Ako Webmail login page.

Ako Webmail login page.

Ako, or “Useful”, is an Israeli webmail service that allows users to send and receive email via the HTTP protocol. Ako was hacked in 2009, but until recently it has been unclear exactly what information was leaked.

The extent of the breach became public on June 18th, when Security researchers from Trustwave released their findings.

Must Read: Ako webmail

The hack against Ako was implemented through a SQL Injection vulnerability on the login page. We do not know exactly how many accounts were compromised as a result of this hack, but according to Trustwave’s SpiderLabs team over 150GB of data was retrieved from the service. The following is an extract from their report: The attackers were able to dump 150GB worth of customer data that included usernames, encrypted passwords, and email content. The bad news is that the encryption algorithm used by Ako was very weak, so all passwords were quickly decrypted.

In their analysis of the attack, Trustwave’s SpiderLabs team found some interesting facts regarding the habits of the compromised user base. Apparently more than half of the users used passwords that were less than 8 characters long, and 12% of them didn’t even have a password. One could say that Ako Webmail was clearly not built with security in mind, although it is relatively hard to blame them for this as they are far from being the only web-based email service that stores their user’s passwords in cleartext. Even so, such a security practice is unacceptable for any organization dealing with sensitive information.

As if this wasn’t enough, it was also revealed that some of the servers breached were hosting Web portals belonging to Israeli banks and financial institutions. Trustwave’s SpiderLabs team has found evidence that some of the stolen data were used in criminal activities such as fraud.