UPDATED 17:19 EST / JULY 17 2023

SECURITY

Report: ‘Millions’ of US military emails accidentally sent to Mali

Millions of U.S. military emails were accidentally sent to addresses ending with Mali’s domain name, the Financial Times reported today.

Email addresses and websites affiliated with the U.S. military use the domain name .mil. Email accounts in Mali, meanwhile, end with .ml. Over the course of several years, some users who intended to send messages to .mil addresses accidentally typed in .ml instead.

Dutch entrepreneur Johannes Zuurbier was hired to manage Mali’s domain name in 2013. He told the Financial Times that “millions” of messages relating to the U.S. military were accidentally sent to .ml email addresses over the years. According to today’s report, Zuurbier claims that 117,000 misdirected emails have arrived since the beginning of 2023 alone.

Some of the messages reportedly contained personal data such as medical information, identity documents and tax records. Other emails included details about military bases and ship crews. One message reportedly contained information about a visit to Indonesia by General James McConville, the U.S. Army’s chief of staff.

Some of the emails accidentally sent to .ml addresses were reportedly penned by members of the military and the intelligence community. Others were sent by private contractors, travel agents who work with the U.S. Defense Department and various other parties. According to Zuurbier, the misdirected email trove also included messages that originated from the Australian Department of Defence.

Citing current and former U.S. officials, the BBC reported today that military emails marked “classified” and “top secret” are transmitted through separate systems. Those systems provide a higher level of security. However, the leak of personal records such as those reportedly included in some of the misdirected emails can potentially still pose a cybersecurity risk.

At one point, Zuurbier is said to have set up a system to catch the misdirected messages. However, the system was reportedly “rapidly overwhelmed” because of the large volume of emails with misspelled recipient addresses.

Zuurbier was hired to manage the .ml domain name in 2013 with a 10-year contract. That contract was set to expire today, according to the Financial Times. The BBC reported that control of the domain was set to revert to Mali, a Russian ally.

“The Department of Defense is aware of this issue and takes all unauthorized disclosures of Controlled National Security Information or Controlled Unclassified Information seriously,” a spokesperson for the Office of the Secretary of Defense told The Verge in a statement.

The statement elaborated that emails sent from a U.S. military email account to a Mali address are blocked before they leave. The sender is “notified that they must validate the email addresses of the intended recipients,” the spokesperson said.

According to The Verge, that mechanism doesn’t necessarily stop parties such as private contractors from accidentally sending messages to .ml addresses. However, the Defense Department stated that it “continues to provide direction and training to DoD personnel” to avoid potential cybersecurity issues. 
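The kind of outbound check the statement describes, generalized from the .ml/.mil pair to any recipient domain one edit away from a trusted domain, is sketched below as an added Python example; it is not the Defense Department's code or anything from the reports. The trusted-domain list and all function names are assumptions made for illustration.

```python
# Outbound recipient gate: hold mail addressed to a near-miss of a trusted domain.
# TRUSTED_DOMAINS is a constructed sample list (assumption), not a real policy.
TRUSTED_DOMAINS = {"army.mil", "navy.mil", "mail.mil"}


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_recipient(address, trusted=TRUSTED_DOMAINS):
    """Return (verdict, suggestion); verdict is 'allow', 'hold' or 'reject'."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.lower().rstrip(".")  # DNS names are case-insensitive
    if not sep or not local or not domain:
        return ("reject", None)          # not a usable address
    if domain in trusted:
        return ("allow", None)
    # One edit away from a trusted domain (e.g. a dropped "i" in .mil):
    # hold the message and hand the sender the probable intended address.
    for good in sorted(trusted):
        if edit_distance(domain, good) == 1:
            return ("hold", f"{local}@{good}")
    return ("allow", None)               # unrelated external domain


def screen_message(recipients):
    """A message may leave only if no recipient is held or rejected."""
    blocked = {}
    for rcpt in recipients:
        verdict = check_recipient(rcpt)
        if verdict[0] != "allow":
            blocked[rcpt] = verdict
    return (not blocked, blocked)


if __name__ == "__main__":
    # Constructed sample recipients.
    print(screen_message(["a@army.mil", "b@mail.ml", "c@example.org"]))
```

A gate like this only protects mail that passes through it, which is the gap The Verge points to for contractors and other outside senders.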

Photo: gregwest98/Flickr
