Mailbox.org with severe authentication vulnerability through password reset

The support of mailbox just confirmed that anybody who has access to the IMAP application password or an existing IMAP access can reset the password with a reset link to the inbox that automatically deactivates 2FA.

This means that a strong password and 2FA can be easily bypassed. The attacker would only need the IMAP Password that cannot even be created by the user.

This is shocking for a mail provider that claims to be secure. Even GMX, a non-private mail provider with a mixed reputation, handles this better: when access to IMAP exists, the user would still need the 2FA code to reset the password.

3 Likes

This behaviour cannot be deactivated (also confirmed by support).

Here are the sources (only in German):

2 Likes

As a mailbox.org user for several years this is adding to my rapidly increasing frustration with their service. Thanks for the heads up.

1 Like

Same here. I am curious what the Privacy Guides team says to this. IMHO this is severe enough to remove the service from the recommended providers. I can't think of any other email provider that allows this.

3 Likes

Thankfully they have given a response to this query and have taken appropriate action in a timely manner. Their explanation makes sense from an account recovery perspective (although admittedly it could be improved upon). Good catch on someone reporting this to support and getting their team to a point where they can course correct.

I think the recommendation to remove Mailbox is a bit severe. Their team has worked hard to provide a quality service which balances privacy, security, and usability within reason. Compared to other providers, I would prefer to continue utilizing Mailbox and recommending the software due to the benefits already described in the recommendations section of Privacy Guides.

2 Likes

That's good to hear. Let's see how long it takes for them to implement a solution. Sadly the past shows that they are extremely slow in most cases (e.g. the basic 2FA login that we have now was only rolled out in 2025, the anti-spoofing for custom domains was brought up 9 years ago and 2 years ago they said it's still on their radar, etc.).

I'd say it's not too severe to propose to remove the service. A provider that always and openly claims to be secure should never have such a vulnerability, and we are not even talking about a vulnerability by accident; this was discussed and approved by the mailbox team knowing fully well what they are doing here.

And it's not only that. In the past months there were (imho) too many problems that give the impression that they don't have their security under control.

Just a few examples:

Despite 2FA being activated, the main password was still valid for e.g. CalDAV, despite application passwords being supported. And this was after the beta!

For about 9 hours, emails from a catch-all account were displayed in other mailboxes within the same domain.

IMHO I don't have a good feeling anymore about having my central point of digital communication and the entry point to nearly all my digital accounts at a provider with such security-related problems.

3 Likes

I am curious what else added up to your rapidly increasing frustration.

No it does not. That is not what an app password is for. This is complete bullshit, sorry.
I would argue that when someone has your app password you are fucked anyway, but surely none of this is good. It reminds me of a similar unfixed vulnerability I reported to Soverin.

3 Likes

So I take it the Privacy Guides team is going to remove Mailbox from the recommended software?

Mainly their lack of a clear communication and action on the topic discussed in this thread.

And also (until their recent rollout of a new web interface), the previous web interface was very slow and clunky.

And that a “normal” 2FA took years to implement.

That said, I’m sticking with them, for now. Maybe “rapidly increasing frustration” was an exaggeration. Better would have been “moderately growing annoyance”.

4 Likes

Concur. I do think they have done great work over time. Their suite is one of the snappiest I have used compared to Proton & Tuta. Hopefully they do take this matter seriously and resolve the issue expeditiously (unlike implementation of 2FA). I’m sticking with them for now as well. I would rather not have to do yet another move to a new provider due to new found hot topics.

Hard disagree here. They are far behind other providers regarding features. Just take a look at 2FA: in the year 2025 they managed to get to a level where most other providers have been for 10 years.

But more examples:

  • They don't have an app
  • They don't have a roadmap (they never state any plans or even rough estimates on when a feature will be available), unlike Tuta and Proton
  • They don't offer push on iOS, unlike Fastmail
  • They don't have any security notification or dashboard where you can see sessions, failed logins, recent actions like password changes. No notification when 2FA was activated, when the password was changed, when an IMAP password has been created etc., unlike Tuta, Fastmail, Proton, etc.
  • They don't support OAuth
  • They don't support Yubikeys in the current 2FA implementation
  • They don't offer a spam/rejection log, unlike Posteo and Tuta. Often Mailbox rejects emails (e.g. from GrapheneOS, Xiaomi, Mozilla etc.) independent of your spam filter settings. The problem is you don't know this because you don't get any notification or overview. Tuta and Posteo both offer an overview of mails that have been rejected by their servers and why.
  • There are still providers that simply reject all mailbox email addresses (e.g. Twitch and SoundCloud)
  • The suite may be fast but is still riddled with bugs, e.g. random switching between dark and light mode, missing translations, frequent random logouts (just take a look at the pinned thread in the user forum)
  • No recovery codes possible for 2FA TOTP

Now that trust has been damaged regarding their security, I can't really think of any good reasons to stay at mailbox or go there as a new user.

EDIT: I know this sounds pessimistic, but it's not my goal to discredit mailbox here; I have to be realistic and objective. The email provider is such an important aspect of digital life that you just can't make many compromises, even if you like the company behind it.

2 Likes

Thank you for the clarification. Realistically and objectively this is a list of great points to not have Mailbox on the list of recommended mail services. I know my posts are biased and favored towards the Mailbox team.

I suppose my follow up to add on the conversation is why was it placed in the recommended section the first place?

Looking back, the points raised in the thread indicate that the service has been sub-par for several years and that placing Mailbox as one of three recommended providers is doing the community a disservice. I switched over to Mailbox from Outlook and Proton a couple of years back and didn't know there were this many issues with the product itself. The only reason why I switched to Mailbox and not Tuta was because it was a lesser known, but recommended, service.

1 Like

I’ve also been dissatisfied with Mailbox for the reasons you’ve listed but I’m still on Mailbox because I’m not aware of any other privacy-friendly email provider that:

  • Is reputable / not brand new
  • Supports IMAP in some form
  • Supports CardDAV (or otherwise syncs with phone contacts)
  • Supports custom domains

Tuta, Proton, and Posteo all fail at least one of the above. Mailfence made a topic a few months ago but then disappeared when asked for specifics on their privacy claims. IMAP is the only one I could possibly flex on, but Proton and Tuta don't support CardDAV, so it's a moot point anyway.

I don’t know where to go other than Mailbox. FastMail? Am I missing any decent options here?

1 Like

I don’t think you are missing any other decent options. I just went on the deep dive down what is out there (outside of the typically recommended Protonmail, Tuta, and occasional Posteo).

I don’t think anything other than Mailbox meets your parameters. The ones I have found which have 3/4 are brand new and not really well vetted through the industry. I was going to mention Mailfence until I started digging more in the forums here. Yikes. It is slim pickings it would seem.

CardDAV is such a killer feature. I wish it was available on more mail clients. I am right there with you on willing to give on IMAP, but CardDAV + Custom Domains just doesn’t seem to be a thing out there in the privacy respecting world of email providers. I may put in a request with Tuta to see if they could make it a feature on the roadmap or something.

Until then, I am going to try to get around to posting an issue on Git this week requesting the removal of Mailbox.org from the list of recommended products, given the conversation in this thread.

1 Like

Still not fixed.

Update: mailbox announced that the user now has the option to deactivate the password reset (and 2FA reset) via IMAP. However, the default setting is that a reset via IMAP is enabled and will reset the password and 2FA. According to support, it will stay that way.

Source? As I understand it, they acknowledged the issue and merely plan to rectify it.

I found it! Thanks a lot!

It’s under Security and Privacy > Password reset > Allow a password reset link to be sent to my email address (IMAP).

1 Like