Up to 300,000 Iranians may have had their Google email monitored using security certificates stolen from Dutch firm DigiNotar.
The figure came from a report into the breach at DigiNotar which let attackers generate hundreds of fake certificates.
The report suggests the certificates were used in Iran to eavesdrop on email accounts.
The list has been passed to Google so it can tell victims they may have come under government scrutiny.
On 30 August, security firm Fox-IT was called in to analyse the sequence of events at DigiNotar that led to the security breach. It published its interim report late on 5 September.
Read more on BBC. Their link to the Fox-IT report was 404, but Cryptome uploaded a copy of the report on Cryptome. The Associated Press also covers the breach.
In related news, F-Secure reports that the hack appears to be the work of an Iranian known as”ComodoHacker.” In a Pastebin post called “Striking Back,” ComodoHacker provides some of his motivation for the attack:
When Dutch government, exchanged 8000 Muslim for 30 Dutch soldiers and Animal Serbian soldiers killed 8000 Muslims in same day, Dutch government have to pay for it, nothing is changed, just 16 years has been passed. Dutch government’s 13 million dollars which paid for DigiNotar will have to go DIRECTLY into trash, it’s what I can do from KMs away! It’s enough for Dutch government for now, to understand that 1 Muslim soldier worth 10000 Dutch government.
The public prosecution department has begun an investigation into events at internet security firm DigiNotar to find out if it should be held responsible for the security breakdown covering hundreds of websites, home affairs minister Piet Hein Donner told reporters on Monday evening.