Summary of SmarterTools Breach and SmarterMail CVEs
Problem reported by Derek Curtis - Today at 3:45 PM
As promised, we wanted to provide additional information regarding the network breach we experienced last Thursday (January 29, 2026), along with summaries of our releases and what we have observed both on our servers and when working with SmarterMail customers who have been compromised.

Our Network Breach
Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network. Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach.

We isolate our networks, as is best practice, in the event of a breach. Because of this segmentation, our website, shopping cart, My Account portal, and several other services remained online while we mitigated the issue. None of our business applications or account data were affected or compromised.

As for what was affected, it was the network at our office and at another data center which primarily had various labs where we do much of our QC work, etc. At the data center, we hosted our Portal as well as our Hosted SmarterTrack network, which was connected via Active Directory. We didn’t see much affected there and, out of an abundance of caution, we restored some of those servers from the most recent backup, which was six hours old.

Because we are primarily a Linux company now, only about 12 Windows servers looked to be compromised, and on those servers our virus scanners blocked most efforts. None of the Linux servers were affected.

When we first noticed the breach, we instantly shut off all servers at the two locations and we disabled all internet until we completely evaluated all aspects of the breach and either eliminated servers and/or restored servers to be safe.

As a result of all this, our networks look very different than before. We have eliminated Windows from our networks where we could and we no longer use Active Directory services. Our policy in these scenarios is to replace passwords throughout our network as well.

Another thing to note: SentinelOne did a really good job detecting vulnerabilities and preventing servers from being encrypted. We use multiple virus vendors, but we saw great results with SentinelOne and wanted to throw a shout out to them and encourage customers to take a look. For any virus scanner you do run on a SmarterMail server, please be sure to look at our knowledge base article on exclusions so you do not corrupt any files. Please review here: https://portal.smartertools.com/kb/a3249/virus-scanner-exceptions-for-smartermail.aspx

We hope this helps customers understand the scope of the breach and what steps we took. More info on what we saw, and on what we are seeing on customers’ servers that have been compromised, is included below.

Recent SmarterMail Releases
As mentioned in our previous emails, Build 9518 (January 15, 2026) contains all fixes related to the CVEs that were announced. Build 9526 (January 22, 2026) complements those fixes with additional improvements and resolves lesser issues that have been brought to our attention and/or discovered during our internal security audits.

It remains challenging to ensure all customers keep their installations up to date. Every build we release has significance. Even smaller security updates can help prevent issues such as denial-of-service attacks that might otherwise consume excessive server memory or CPU, etc.

Email remains as critical today as ever, and threats against mail servers are as high as they have ever been. The attacks are constantly evolving and technologies are constantly changing, and SmarterTools must make changes that are not always appreciated or understood. Examples include the deprecation of TLS 1.0/1.1 in favor of TLS 1.2 and above, the enforcement of SPF, DKIM, and DMARC requirements by major email providers, and other evolving standards.

Moving forward, we are continuing to audit all of our products and we will continue working with security companies and independent researchers if/when they find bugs or other issues. We are making continual updates—no matter how small—to ensure our products are as secure and optimized as possible.

As of now, there are no major known security issues with SmarterMail.

In addition, we are making a concerted effort to improve transparency in how we communicate security updates. This situation is unprecedented in our company’s history, and we are learning a great deal from it—with the help of our customers. While we do not anticipate a recurrence, we will approach any future incident even more proactively and effectively than we have.

Malicious Behaviors We Have Seen
As you can imagine, we have been working extensively with customers whose systems were vulnerable to attack. We were compromised by a group known as the Warlock Group, and we have observed similar activity on customer machines.

Once these bad actors gain access, they typically install files and wait approximately 6–7 days before taking further action. This explains why some customers experienced a compromise even after updating—the initial breach occurred prior to the update, but malicious activity was triggered later.

They often attempt to take control of the Active Directory server and create new users. From there, they distribute files across Windows machines and attempt to execute files that encrypt data.

Common folders used:
  • Public folders
  • AppData
  • ProgramData
  • SmarterTools\SmarterMail directories
Common file names and programs observed:
  • Velociraptor
  • JWRapper
  • Remote Access
  • SimpleHelp
  • WinRAR (specifically older, vulnerable versions)
  • Run.exe
  • Run.dll
  • main.exe
  • Short, random filenames such as e0f8rM_0.ps1 or abc...
  • Random .aspx files
Other indicators:
  • Unusual local users or administrators
  • Suspicious startup items
  • Newly created or modified scheduled tasks
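
The following read-only PowerShell triage sweep turns the indicator lists above into concrete checks a SmarterMail administrator can run on a Windows server: recently written executables, scripts and .aspx files in the named folders, the named tool and file names, local administrator membership, recent scheduled-task definitions and startup items. This is an added example, not SmarterTools' code; the 14-day look-back window and the SmarterMail install path are assumptions, and a hit is something to review, not proof of compromise.

```powershell
# Added triage sweep (not SmarterTools' code): read-only checks for the
# indicators listed in the post. Folder and file names come from the post;
# the 14-day window and the SmarterMail install path are assumptions.
$Since = (Get-Date).AddDays(-14)
$SmarterMailRoot = 'C:\Program Files (x86)\SmarterTools\SmarterMail'   # assumed path

# Folders named in the post: Public, AppData (per user profile), ProgramData, SmarterMail
$Folders = @($env:PUBLIC, $env:ProgramData, $SmarterMailRoot) +
    (Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData' })

# File and program names listed in the post (-match is case-insensitive)
$NamePattern = '^Run\.(exe|dll)$|^main\.exe$|velociraptor|jwrapper|simplehelp|winrar'

"== Recently written .exe/.dll/.ps1/.aspx or named tools in suspicious folders =="
foreach ($f in $Folders) {
    if (-not (Test-Path $f)) { continue }
    Get-ChildItem $f -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.LastWriteTime -ge $Since -and
            ($_.Extension -in '.exe', '.dll', '.ps1', '.aspx' -or $_.Name -match $NamePattern)
        } | Select-Object FullName, Length, LastWriteTime
}

"== Local Administrators membership (review for unexpected accounts) =="
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Select-Object Name, PrincipalSource

"== Local users with a recent PasswordLastSet (proxy for newly created accounts) =="
Get-LocalUser | Where-Object { $_.PasswordLastSet -ge $Since } |
    Select-Object Name, Enabled, PasswordLastSet

"== Scheduled task definitions written recently (task XML under System32\Tasks) =="
Get-ChildItem "$env:SystemRoot\System32\Tasks" -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since } |
    Select-Object FullName, LastWriteTime

"== Startup items: Run/RunOnce registry keys and Startup folders =="
'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' | ForEach-Object {
    if (Test-Path $_) { Get-ItemProperty $_ | Select-Object * -ExcludeProperty PS* }
}
Get-ChildItem "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
              "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime
```

Run it from an elevated PowerShell session so the Administrators group, other users' AppData folders and the Tasks directory are readable; pipe the output to Out-File if you want a copy to compare against a known-good baseline.
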
It is also important to note that CVEs are being discovered across many different products. Some groups install legitimate-looking applications on servers and exploit them later. For example, the Warlock Group frequently targets CVEs in SharePoint and Veeam and has now targeted SmarterMail. Recent Notepad++ update vulnerabilities are another example of how trusted applications can be leveraged to further exploit systems, servers, and desktops.

Based on our observations, the Warlock Group primarily targets Windows environments. We are now primarily a Linux-based company and found no Linux servers exposed to compromise.

A Final Word
We hope this provides a fuller summary of what we have seen and what customers can look for in their own environments. We also hope it demonstrates that we are taking every possible step to prevent issues like this from occurring again, and that we are making every effort to consolidate what we’re seeing and share it with our customers.

Finally, we continue to experience elevated support volumes, but response times are improving and are now measured in hours rather than days.
Derek Curtis
CCO
SmarterTools Inc.