Mailbox.org has several security issues and should be considered for removal as it is advertised to be a secure mailbox solution.
Issues:
Mailbox announced that the user now has the option to deactivate the password reset (and 2FA reset) via IMAP. However, the default setting is that a reset via IMAP is enabled and will reset the password and 2FA. According to Support, it will stay that way.
Far behind competitors regarding features
They don't have any security notification or dashboard where you can see sessions, failed logins, or recent actions like password changes. No notification when 2FA was activated, when the password was changed, when an IMAP password has been created, etc., unlike Tuta, Fastmail, Proton, etc.
No OAuth or YubiKey support for 2FA
No recovery codes possible for 2FA TOTP
No SPAM/Rejection-Log
Increase of vulnerabilities and minimal response provided by Mailbox team
No roadmap or timeline to implement anti-spoofing for custom domains
A recovery email is not required even when a verification email is. See this post on PG which also links to Proton official documentation for more info.
“Note that if you enter your email or mobile phone number, we only save a cryptographic hash of this personal data. It’s impossible to derive your phone number or email from that hash, and it’s not permanently associated with the account that you create.”