The service, which aimed to offer users a better email experience by scanning messages and attachments for malware before they arrived in one's inbox, saw the beginning stages of its downfall on Monday, when Romero first noticed that several data centers were down.
Hours later, everything was gone, including mail hosts, virtual machine hosts and an SQL server cluster.
It's presently unclear why VFEmail was attacked. Romero indicated on Twitter that the hack wasn't part of a ransomware attack. "Just attack and destroy," he wrote.
A final tweet from VFEmail on Monday states that there is a slight possibility of one server being restored, but that the chances are limited.
What's even more concerning about this particular attack, Romero Notes, is that every aspect of the VFEmail system had a different password. "That's the scary part," he told his followers.
In an update posted on the company's website, Romero wrote that new email was being delivered, and that efforts to restore any data possible would continue.
"We have suffered catastrophic destruction at the hands of a hacker, last seen as aktv@94.155.49.9," the posts reads. "This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can."
Speaking with KrebsOnSecurity on Tuesday, Romero revealed that he was able to recover a backup drive that was hosted in The Netherlands. He also noted that the hacker appeared to have committed the act from a Bulgaria-based server.
"I haven't done much digging yet on the actors," Romero told the publication. "It looked like the IP was a Bulgarian hosting company. So I'm assuming it was just a virtual machine they were using to launch the attack from."
"There definitely was something that somebody didn't want found. Or, I really pissed someone off. That's always possible," he added.
This latest attack, however, isn't the first time that the service was shuttered by hackers. In 2015, 2017 and 2018, VFEmail went through major hurdles after being disrupted by a series denial-of-service attacks, according to KrebsOnSecurity.