The word is spreading on the Internet that respected secure email provider ProtonMail has been hacked by an anonymous group. A pastebin post by “AmFearLiathMor” titled “Protonmail Hacked” makes the claim that the company intentionally undermined its own security features, allowing the hacker group to infiltrate the front-end code and steal the passwords and data, also installing a backdoor on the company’s servers for a time. They also make some wild claims about ProtonMail’s own activities and those of their users.
But the would-be hacker provides no proof that this hack is real, and ProtonMail is vigorously denying that it happened. Other investigators are skeptical of the claims as well. The over-the-top claims and blatant attempt at extortion certainly undermines the credibility of the paste in our eyes. Although it is possible that ProtonMail was hacked as claimed, we believe that this is probably not the case.
Why Do We Care About ProtonMail?
Why would it matter if ProtonMail was indeed hacked? The service has emerged as a trusted provider of secure email and VPN services for many of the most respected names on the Internet. ProtonMail has even surfaced in the media, claimed to be the communication service of choice for players being investigated by Robert Mueller and many other news stories. Heck, Mr. Robot even uses ProtonMail!
I personally use ProtonMail as my “backstop” email account, verifying other services to it, and I advocate using ProtonMail on my blog. Many of my friends also use it, with some switching entirely to the service to protect their online lives from Google’s intrusive “personalization” features. I’m also a ProtonVPN user and was thrilled to see that the ProtonVPN app went live for iOS this week.
So the stakes are serious if ProtonMail was indeed hacked. It would expose the private email of millions of people, many of whom are extremely sensitive about their privacy. And like any email service it would allow the accounts of many others to be exploited.
Then there are the claims made about ProtonMail in this paste: That the company is secretly cracking users’ emails and passwords, transmitting data to unnamed entities in the United States, and that ProtonMail is secretly owned by an American corporation. All of these would undermine the faith placed in the service as a provider outside the reach of American authorities.
Do the Hacking Claims Hold Up?
The paste claims that ProtonMail intentionally compromised their own email service and left it exposed by not using Subresource Integrity (SRI) checking. This would function somewhat like a cross-site scripting attack, substituting a malicious front-end component to collect passwords and (presumably) second-factor codes. This is all moderately plausible, though it could also be entirely made up.
The paste then drops buzzwords like a TV show: “We began with months of dedicated penetration testing, we asked assistance from other organizations and deployed unreleased 0-days” could be a line from the fourth season of Mr. Robot! But again, it is plausible that a front-end hack could expose user passwords, including those of ProtonMail employees, and enable the company’s servers to be compromised. From there, a wholesale substitution of authentication code could perhaps compromise the passwords of a large number of users.
Although the compromise is plausible, some of the claims about the company are not. If ProtonMail truly sent “decrypted user data to American servers” this would stand in opposition to everything the company stands for. Although Switzerland does have a Mutual Legal Assistance Treaty (MLAT) with the United States, it definitely does not require ProtonMail to “reveal all their data to the Americans” as claimed by the paste.
Then there’s the extortion attempt. The paste gives ProtonMail a week to pay “a small fee” or they threaten to release data uncovered during their alleged hack. This is reminiscent of the sextortion and password email scams going around right now but on a much grander scale. Just like those scams, the data claimed to be exposed quickly ranges from “decrypted emails” to “circumventing the Geneva convention, underwater drone activities in the Pacific Ocean, and possible international treaty violations in Antarctica!” It also claims “rampant pedophilia among executives and the affluent”, a frequent boogeyman of fringe types and Internet trolls. Then they claim that the bulk of the data will be “sold in bulk to the highest bidder on the darknet,” another Hollywood-worthy claim.
The ProtonMail Hack is Likely a Hoax
None of this rings true. Although the attack vector is moderately plausible, the rest of the paste’s claims veer off the rails. There’s too much “Hollywood” and not enough reality to their choice of words, and the alleged hacked content isn’t credible. The fact that there is no sample data revealed suggests that this is all a hoax or a weird trolling attempt.
I’m still using ProtonMail. But I did change my password, just in case!
Update, November 19
A second paste has appeared as a response to skepticism of this hack claim. The purported hackers again claim that the exploit is real and that they have communicated secret information to ProtonMail so they can verify the hack. But they offer no more details to people like us who are observing all this from the outside!
Again, this paste make specific claims about pedophilia, drones, and underwater secrets supposedly contained in ProtonMail user mailboxes. And again, these all seem salacious but not necessarily convincing. They also claim again that ProtonMail is owned by an American company and suggest that it is a CIA front, which would be concerning if there was any proof of these links.
Finally, this new paste says the hackers left “clues” in support tickets that would allow their identities to be uncovered. This is simply astounding, and undermines the whole claim of legitimacy. There is no way a group of hackers focused on extortion would leave clues of their “real last names” as some sort of game for the victim!