On Wednesday, 1/12/2022, an email provider named Mail2World disappeared from the internet. They’re a modest company based in California that provides email for millions of people worldwide. They handle the email service for many different ISPs (including Shentel, Buckeye Broadband, and SRT), as well as for individuals and small businesses. Information on this outage was challenging to come by, so I’m going to chronicle what I saw and learned during this event, below.
Day One (January 12)
Around 7AM EST, all email service with Mail2World stopped. For the entire day, no answers were forthcoming. People calling their ISPs got only vague explanations: “Email is completely down, we have no ETR.”
Those who contacted Mail2World directly received an unprofessional response. I had hoped they would issue a press release or a pinned post on Facebook. Instead, ironically commenting on an older Facebook post about “improving your chances of getting your email read,” Mail2World shared only a few vague tidbits. It was nothing informative (“Please be advised that we’re fully and diligently working on the current email service outage.”) and only aggravated their clients further.
Day Two (January 13)
With email still down, Mail2World told some ISPs to expect a 3PM EST recovery time. But that deadline came and went, and everyone had to face the fact that nothing would be restored this day.
A sharp-eyed Facebook commenter pointed out a breaking news story (alternate link) about a ransomware attack and suggested it might be relevant. I called the ISP mentioned in the story and got confirmation: Mail2World is their email provider, and a ransomware attack had brought down all of Mail2World.
Day Three (January 14)
The outage continued, but repair progress could be detected. Using DNS lookup websites, people could see that Mail2World DNS entries were coming back online across the globe. M2W had been completely absent from the world’s DNS servers for the first two days of this outage!
Repeatedly contacting Mail2World, I could only get the briefest assurance from M2W that no one’s data was compromised or stolen. As more news reports about the ransomware attack emerged, they seemed to confirm that user data was safe through this debacle. Other ISPs started to report more details as well.
After much teeth-grinding, Mail2World posted a non-update on their Facebook page. Huzzah! And their sales website came back online, more progress!
Day Four (January 15)
Early in the morning, Shentel reported that email service might be restored within the next 24 hours. By some estimates, that would be extremely quick and efficient, but not unheard of.
By mid-day, a rare few M2W email accounts were able to send out messages, although they arrived with security warnings and other malformations. Still, it showed further progress!
As Day Four drew to a close, a few users reported email arriving in their Mail2World accounts. We couldn’t declare a complete recovery yet, but some people were able to send off a few messages and verify that their old emails were once again available.
Day Five (January 16)
I woke to reports of Shentel (Virginia) email users happy with their restored accounts. Reports from other states (Indiana, South Dakota, Ohio) were varied, but most showed some signs of functionality. Other countries (Sweden, Australia, Mexico) also reported in about recovery, again varied, with some at full email ability, while others still hampered or limited.
This outage was mentioned over at Slashdot, but still hadn’t garnered any national or large-scale news coverage.
For my part, I recommended that anyone with fully restored ISP email call in to their internet provider for a refund or credit. Since Mail2World would surely pay a penalty to their ISP clients for the outage, I reasoned that that money should be passed along to the ISP customers themselves. And my experience with many ISPs is that if you don’t ask, you don’t get!
Day Six (January 17)
Today I found that most people worldwide have their basic M2W email service back. But there are some outliers that are still waiting, in Sweden or Mexico. These folks tend to be individuals that have enrolled in free email service directly with Mail2World. I can only guess that they are low-priority, and may have a much longer repair time than the blocks of email addresses repaired for the large ISP customers.
If you’re still waiting for an M2W repair, I can only tell you to hang in there, keep waiting and reach out to Mail2World repeatedly as time goes on. You can call them at +1 (310) 209-0060, visit their website, check them on Facebook, or find their Twitter feed. Good luck!
Epilogue (March 9)
Most everyone I know has moved on from this issue. But I am still disappointed. There are many questions left unanswered: What ransomware or criminal group caused this? Was the attack successful because of employee error or a zero-day exploit? Was the ransom paid or not?
For my part, I’ve pinged M2W for 2 months, through FB/Twitter/email/LinkedIn, asking for more info. And today, I got a phone call from one of their agents. He explained that the matter has been investigated, mitigated, resolved and put to bed. All informative reports have been finished and submitted… to the ISPs and involved companies.
He didn’t have any press releases or documentation for me. Or for the masses of email users out there. All of the “post-mortem” reports have been sent to Shentel, Buckeye Broadband and similar companies. And those big ISPs might not share that info with us little people, because, well… lawyers.
But this kind gentleman who called me reiterated: the ransomware attack did not expose anyone’s email info. He briefly mentioned that a third-party vendor made a mistake and left a port open somewhere, and bad actors capitalized on the vulnerability. Now that all the forensics and investigation are through, M2W has improved their security and procedures to prevent this from happening again.
Outage started shortly after 3am eastern. (Suggest using time zone)
Reports are that the source of the problem was ISV code that mail2world used. Unclear whether it’s related to the recently discovered log4j flaw, and whether this code was freeware or commercial.
This is not yet over, as we and the industry need to understand the flaw and ensure that it’s closed. Also need to understand how it was closed (bandaid vs fundamental fix) and whether mail2world has the resources to uncover all flaws in their code and licensed software and fix them. And then we need to understand timelines.
Apologies, ignore the timezone reference.
Getting to the root causes is even more critically important to business or personal success than the few dollars available for compensation.
I would love to get to the root of things, too. I’m itching to know what the ransomware was and how it got in, and I also want to know if they paid the ransom or not. Paying the ransomware maker directly funds the next generation of ransomware, which will be harder to guard against and defeat. I think it’s important to know if M2W chose to be part of the problem or if they held fast against this type of crime.
Stay tuned. M2W promises full disclosure.
That would be great… if true. Did they email you this promise, or are you seeing it online somewhere?
I know that reports were: “Repeatedly contacting Mail2World, I could only get the briefest assurance from M2W that no one data was compromised or stolen. And as more news reports about the ransomware attack emerged, that seemed to confirm that user data was safe through this debacle. Other ISPs started to report more details, as well.”
But I’ve seen no data that supports or denies that. And without details it’s hard to know. (E.g., were all customer data and emails properly and fully encrypted?)
I agree, we can’t prove what M2W is telling us. We can either choose to believe them or withhold belief until other information comes to light.
I want to believe. But I also know that their security offerings have always been modest and disappointing (no 2FA). I am torn. I wish I had more to assure people with, because that’s what people need most after this debacle.
Not knowing or being able to trust M2W will drive many to flee their service to another more trusted platform (Gmail!).
Thought I saw M2W on a FB post owning up to providing an analysis of the cause. I will look later.
Please be aware that this problem is still NOT fixed. I continue to experience delays.
Gotcha, and I hear from a few far out folks that they still have no email. M2W must have the bare bones back in operation but could have weeks more of behind-the-scenes work before things are back to normal.