Millions of US military emails, some containing highly sensitive information, have reportedly been routed to Mali because of a single typo in the recipient’s email domain. Senders mistakenly typed “.ML”, Mali’s country domain, instead of the intended “.MIL”, exposing data such as diplomatic documents, tax returns, passwords, and travel details of high-ranking officers. The misdirected emails have been landing with a contractor responsible for managing Mali’s country domain. However, control of the .ML domain will soon be transferred to Mali’s government, which has ties to Russia.
Johannes Zuurbier, a Dutch contractor overseeing Mali’s country domain, discovered the “typo leak.” He claims to have made multiple attempts to alert the United States about the issue since 2014, emphasizing the need for urgent action. Unfortunately, his warnings have gone unanswered. With his contract nearing expiration and the domain about to be handed over to the Malian government, Zuurbier began collecting the misrouted emails this year as a final effort to persuade the US to address the situation. In an early July letter addressed to the US, Zuurbier highlighted the genuine risk posed by this incident. He has accumulated approximately 117,000 emails, with nearly 1,000 additional emails arriving on a single day last Wednesday.
While none of the messages were marked as classified, they still contain sensitive information concerning US military personnel, contractors, and their families. The exposed data includes travel plans, such as US Army Chief of Staff General James McConville’s trip to Indonesia in May. Additionally, the compromised information encompasses maps of installations, base photographs, identity documents (including passport numbers), crew lists of ships, tax records, financial documents, medical data, naval inspection reports, contracts, criminal complaints against personnel, internal bullying investigations, and bookings. Among the exposed content is also a Turkish diplomatic letter to the US, warning about potential activities by the Kurdistan Workers’ Party (PKK), which was included in an email from an FBI agent.
Former NSA head and retired four-star US Navy Admiral Mike Rogers emphasized that sustained access to such information, even if unclassified, can be used to generate intelligence. Rogers acknowledged that mistakes happen but highlighted the scale, duration, and sensitivity of the information involved in this incident.
Lieutenant Commander Tim Gorman, speaking on behalf of the Pentagon, acknowledged the issue and stressed that the Department of Defense takes unauthorized disclosures of controlled national security information seriously. Gorman stated that emails sent from the .MIL domain to .ML addresses are blocked before leaving the .mil domain, and the senders are notified to validate the email addresses of the intended recipients. This suggests that the misdirected emails may have originated from personal accounts of US military personnel.