LONDON -- A small spelling error has resulted in thousands of emails intended for the U.S. military being sent instead to Mali, an issue that Pentagon officials said they've taken steps to mitigate.
The suffix used for U.S. military emails is .mil, but leaving the "i" out by mistake would result in the email being redirected to .ml -- the domain used by government of the West African nation Mali.
"Since 2015, the Department of Defense has been aware that typographical errors could result in the misdirection of unclassified emails intended for a '.mil' recipient to the '.ml' domain," Lt. Commander Tim Gorman, a U.S. Department of Defense spokesperson, told ABC News.
The Pentagon building is seen in Arlington, Virginia, U.S. October 8, 2020.
Erin Scott/Reuters
Some of the emails sent to Mali reportedly reportedly contained sensitive Pentagon information such as diplomatic documents, passwords and the travel itinerary of top defense officers.
U.S. officials are "aware of these unauthorized disclosures of controlled national security information," Sabrina Singh, a Pentagon spokesperson, said on Monday.
Speaking to the Financial Times, Johannes Zuurbier, a Dutch internet entrepreneur who has a contract to manage Mali's county domain, said he identified the problem almost a decade ago. Zuurbier, who said has been collecting misdirected emails since January in effort to flag the issue to U.S. authorities, said he has close to 117,000 misdirected messages.
In one day, Zuurbier receiving 1,000 misdirected emails arrived as a result of the typo, he told the newspaper.
None of the redirected emails were marked as "classified," however some are reported to have contained "highly sensitive" data including information on serving U.S. military personnel, official itineraries, contracts, maps and images of bases, he said.
The Pentagon said it's taken steps to stop outgoing emails from being sent to the incorrect domain.
"The Department takes all disclosures of Controlled National Security Information or Controlled Unclassified Information seriously and the Defense Information Systems Agency (DISA) began blocking .ml lookalike domains immediately," Gorman said.
He added, "By 2023, the Defense Information Systems Agency (DISA) was blocking outbound emails to 135 .ml domains and subdomains. In July 2023, DISA began blocking outbound email to the entire .ml domain with the ability to allow legitimate emails."
The Department of Defense says it is coordinating with interagency, industry partners and international allies to alert them to the possibility of unauthorized disclosure of information due to the typographical error.
Mali's government did not respond to ABC News' request for comment.