We got hacked


Many of you received our email or saw online that name.com was hacked. The truth is that it’s one of the more painful admissions that can be made on the Internet. We want you to know that when we say that we “give a shit” we truly mean it. In an effort to maintain the open, honest, and transparent reputation we’ve built for ourselves, we’re going to give you the lowdown on what happened and what we did in response.

Our security team alerted us that unauthorized individuals had accessed our database. After doing some digging we found that the attack seemed to be geared toward a few specific accounts. The hackers had a target and name.com was a means to that end.

The information that was accessed includes usernames, passwords, physical addresses, email, hashed passwords and encrypted credit card data. EPP codes (required for domain name transfers) are not stored in the same place so those were not compromised. For the techies who are wondering, the encryption on the credit card information is 4096 bit RSA. Since the password hashes were compromised we took proactive steps and initiated a site-wide password reset (hence the email, apologies for the inconvenience).

We are genuinely sorry for the annoyance and the scare. We’re taking this incredibly seriously and are doing everything possible to continue to improve the security of our systems. We greatly appreciate the support across the web and over the phones.

 






  • http://www.sgvulcan.com icebox

    When you say passwords and hashed passwords does this mean they accessed passwords in the clear?

    • namedotcom

      They accessed hashed passwords not plaintext. Does that answer your question?

      • http://monokromatic.blogspot.com monokrome

        Were they encrypted or just hashed? What hashing algorithm was used? A common GPU can crack millions of hashes a second.

        • namedotcom

          I know since then we’ve made a few updates but I’ll have to consult one of our developers on this! :)

        • Josh

          Encrypted passwords are even worse! Encrypted means an attacker can decrypt them, with very little effort, should they find the key (or the key is simple). Using hashes is the correct method, but everyone has a duty to pick a long, complex (ie. secure) password. Generally try for 8 characters or more, using mixed case, numbers, and symbols (ie. !%#). A GPU can’t even keep up once you’re at that complexity as it increases exponentially.

          Also, hopefully the passwords used a salt, such as the user’s email, so an attacker would have to brute force everyone’s passwords individually, not all at once, and cannot use rainbow tables.

          • namedotcom

            “Encrypted” was misused in the original email. It should have said “hashed” passwords. Name.com account passwords have minimum requirements encouraging customers to choose strong passwords. Passwords are now stored in a salted hash.

      • http://www.sgvulcan.com icebox

        Indeed it does, thank you.

  • disqus_prLrlJ31Tq

    I heard this yesterday. But I didn’t receive any email notice. Does that mean the hack was not my business?

    • namedotcom

      Hey there, good question. What’s your username? You can post it here or email customercare@name.com and we can look into why you haven’t received the notice. It went out to all active accounts at name.com to the administrative email address associated with the domains in the account.

  • Question

    Hypothetically, what would happen if some bad guys managed to transfer domains? What recourse would there be: would it be dealt with by yourselves, or would the previous owners of the domains have to take legal action against whoever the domains were transferred to?

    • namedotcom

      Hey, we’re not looking to get into hypotheticals here because EPP codes were completely unaffected during the hack due to how our system handles those.

      • Ahmed Osama

        This is not true. Someone has accessed and changed the whois data of my domains and transferred them outside name.com !!!!!!!!!!

        • namedotcom

          Please email support@name.com and they can help you out but EPP codes were not accessed during the hack.

          • Ahmed Osama

            The support is so slow. They answer after several days, which is not the expected speed for such an essential service.

          • namedotcom

            What’s your ticket number? I can follow up with them for you if you’d like.

          • Ahmed Osama

            I appreciate your cooperation
            #300400
            #296653
            #285552

          • namedotcom

            Looks like the ticket has been assigned to our compliance team since it is sensitive and needs further review. We take these claims very seriously and have a process we need to follow. I’ve followed up with them for you, thanks for your patience.

          • Ahmed Osama

            Thanks for your care, but is there any hope that the transferred domains can be recovered back to name.com ?

          • namedotcom

            Honestly I can’t say without reviewing all the details of the case. I do know that Ryan is on the case so you are in good hands, but I’m sure you can understand we receive a lot of cases like this and they are very delicate so we’ve got to be thorough in our review. Best of luck to you Ahmed.

          • Ahmed Osama

            Dear Sir,

            I didn’t receive any response till now, although the matter is extremely urgent and my domains are top ranked and from the high traffic names. Please, I need to contact someone directly. I need a direct contact with someone. I can’t wait till my sites are completely down or sold out !!!

  • http://k0nsl.org/blog k0nsl

    Thanks for being open about it. Kudos!

  • Iris Xinzil

    What were the passwords hashed with? MD5? SHA1? SHA256? Bcrypt? Would really appreciate an answer to this question.

    • namedotcom

      Hey Iris – Bcrypt.

      • Iris Xinzil

        Thank you very much for the timely reply and good security measures.

      • http://twitter.com/scragg0x scragg

        well… what was the work factor set at? ;)

      • http://asif.im/ Asif2BD

        That’s better than MD5 or SHA.

      • Gilles Dubuc

        This is incorrect, the compromised passwords were hashed unsalted with sha1(sha1_bin()) a.k.a. MySQL 4.1+’s PASSWORD(), for which there are rainbow tables widely available.

        Take 9gag’s hash from the sample queries shown by HTP:

        select account_name,account_pass,id,password_hash from tbl_account where account_name like '%9gag%' [1]:
        [*] 9gaginc, , 734905, *198BF6E97FD7198BECB966515FBDECD5950E444B

        It shows up in some rainbow tables. Which is not a surprise, given how weak 9gag’s password was. Anyone can run this on a MySQL server configured with that hashing scheme to verify:

        SELECT PASSWORD('harry1');
        *198BF6E97FD7198BECB966515FBDECD5950E444B

        A site-wide reset of password sounds insufficient, you need to improve the way you store people’s passwords. And every name.com customer should realize that their hashed password at the time of the exploit is probably on the loose and subject to being found in rainbow tables or bruteforced. They’re better off never using that password again for anything.

        • namedotcom

          We have increased the minimum requirements for name.com account passwords and changed to a salted hash for password storage. Customers are also not allowed to use the same password which was used previously. You are correct that the passwords at that time should no longer be used. We did our best to convey this to customers along with all other important information regarding the breach.
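An added example, not part of the thread and not name.com's code: it reimplements the unsalted sha1(sha1_bin()) scheme described in the comment above next to a salted, slow hash of the kind the reply mentions, and shows why only the unsalted table reveals which accounts share a password. The account names, the iteration count and the use of PBKDF2-HMAC-SHA256 are assumptions made for this example; the thread does not say which salted scheme was adopted.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor, chosen for this example only


def mysql41_password(password):
    """MySQL 4.1+ PASSWORD(): '*' + uppercase hex SHA1(SHA1(password)), no salt."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def salted_hash(password, salt=None):
    """Per-account random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], expected)


def shared_hash_groups(stored):
    """Audit: return {stored value: [accounts]} for values shared by 2+ accounts."""
    groups = {}
    for account, value in stored.items():
        groups.setdefault(value, []).append(account)
    return {v: sorted(a) for v, a in groups.items() if len(a) > 1}


# Constructed sample accounts; "harry1" is the weak password quoted in the comment.
SAMPLE_ACCOUNTS = {"alice": "harry1", "bob": "harry1", "carol": "c0rrect-Horse-battery"}


def compare_schemes(accounts=SAMPLE_ACCOUNTS):
    unsalted = {u: mysql41_password(p) for u, p in accounts.items()}
    salted = {u: b"".join(salted_hash(p)).hex() for u, p in accounts.items()}
    return shared_hash_groups(unsalted), shared_hash_groups(salted)


if __name__ == "__main__":
    unsalted_dupes, salted_dupes = compare_schemes()
    print("unsalted, shared hashes:", unsalted_dupes)
    print("salted, shared hashes:  ", salted_dupes)
```

With the unsalted scheme one precomputed table covers every account at once; with a per-account salt each stored value has to be attacked separately, at the cost of the full work factor per guess.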

  • http://twitter.com/buchin Mochammad Masbuchin

    Hi, would you mind following up on my ticket?

    #300662

    • namedotcom

      Hey Mochammad, keep an eye out from our customer support team in the next few minutes. I just hit them up with your case number for a follow-up. I see you also hit up Twitter – our CS rep will be able to tell you more, but if you are having trouble accessing your account you can try to use our lost password tool here: https://www.name.com/tools/get_password

      Apologies if you already tried that – wanted to help out in the meantime.

  • wangyoujianzhan

    Dear Sir!!!!!!!!!!!

    I have sent many times mail to you, because my account is theft!

    But you never reply to me, out of the solution should be right, you have not go to solve, just said you were attacked.

    I understand your pain!

    But please give me a reply!!!!!!!!!!!

    I wrote many emails to your email.

    My email is: menkou@gmail.com

    The stolen account is: wangyoujianzhan

    Please contact me immediately.

  • wangyoujianzhan

    Dear Sir!!!!!!!!!!!

    I have sent many times mail to you, because my account has been stolen!

    But you never reply to me, out of the solution should be right, you have not go to solve, just said you were attacked.

    I understand your pain!

    But please give me a reply!!!!!!!!!!!

    I wrote many emails to your email.

    My email is: menkou@gmail.com

    The stolen account is: wangyoujianzhan

    Please contact me immediately.

    • jaredatname

      Have you emailed support@name.com? I’ll send your account to support so they can take a look at this.

  • http://twitter.com/IbnJuferi MENJ

    The transparency is commendable despite the security breach. Kudos to Name.com, I will always be your customer.

    • jaredatname

      Appreciate it!

    • Independent

      How do you equate this blog post with transparency? What did you learn from this blog post that wasn’t already disclosed in HTP Zine 5? If you didn’t read HTP Zine 5, then you’re not adequately informed regarding this issue. I’m still waiting to learn how Name.com was hacked and when they first learned of it. I’ve yet to receive any information from Name.com that indicates they knew about the hack before I did (when HTP Zine 5 was published). If I don’t receive such information soon, my company’s domains will be transferred to a different domain registrar.

  • http://twitter.com/ruthwriting Ruth P

    My password was changed and I did not do this myself. I am worried my account is compromised, can’t receive the email to reset my password, and my ticket has still not been solved in three full days. This is too long for such a sensitive and important issue. So far my domains have not been stolen but every day the issue goes on for, the greater chance something worse will happen. Please sort this out – ticket #304483

  • Agus Yulianto

    Hi, would you mind following up on my ticket? #319822
    My password was changed and I did not do this myself !!!
    Someone has changed my email account !!!