Typos in the address box may cause millions of US Military emails to be leaked

[WolframaticAlpha]

Summary

Members of the US military often mistype the .mil domain to .ml in their email address boxes. As a result, millions of these emails have gone to websites based in mali(.ml). Jonathan Zuurbier, a dutch internet entrepreneur identified the issue years ago and notified the military. However, the military responded only in January of this year. As the control of these domains reverts from Zuurbier to Mali( a noted russian ally), millions of millions of military emails might be exposed to the world.

 

Quotes

Quote

Despite repeated warnings over a decade, a steady flow of email traffic continues to the .ML domain, the country identifier for Mali, as a result of people mistyping .MIL, the suffix to all US military email addresses.

Quote

Much of the email flow is spam, and none is marked as classified. But some messages contain highly sensitive data on serving US military personnel, contractors, and their families.

Their contents include X-rays and medical data, identity document information, crew lists for ships, staff lists at bases, maps of installations, photos of bases, naval inspection reports, contracts, criminal complaints against personnel, internal investigations into bullying, official travel itineraries, bookings, and tax and financial records.

Quote

“The Department of Defense (DoD) is aware of this issue and takes all unauthorized disclosures of Controlled National Security Information or Controlled Unclassified Information seriously,” Tim Gorman, a spokesperson for the Office of the Secretary of Defense

Quote

Control of the .ML domain will revert on Monday from Zuurbier to Mali’s government, which is closely allied with Russia. When Zuurbier’s 10-year management contract expires, Malian authorities will be able to gather the misdirected emails.

My thoughts

This is just hilarious to me, and it is an example of how tech illiteracy and typos can put people at risk.

 

Also inb4 the next watergate is caused because politicians set up a spoofed whitehouse.gv to capture emails /s

Spoiler

also, if a .milf top level domain existed, then I am pretty sure, that some adult website's web admins would've been confused why they were getting confidential military secrets

Sources
https://www.ft.com/content/ab62af67-ed2a-42d0-87eb-c762ac163cf0 -> Article from FT, highly recommended, goes into great detail

https://arstechnica.com/information-technology/2023/07/typo-leaks-millions-of-us-military-emails-to-mali-web-operator/

https://www.theverge.com/2023/7/17/23797379/mali-ml-typo-us-military-emails-leak

[Levent]

I laughed my ass off when I first heard about this too. It’s not that hard to block these too.

[saintlouisbagels]

Obviously the US military is strapped for cash and needs more money to afford a decent cybersecurity team and training program.

[Crunchy Dragon]

 

[TrigrH]

Maybe the US big brained this and all the emails sent were fake intel? 

[Just A Name]

Another point to prove that the US education system is failing /s

[WolframaticAlpha]

On 7/20/2023 at 6:06 AM, TrigrH said:

Maybe the US big brained this and all the emails sent were fake intel? 

But someone sent the plan about planting fake intel to Supersecretfalseintelplan@cia.ml instead of cia.mil

[CarlBar]

Saw an article on this a bit ago, from what i recall the mistype was in an automatic distributing system that was forwarding various widely circulated e-mails to people but had .ml instead of .mil. Also all the highly classified info moves through an independent network so a mistype like this won't actually result in it leaving the network.

[suicidalfranco]

The incompetence within the public administration of any government in the world never cease to amaze me.

[TetraSky]

I'm not sure how millions of email went to the wrong place.

Unless I'm mistaken because I never hosted my own private email domain... Just because you're sending emails to one domain, doesn't mean they receive them, no?

As in, if I send an email to WolframaticAlpha@US.ml instead of WolframaticAlpha@US.mil, there would need to be someone with that name registered on that domain to receive the email in the first place. Otherwise it'd just bounce and you'd get an email back saying it wasn't delivered isn't it?

[CarlBar]

2 hours ago, TetraSky said:

I'm not sure how millions of email went to the wrong place.

Unless I'm mistaken because I never hosted my own private email domain... Just because you're sending emails to one domain, doesn't mean they receive them, no?

As in, if I send an email to WolframaticAlpha@US.ml instead of WolframaticAlpha@US.mil, there would need to be someone with that name registered on that domain to receive the email in the first place. Otherwise it'd just bounce and you'd get an email back saying it wasn't delivered isn't it?

 

As i said my understanding is it was an automatic forwarding system that had the typo so if someone wasn't checking the error logs or the logging system was obtuse and hard to understand i could see it slipping under the radar. I also assume when you send an e-mail to an address that doesn't exist in another domain it's the other domain that spits back the error. I assume that means theres nothing stopping the Mali government setting things up such that the domain takes, (and acknowledges as valid), and stores any e-mails that don't have a proper receiving address.

[HenrySalayne]

On 7/23/2023 at 2:13 AM, TetraSky said:

Unless I'm mistaken because I never hosted my own private email domain... Just because you're sending emails to one domain, doesn't mean they receive them, no?

As in, if I send an email to WolframaticAlpha@US.ml instead of WolframaticAlpha@US.mil, there would need to be someone with that name registered on that domain to receive the email in the first place. Otherwise it'd just bounce and you'd get an email back saying it wasn't delivered isn't it?

The e-mail address does not link to the inbox directly, but to the domain. Any e-mail which is send to the same domain (e. g. @us.ml) will arrive there. Then it's up to the server to decide what to do with the e-mail. Generally the mail is put into the inbox of the account matching the e-mail prefix, but literally anything can be done with it. The server has the mail and it's contents no matter what.

 

[ballfun]

Not sure if this is actually directly related but .ml is now straight up went offline without warning