Millions of US military emails have been mistakenly sent to Mali, a Russian ally, because of a minor typing error.

Emails intended for the US military’s “.mil” domain have, for years, been sent to the west African country which ends with the “.ml” suffix.

Some of the emails reportedly contained sensitive information such as passwords, medical records and the itineraries of top officers.

  • Mic_Check_One_Two@reddthat.com
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 year ago

    That’s what we in the cybersec business call an “oopsie daisy I made a little fucky-wucky”.

    For real though, this isn’t a problem yet. The TL;DR is that Mali has a top-level domain “.ml”. Just like “.co.uk” for the UK. And the military uses the domain “.mil”. So lots of emails accidentally get sent to “[Military email]@[Military email server].ml” instead of sending to .mil.

    So a bad actor could simply set up an e-mail server with .ml domains that mirror the military’s .mil ones, and start collecting all of those mis-addressed emails.

    So why isn’t it an issue yet? Because we had a contract with Mali to manage their domain. They literally signed administrative rights for the .ml domain over. So the US was able to basically set up their own .ml mirrored sites, to capture all of those mis-addressed emails. They have captured thousands throughout the years, because military members keep misaddressing their emails. Supposedly containing all kinds of sensitive data. Everything from medical records to troop movements and equipment inspection reports.

    But that contract ends this week, so Mali could 100% start registering their own domains when that contract expires and domain registrations begin expiring.

        • livus@kbin.social
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Me too. There’s a guy who sometimes fat fingers my email address instead of his own, over the years I’ve had a bunch of his receipts and confirmation emails.

        • tegs_terry@feddit.uk
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          It was a single letter, so I’d say it was a small one, but minor? Given the implication I’d say it’s pretty far from minor. It’s a typo that should’ve been preemptively avoided; all it took was the appropriate amount of caution and foresight. That it wasn’t acknowledged as a problem immediately is astounding, but that it continued to happen for years without knowledge is most definitely unbelievable.

    • Yendor@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      0
      arrow-down
      1
      ·
      1 year ago

      Who are you talking about? The ICAAN? (The Internet Corporation for Assigned Names and Numbers)?