BleepingComputer reports that Shadowserver identified nearly 3.3 million internet-exposed IMAP and POP3 email servers as vulnerable to network sniffing attacks because they lack TLS encryption, which leaks usernames and passwords.
"This means that passwords used for mail access may be intercepted by a network sniffer. Additionally, service exposure may enable password guessing attacks against the server," said Shadowserver, which urged operators of at-risk IMAP/POP3 email servers to not only activate TLS but also consider VPN usage. The discovery comes four years after the National Security Agency urged the immediate replacement of archaic TLS protocol versions, which itself came months after Google, Microsoft, Apple, and Mozilla had moved to implement the latest TLS 1.3 protocol. "Obsolete configurations provide adversaries access to sensitive operational traffic using a variety of techniques, such as passive decryption and modification of traffic through man-in-the-middle attacks. Attackers can exploit outdated transport layer security (TLS) protocol configurations to gain access to sensitive data with very few skills required," said the NSA.
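One way an operator could audit their own servers for the condition described above, as an added example that is not part of the original report or Shadowserver's tooling: it classifies what a plaintext IMAP or POP3 port advertises before login. The function names, category labels and sample responses are constructed; it assumes the standard upgrade commands (STARTTLS for IMAP, STLS for POP3) and the capability formats of RFC 3501 and RFC 2449.

```python
import re

def imap_caps(response):
    """Capability atoms from an IMAP greeting or CAPABILITY response (RFC 3501)."""
    caps = set()
    for line in response.splitlines():
        # Untagged "* CAPABILITY ..." line, or a "[CAPABILITY ...]" response code.
        m = re.search(r"(?:^\* |\[)CAPABILITY ([^\]]*)", line, re.I)
        if m:
            caps.update(m.group(1).upper().split())
    return caps

def pop3_caps(response):
    """Capability keywords from a POP3 CAPA response (RFC 2449)."""
    lines = response.splitlines()
    if not lines or not lines[0].upper().startswith("+OK"):
        return set()  # -ERR: CAPA unsupported, so STLS is not offered either
    caps = set()
    for line in lines[1:]:
        words = line.upper().split()
        if words == ["."]:
            break  # end of the multi-line response
        if words:
            caps.add(words[0])
            if words[0] == "SASL":  # normalise mechanisms to IMAP's AUTH= form
                caps.update("AUTH=" + mech for mech in words[1:])
    return caps

def classify(protocol, response):
    """Return 'no-tls', 'tls-optional' or 'tls-before-login' for a plaintext port."""
    caps = imap_caps(response) if protocol == "imap" else pop3_caps(response)
    if ("STARTTLS" if protocol == "imap" else "STLS") not in caps:
        return "no-tls"  # credentials can only travel in the clear
    # IMAP LOGIN is allowed unless LOGINDISABLED is advertised; POP3 lists USER.
    cleartext = ("LOGINDISABLED" not in caps) if protocol == "imap" else ("USER" in caps)
    cleartext = cleartext or bool(caps & {"AUTH=PLAIN", "AUTH=LOGIN"})
    return "tls-optional" if cleartext else "tls-before-login"

# Constructed sample responses (not taken from the report).
SAMPLES = [
    ("imap", "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN IDLE] ready\r\n"),
    ("imap", "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN\r\na1 OK done\r\n"),
    ("imap", "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\na1 OK done\r\n"),
    ("pop3", "+OK list follows\r\nUSER\r\nSASL PLAIN LOGIN\r\nUIDL\r\n.\r\n"),
    ("pop3", "+OK list follows\r\nSTLS\r\nUIDL\r\n.\r\n"),
]

if __name__ == "__main__":
    for proto, resp in SAMPLES:
        print(proto, classify(proto, resp))
```

The result reflects only what the server advertises, so a "tls-optional" host still accepts passwords from clients that never upgrade. Implicit-TLS listeners on ports 993 and 995 are outside what this check covers.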