serious security risks, as sensitive communications are left vulnerable to interception. The Shadowserver Foundation is notifying administrators of exposed services, urging them to take immediate action.

In conclusion, email service providers must prioritize the activation of TLS encryption, while users should consider switching to more secure services that provide robust protections. With cyber threats growing increasingly sophisticated, securing email communications with encryption is no longer optional but a critical necessity.