We are sorry to report that on January 8th, 2020, we were notified that the IMAP server in Germany allowed access with incorrect/empty passwords.
Upon further investigation, we found that a configuration error we made allowed anyone with knowledge of the full mailbox name and the IMAP server to gain unauthorized access to mailboxes.
Within an hour of the report we fixed the configuration.
We immediately pulled all of the access logs and searched through them for signs of unauthorized access. For the time frame we searched, we did not find any conclusively suspicious access.
While we didn’t see signs of suspicious access, that does not mean it did not occur. If you would like a list of IP addresses that accessed your mailboxes in the access log time frame we have, we can provide them.
If you received password reset emails in your Opalstack mailbox before January 8th, we suggest that you change those passwords. If you received any other sensitive documents/data in your email before January 8th, we suggest that you check to see if any data have been misused.
We regret that this error made it to the live server configuration, and we have implemented stricter checks of configuration changes across the platform.
The customers affected by this issue have been privately notified prior to this public disclosure.
If you have any questions or concerns regarding this issue, please reach out to our support team and we’ll be happy to assist.
CEO, Opalstack LLC