Someone I knew had emails disappearing in gmail, and at somepoint we were able to see it happening in realtime. Person had a weak password, and gmail showed someone being logged in from a strange location. Logged everything out and changed to new password and been OK since.

Call me paranoid, but I wouldn't trust an account after somebody has broken in.

In that case I'd create a different account with a different password, possibly at a different provider, and tell all people that my email address changed. Maybe I'd also create a forwarding from the old to the new account, but only for transition period over a few months.

it's gmail, if you change the password the other person is out. It's not a computer. You can also log out all active sessions.

That would be an incredibly inept and stupid interception operation.

OTOH, mails disappearing is not exactly uncommon.

I call bullshit.

Inept malware happens, but yeah, i'm not sure I'd expect inept malware in an email intercept operation.

I once helped someone diagnose a 'broken' WordPress operation. It had unpatched vulnerabilities, and had been infected with malware that appeared to make it click on ads somewhere or other, from what I could tell. But the only reason it was even discovered is it also brought down their site with a syntax error in a *.php file. If they had kept the site up and running, the owners probably never would have noticed that their WordPress installation was periodically simulating clicks on ads in the background.

How likely is it that this kind of security review will reveal something that is not already known to these three letter agencies? I would assume they already spend quite much money and time to perform similar reviews to find potential weaknesses.

It could be something in email infrastructure. Happens sometimes when they encounter email bodies or headers they don't expect. If anyone has their contact info, tell them to send the messages as text or files encrypted with GPG. Attachments to normal emails. If problem persists, do it from fresh accounts negotiated over the phone given its encrypted, authenticated comms. Otherwise, use a file drop service, IRC, something weird they probably aren't equipped for. Do it over various WiFi spots if they're blocking transport layer.

They could've used a temporary dropmail acc or something more convenient like protonmail to avoid that problem. I mean, what do they expect?

Of course emails are intercepted, that's the easiest thing to do with that unsecure protocol.

There are plenty of secure options to use for mailing.

Though having your mailserver under your own control is step 1 they skipped here. I tend to find it sad when (tech, and specially security/audit) parties don't (if they can't or don't want i don't care so much about) host their own mailserver and simply house it at google or similar party.

Actually while writing it, it should be slightly embarrassing for them, a security, auditing company they can't even tell what actually happened with their email communication.

I think the biggest problem with hosting your own email servers is to get other mail server providers (google, microsoft, etc) to trust them (through ranking). It can take ages until your email stops going directly to your customers/subscribers spam folder which literally means loosing some business opportunities.