Typo sends millions of US military emails into hands of Russian ally Mali

For years, U.S. military emails have ended up in the hands of a Russian ally. This massive problem was caused by a simple typo.

The domain of U.S. military email accounts is “.mil.” However, it was discovered that millions of emails were mistakenly sent to “.ml” accounts.

“.ml” is the domain of Mali, a West African country that is allied with Russia. Some of the military emails that were sent to the Russian ally’s domain contained sensitive information like passwords, medical records and the itineraries of top officers.

Dutch internet entrepreneur Johannes Zuurbier identified the problem more than 10 years ago. He has had a contract to manage Mali’s “.ml” domain since 2013.

In recent months, Zuurbier has collected thousands of misdirected emails. None of the emails were marked as classified. However, some of them included medical data, maps of U.S. military facilities, financial records, planning documents for official trips, and diplomatic messages.

The entrepreneur sent a letter to U.S. officials earlier in July, warning that his contract was due to finish soon. The Mali government took over the “.ml” domain Monday, July 17.

Also Monday, National Security spokesman John Kirby was asked what the Biden administration was doing to address the issue.

“I would first point you to our colleagues at the Department of Defense. This is really more for them to speak to, but as I understand it, they have now for quite some time, have in place a tool that that stops outbound emails that don’t have the ‘.mil’ at the end from going,” Kirby said. “But when it’s inbound to a ‘.mil’ address without ‘M-I-L’, there’s not a lot that the Pentagon can do to stop that. But they’ve obviously been mindful of this for quite some time and have been, again, working on outbound fixes and working on training for any problems of inbound traffic.”