On April 23rd, an unauthorized party gained access to our customer account at our domain registrar.

A domain registrar is a company that is responsible for controlling which website actually gets displayed when you enter an address (such as www.hushmail.com) in your web browser. Therefore, by breaching security at our domain registrar, the unauthorized party was able to control which website would be displayed when users entered the address www.hushmail.com.

The unauthorized party altered the domain settings so that users entering www.hushmail.com in their web browser were no longer directed to our real website. Instead, users were redirected to a different website at a different location. Soon that website was shut down, and users simply received an error page.

We are following up with our domain registrar to determine how the unauthorized party was able to gain access to their system.

There was no unauthorized access to any of the Hush servers. Data managed by Hush was not compromised. During this period, email sent to hushmail.com may not have been delivered.

Please accept our sincerest apologies for the inconvenience this has caused. We take this incident very seriously, and will continue to update this page as more information becomes available.

Note on Non-secure and Secure Web Pages

Non-secure web pages are accessed by addresses that start with “http://”. The content is not encrypted, and the page source is not verified. The lock icon in your status bar will not be displayed.

Secure web pages are accessed by addresses that start with “https://”. The content is encrypted, and the page source is verified. The lock icon in your status bar will show a closed lock.

If a domain registrar directs you to the wrong website for a secure web page, the verification will fail, and your browser will display errors.

Although the front page and text content of www.hushmail.com can be accessed by either a secure or non-secure web page, sensitive pages such as the pages where you enter your passphrase, access your email, or supply credit card information are always served as secure web pages.

To guard against the danger of domain redirection, always be sure that when you enter your passphrase you are on a secure web page with the lock on your browser closed, and that the address in your address bar says “hushmail.com”. If your browser displays any error messages about the “certificate” that verifies the website, do not continue.

To ensure maximum safety, use secure web pages whenever possible. If you are just browsing the Hushmail website, you can access the secure page at https://www.hushmail.com instead of the page at http://www.hushmail.com.