Hack 1-29-26 - How can I help!
Problem reported by Marc Frega - 1/29/2026 at 8:22 PM
I appreciate your products. I really want to see Smartertools survive!

Did this breach effect the current build of smartertools customers?

Ben Rowland Replied
I was running an older build and was affected. Upgrade immediately, and check your servers for evidence of tampering. I found .aspx files added and .json settings files modified.
Tim Uzzanti Replied
Employee Post
We appreciate that, and we feel the same way about our customers. We are working around the clock to address issues within our own environment as well as any challenges our customers may be facing. Unfortunately, there are a lot of bad actors out there, and situations like this can feel overwhelming at times.  

If you are running the latest version of SmarterMail, your system is well protected. We were planning to release another Build today (now hopefully tomorrow) that includes additional improvements that have been reported over the last few weeks. These are not major items, but we're extremely focused on the smallest of things at the moment.

The breach itself is unrelated to our products and was simply another attempted ransomware attack.

Out of an abundance of caution, once we identified the issue early this morning, we shut down nearly everything across our networks and disconnected all internet access so we could immediately contain and mitigate the situation. This was the best course of action; had we not acted as quickly and decisively, the impact could have been significantly greater.

Hosted customers using SmarterTrack were the most affected. This was not due to any issue within SmarterTrack itself, but rather because that environment was more easily accessible than others once they breached our network.

Fortunately, we are now primarily a Linux-based company, and this incident largely targeted Windows-based systems, which are generally easier to compromise. We took this opportunity to further reduce our reliance on Windows while addressing and remediating the issues today.

We will provide additional information once things stabilize and we are able to respond to the many customers who have reached out while we were focused on containment and recovery.

Tim Uzzanti CEO SmarterTools Inc. www.smartertools.com
terry fairbrother Replied
Thank you for your openness and transparency.
Sabatino Replied
I'm a bit paranoid about these, but having tickets with active RSAA, I changed the passwords assigned to SM both for their administrative webmail and for RDP access. You never know. That said, I've been quiet these days, but I really think it's absolutely wrong to point the finger at SM. There is no secure software, whether for large or small organizations. I'm still burned by a bad intrusion due to a bug on the MS SQL Server many years ago. I have learned over time that you always have to be ready for the worst, but it is certainly not the fault of the supplier on duty. I think SM is doing a great job, but we are talking about a very widespread service that is exposed to the public. The fact that there are few times, if not the first one to be discussed, shows the great work done by SM. Instead, I am amazed at the lack of attention of some administrators, ready to attack SM, but then to discover that they had no restrictions on the admin, IP, or 2FA. Forgive me, but I find it absurd. I had the pass reset in the very first days of this story, but checking the logs at hand, besides resetting it, they couldn't do anything else, because there were IP and 2FA restrictions. They tell me I'm being excessive, but I want to be as safe as possible. In addition to network security, trying to respect what Zero Trust Architecture is as much as possible, the rest are backups.
1) Once a day vm backup (same farm on the hypervisor)
2) Every 6 hours, all data via Acronis with 7-day retention and immutable at 14 days (in a different provider both administratively and geographically)
3) Every day, the entire VM via Acronis with 14-day retention and immutable at 14 days (in a provider that is both administratively and geographically different from the one in point 2)
4) Data backup every day via Ahsay Backup with 30-day retention (through a different provider than points 2 and 3 and repositories in 2 distinct European areas) 

All backups are obviously encrypted and access to the respective consoles is protected by 2FA.

After the story of the OVH fire, I don't trust anyone. (I wasn't in that farm, but those who didn't have secondary backups are still crying) 

Call me crazy, but I want to be as calm as possible.

This backup policy allows me to recover the entire status of a customer's mailbox in 6-hour increments (obviously, such a request requires a fee).

I've often tried to encourage SM to include a Shadow Copy-related feature that would allow users to independently see what their mailbox looked like on a specific date (a sort of time machine). That would be fantastic... but now I digress.
I wish everyone success in overcoming this difficult time.

Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
Sébastien Riccio Replied
Did the same for RSAA, removed the accounts we gave ST for RSAA and also removed their IP from the allowed RDP access list as a precaution.

I'm reassured the breach was detected quickly and that actions were immediately taken. Good job :)
Sébastien Riccio System & Network Admin https://swisscenter.com
Tim Uzzanti Replied
Employee Post

Always a good idea to exercise an abundance of caution. Removing information related to RSAs is a wise step.


Regarding your data at SmarterTools, our website, billing systems, account management, and other critical services are on an isolated network at a third location and were not compromised.


The abundance of caution you mentioned is something we practice as well. Things could have been very different if we didn’t do this.

Tim Uzzanti CEO SmarterTools Inc. www.smartertools.com
J. LaDow Replied
In 99% of ransomware attacks, after entry and reconnaissance, data exfiltration is the very next step, then encryption begins.  This is because encryption alone is usually not enough to force someone's hand - but leaking the data - that's where the money is at these days with the groups.

We track activities on multiple scraper sites only because we look for signs of point of entry. These groups have massive (combined) egos that usually reveal their tactics. That and the research the security firms against the groups also helps.

Any time we encounter one of these incidents, the number one recommendation we have is to change your network layout. If you're rebuilding from backups, change your configurations - because they will have copies of what you had - they'll know how they got in once - and will do absolutely everything to maintain persistence.

I wouldn't wish this nightmare on anyone - but the above is something to consider once it's happened.

I recommend also that administrators check out Hudson Rock and their info-stealer tracking databases. You would be REALLY shocked at how exposed some companies are.

MailEnable survivor / convert --
Robert Biou Replied
Three days ago, on the 27th of this month, my Windows SmarterMail server was hacked.

The hacker managed to:

- create an administrator user with the name default
- open port 18888 in the firewall
- create a service with the FastUserSwitchingCompatibility32ud.dll and hlp32ud.dll files

Luckily, I was doing a log analysis on the server at the moment the hacker was connected and saw him logged in (he had been logged in for less than 10 minutes).

So I revoked the hacker's access and mitigated the intrusion.

Is my SmarterMail version earlier than 9518?
Yes.

Am I on the previous version because I want to be?
No.

I am a long-time SmarterMail customer and the renewal policy has changed, making it impossible for me to upgrade.

When I purchased Smartermail, the price was:

$899.00 - Smartermail Enterprise Unlimited Domains and Users
$584.35 - Upgrade to a new version.

To renew today, the price is 80% of a new installation ($1,760) and I still have to pay over $900 annually.

In short, when I bought it, the pricing policy was one thing, and it has become another. This new policy is unfeasible for me.

Today, my Smartermail installation and hundreds of others that appear in Google searches are on a version prior to 9518, which probably falls into the same situation as mine.

So what I have is an email service that has become a backdoor, a real burden.

What I see is that SmarterTools doesn't think about its customers. In addition to this mercenary pricing policy change, they remained silent for more than 3 months about a discovered CVE, a silent update changelog, leaving their customers vulnerable.


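A defender's triage check for the indicators Robert Biou lists above (the "default" administrator account, the port 18888 firewall opening, the service referencing the two named DLLs) and for the added .aspx / modified .json files Ben Rowland mentions earlier in the thread. This is an added example for this page, not code from the thread or from SmarterTools; the SmarterMail install path and the 14-day look-back window are assumptions to adjust for your server.

```powershell
# Added example, not from the thread or SmarterTools. Run in an elevated PowerShell on the
# mail host. Only reports indicators named in the thread; a clean result is not proof of a clean host.
$SmarterMailRoot = 'C:\Program Files (x86)\SmarterTools\SmarterMail'   # assumption: adjust to your install
$Since           = (Get-Date).AddDays(-14)                              # assumption: look-back window
$SuspectDlls     = @('FastUserSwitchingCompatibility32ud.dll', 'hlp32ud.dll')
$findings        = @()

# 1. A local administrator literally named "default" (reported by Robert Biou)
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
foreach ($m in $admins) {
    if ($m.Name -match '\\default$') { $findings += "Administrators group member: $($m.Name)" }
}

# 2. An enabled inbound firewall rule that opens port 18888 (exact port only; ranges are not parsed)
Get-NetFirewallRule -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
        if ($ports -contains '18888') {
            $findings += "Firewall rule '$($_.DisplayName)' allows inbound port 18888"
        }
    }

# 3. Services whose binary path references the reported DLL names
Get-CimInstance Win32_Service | ForEach-Object {
    foreach ($dll in $SuspectDlls) {
        if ($_.PathName -and $_.PathName -like "*$dll*") {
            $findings += "Service '$($_.Name)' references $dll ($($_.PathName))"
        }
    }
}

# 3b. The same DLL names present on disk (assumption: System32 is where a service DLL would be dropped)
foreach ($dll in $SuspectDlls) {
    Get-ChildItem -Path "$env:SystemRoot\System32" -Filter $dll -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "File on disk: $($_.FullName)" }
}

# 4. Recently created .aspx files and recently modified .json settings under the install root
#    (Ben Rowland's observation); compare the list against a known-good backup before acting.
if (Test-Path $SmarterMailRoot) {
    Get-ChildItem -Path $SmarterMailRoot -Recurse -File -Include *.aspx, *.json -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
        ForEach-Object { $findings += "Recently changed file: $($_.FullName) (written $($_.LastWriteTime))" }
} else {
    Write-Warning "Install root '$SmarterMailRoot' not found; set `$SmarterMailRoot to your SmarterMail path."
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the thread-reported indicators were found.'
} else {
    Write-Warning "Indicators found: $($findings.Count). Preserve logs before remediating."
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

If anything is reported, export the firewall rules, service list and file hashes before changing them so the evidence survives the clean-up and upgrade.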
Tim Uzzanti Replied
Employee Post
All good suggestions!

Our infrastructure does not look like it did prior and the systems they infiltrated the most no longer exist.

If you survive these events, they can be great learning experiences. We can try and prevent for the unknowns, but when you see a talented hacker group like this in action, you have a lot more info to shape things moving forward.
Tim Uzzanti CEO SmarterTools Inc. www.smartertools.com
Ben Rowland Replied
My license had also lapsed, and for the same reason. I am also a long-time customer, but I didn't renew my license this summer due to the cost. I did renew it yesterday out of sheer urgency to get back online.

My email system has far fewer clients today than a decade ago, and it's becoming increasingly costly. Even when I switched to Linux, I found I had to increase the computing resources to get acceptable webmail performance, so our hosting costs + licensing costs are rising. I want to pay for the hard work and excellent product put out by SmarterTools, but it's a challenge.

I also want to note that while I saw the update email put out, the risk level and severity didn't resonate with me. I wish that ST had created outbound tickets for all customers - not just those with active licenses - and pushed this critical information to them. Hindsight is 20/20, of course.
John Quest Replied
By policy, neither I nor the company I work for allow third party vendors unattended remote access to our internal infrastructure, including servers. Meaning, it must be done via a "web meeting" in which I observe. The only 2 exceptions are for third party provided virtual machines (which are not configured with any sort of AD connection) or for the service provider that supports our phone system. (But our entire phone system is in a separate firewall zone and has no AD connection to our LAN.)
J. LaDow Replied
We too have been price-shocked over time, but we go back to the math involved if we were to move off of hosting our own services and only offering "resold" services from other providers. 

In the end, our observation is that if your SmarterMail installation license is close to the number of registered accounts on that particular server, we have found the cost per user still to be significantly lower than the alternative. Other software will be cheaper, but it also has less features, worse performance, or no future path.

I'm not a fan of it either - but IT in general has moved from a "buy it and own it" to a "subscription model" for almost everything in this "extraction economy".  Software development companies have had to adapt to this model and there is no end in sight if we want continued development and enhancements.

As to the notifications - yes, we agree the initial notifications were insufficient. This has changed - and SmarterTools has become much more communicative - including pre-emptive notifications for both 9511 and 9518.
MailEnable survivor / convert --
John Quest Replied
I'm not a fan of it either - but IT in general has moved from a "buy it and own it" to a "subscription model" for almost everything in this "extraction economy".  Software development companies have had to adapt to this model and there is no end in sight if we want continued development and enhancements.

Just to be clear, SmarterMail is not sold by a subscription model. It is a perpetual license. AND, like any perpetual license, maintenance/support/updates/upgrades most times require a maintenance/support contract.


J. LaDow Replied
Let's be realistic. By all definitions and common terms, the maintenance/support/updates/upgrades agreement is a subscription. That's what I meant.
MailEnable survivor / convert --
John Quest Replied
Let's be realistic. By all definitions and common terms, the maintenance/support/updates/upgrades agreement is a subscription. That's what I meant.

No, it is not, in the definition of what a software subscription means.

A subscription software license means that when the term expires, you can no longer use the software. 

SmarterMail license is perpetual. If you choose not to purchase/renew maintenance/support, you can still use Smartermail. 
J. LaDow Replied
Fair enough --

Regardless of the definition at this point, it is agreed that if you're licensed, you can run it - AT YOUR OWN RISK. Yes, the license is perpetual - but if the software is vulnerable, the license is useless unless you can find a version that isn't vulnerable and at this point, that's a non-starter.

Additionally, whether it's a "subscription" or "maintenance agreement" the cost per user is the only place you will see a calculation that validates whether or not a company should be self-hosting or reselling services.
MailEnable survivor / convert --
Ben Rowland Replied
I am happy to pay it and want to pay it and support SmarterTools - it's just getting expensive.

When something is critical, I shouldn't have to pay to prevent my server from being hacked. They should separate security updates from functionality releases. I will pay to get more functionality if the features are compelling enough (I'll also pay if I need support). I want security to be free even after my license has expired.
Sabatino Replied
I'm perplexed by this discussion.
We're talking about a mail server, which is among the most exposed services.
But you buy an NGFW firewall and then don't renew your signature subscription.

Then the issue of price increases is another story, but it's still a product that costs much less compared to other services. If I were to migrate my users to Google or Microsoft or whoever else, the costs would be much, much higher.

A lot has changed in recent years.
In Italy/Europe, but I think across the world, we're constantly subjected to new legal obligations (privacy, NIS 2 (cyber security)) that increase operating costs, as well as the threat of hackers... we're at war... and here too, operating costs are rising.
VMWARE is raising prices, Microsoft is raising prices every six months, it's a war. This forces us to review expenses, but also to increase our price lists to end customers. I imagine this is also happening to SM.

In this context, how can I say SM is making a mistake? We need to be honest and realistic about the world today.
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
John Quest Replied
When something is critical, I shouldn't have to pay to prevent my server from being hacked. They should separate security updates from functionality releases. I will pay to get more functionality if the features are compelling enough (I'll also pay if I need support). I want security to be free even after my license has expired.

That is a non-practical and impossible to fulfil thought process.

As software, and hardware, progress in technology, we cannot expect a company to go backwards and, say, fix a security problem in a software version that is 20 versions old. That would require maintaining an active forking process on each individual version, and is beyond practical.

Sure, some software vendors (albeit less today) would have a multi fork process in place along with major/minor forks, meaning that you can update a software to any minor version for free, but to go to a major version, you have to pay. BUT that requires an entirely different process than what SmarterTools does, and what many software vendors do these days. WHY? Because that is a much costlier process.

Or are you really asking Microsoft to fix vulnerabilities in the XLS file format?
Ben Rowland Replied
That is a non-practical and impossible to fulfil thought process.
Not really. This is pretty common with software. For instance, Microsoft continues to perform security updates in products long after it has stopped adding new features. They refer to this as Long-Term Support (LTS).

BUT that requires an entirely different process than what SmarterTools does, and what many software vendors do these days. WHY? Because that is a much costlier process.
Yes, that's exactly right. The crux of the problem is that it's very hard for companies to maintain lots of versions of their products and then apply (and test) patches to each of them. Not only would that be hard for SmarterTools to do, it would increase the cost of their product, and probably slow down their release schedule (and pace of innovation).

I don't have the solution here. It's not good for the reputation of the SmarterMail product if lots of their free or out-of-license servers get attacked and compromised. It's not good for us if the price of the product soars.

Here is another example that comes to mind: WordPress took the approach of automatically pushing critical updates automatically to their customers. You don't get a choice - they forcibly install it. WordPress struggled for a long time with security vulnerabilities and part of their solution has been pushing patches. Since they have a massive installed base, they are an enticing target.
Richard Laliberte Replied
How about we leave it at: SmarterTools is not a 3 trillion dollar company. If you aren't happy with the amount of work they are putting in, and the cost you are paying, go somewhere else. If you aren't paying for the updates like most are, and are complaining they aren't providing you a patch, please, go somewhere else and stop complaining. SmarterTools, I'm sure, won't miss you since you aren't paying for updates to help support development anyways. Good luck when you find out how much everyone else charges.

Just my thoughts though.
J. LaDow Replied
In all reality, even most open source projects only maintain one or two source trees. A stable branch and a bleeding edge.

Stable is what LTS releases are built from, and bleeding edge is self described. Debian/Linux has unstable, testing, stable - but they're often criticized because their stable channel tends to not feel as "recent" as other distributions. That same concept will receive support from system and network administrators mainly because they're more stable. There's nothing that prevents you from updating components as needed - it's just more work.

Microsoft USED to have much more patch support for older EOL'd products IF the vulnerability was bad enough - but over the last decade they have really tightened the noose - especially around Windows 10. Understand that Windows 11 is still a continuation of the same NT code-base they've been building on for close to half a century now. 50% of vulnerabilities they are patching will exist for Windows 10 installs and even older OSes and the only way to get the patches is to pay when on the EOL software. The older their OS, the more patch programs cost.

To circle back to WordPress - that's a hard comparison to make just on the complexity of the codebase alone - automatic updates can be worse to deal with than manual simply because they can't always account for configuration differences or customizations. Everything breaks.

TL;DR is that every software vendor in this age concentrates on the "current release" of the software - and support for out-of-band releases will always cost money depending on just how far back they'll support it. Adobe products come to mind in this sense. Almost all Apple hardware and software products come to mind in this sense as well.

There would be incentive to have an LTS program at ST, but it's not in the cards based on the rolling release schedule and it's not economically viable without still charging a fee for access to the LTS release channel (which circles back to what all the other vendors in the server space do now).

What I've learned with SmarterMail is to watch the release notes - the fewer things that are changed from one release to the next (barring SECURITY ALERTS), the more stable the version, from what our testing has shown. 9518 (which everyone needs to be on at this point) is also very stable and we have seen no issues other than some new artifacts in the logging that will most likely be cleaned up in future builds.
MailEnable survivor / convert --
John Quest Replied
Here is another example that comes to mind: WordPress took the approach of automatically pushing critical updates automatically to their customers. You don't get a choice - they forcibly install it. WordPress struggled for a long time with security vulnerabilities and part of their solution has been pushing patches. Since they have a massive installed base, they are an enticing target.

Not true. Especially in hosting environments. Unless someone has either manually or programmatically via an API changed the configuration to allow for automatic updates, they will not automatically occur.

Additionally, like J. LaDow stated, allowing WordPress to push automatic updates can break things severely, since there is so much customization and adaptation to WordPress being done in hosting environments.
Bill T Replied

I don't have the solution here. It's not good for the reputation of the SmarterMail product if lots of their free or out-of-license servers get attacked and compromised. It's not good for us if the price of the product soars.
I think there is a difference between a currently supported free version compared to discontinued free versions or out-of-license servers. I do not fault or see a lot of shade thrown at companies for not providing free patches for life for everything they've sold or given away. As long as they have made it clear what is supported and what has been discontinued and what the support policy is for the products sold as perpetual, I think it's totally fair.

Here is another example that comes to mind: WordPress took the approach of automatically pushing critical updates automatically to their customers. You don't get a choice - they forcibly install it. WordPress struggled for a long time with security vulnerabilities and part of their solution has been pushing patches. Since they have a massive installed base, they are an enticing target.
Automatic patches are great but they can be a double-edged sword. If a patch has a bug and bricks thousands of mail servers, a smaller company like SmarterTools would be brought to their knees trying to help everyone. The manual install of patches allows the patches to roll out more gradually and allows sysadmins to verify, roll back, etc. as needed if something breaks. On the other hand, it would be great to get the servers patched before anyone even knows the vulnerability exists. I don't have a great solution to this issue.
SmP Replied
Would love to hear how they were able to initiate access as that could help others secure Windows deployments.