We got hacked

Many of you received our email or saw online that name.com was hacked. The truth is that it’s one of the more painful admissions that can be made on the Internet. We want you to know that when we say that we “give a shit” we truly mean it. In an effort to maintain the open, honest, and transparent reputation we’ve built for ourselves, we’re going to give you the lowdown on what happened and what we did in response.

Our security team alerted us that unauthorized individuals had accessed our database. After doing some digging we found that the attack seemed to be geared toward a few specific accounts. The hackers had a target and name.com was a means to that end.

The information that was accessed includes usernames, passwords, physical addresses, email, hashed passwords and encrypted credit card data. EPP codes (required for domain name transfers) are not stored in the same place so those were not compromised. For the techies who are wondering, the encryption on the credit card information is 4096 bit RSA. Since the password hashes were compromised we took proactive steps and initiated a site-wide password reset (hence the email, apologies for the inconvenience).

We are genuinely sorry for the annoyance and the scare. We’re taking this incredibly seriously and are doing everything possible to continue to improve the security of our systems. We greatly appreciate the support across the web and over the phones.

 


Comments
Harvey Specter
Posted at 12:37 pm May 10, 2013
silviu
Author

When you say passwords and hashed passwords does this mean they accessed passwords in the clear?

Harvey Specter
Posted at 1:12 pm May 10, 2013
disqus_prLrlJ31Tq
Author

I heard this yesterday. But I didn’t receive any email notice. Does that mean the hack was not my business?

Harvey Specter
Posted at 2:12 pm May 10, 2013
Question
Author

Hypothetically, what would happen if some bad guys managed to transfer domains? What recourse would there be: would it be dealt with by yourselves, or would the previous owners of the domains have to take legal action against whoever the domains were transferred to?

Harvey Specter
Posted at 2:48 pm May 10, 2013
k0nsl
Author

Thanks for being open about it. Kudos!

Harvey Specter
Posted at 3:06 pm May 10, 2013
snowandlights
Author

What were the passwords hashed with? MD5? SHA1? SHA256? Bcrypt? Would really appreciate an answer to this question.

Harvey Specter
Posted at 4:42 pm May 10, 2013
namedotcom
Author

Hey Iris – Bcrypt.

Harvey Specter
Posted at 4:44 pm May 10, 2013
namedotcom
Author

Hey there, good question. What’s your username? You can post it here or email customercare@name.com and we can look into why you haven’t received the notice. It went out to all active accounts at name.com to the administrative email address associated with the domains in the account.

Harvey Specter
Posted at 4:46 pm May 10, 2013
namedotcom
Author

Hey, we’re not looking to get into hypotheticals here because EPP codes were completely unaffected during the hack due to how our system handles those.

Harvey Specter
Posted at 4:47 pm May 10, 2013
namedotcom
Author

They accessed hashed passwords not plaintext. Does that answer your question?

Harvey Specter
Posted at 5:01 pm May 10, 2013
Ahmed Osama
Author

This is not true. Someone has accessed and changed the whois data of my domains and transferred them outside name.com!!!!!!!!!!

Harvey Specter
Posted at 5:03 pm May 10, 2013
namedotcom
Author

Please email support@name.com and they can help you out but EPP codes were not accessed during the hack.

Harvey Specter
Posted at 5:18 pm May 10, 2013
snowandlights
Author

Thank you very much for the timely reply and good security measures.

Harvey Specter
Posted at 5:24 pm May 10, 2013
Ahmed Osama
Author

The support is so slow. They answer after several days, which is not the expected speed for such an essential service.

Harvey Specter
Posted at 5:26 pm May 10, 2013
namedotcom
Author

What’s your ticket number? I can follow up with them for you if you’d like.

Harvey Specter
Posted at 5:31 pm May 10, 2013
Ahmed Osama
Author

I appreciate your cooperation
#300400
#296653
#285552

Harvey Specter
Posted at 5:40 pm May 10, 2013
namedotcom
Author

Looks like the ticket has been assigned to our compliance team since it is sensitive and needs further review. We take these claims very seriously and have a process we need to follow. I’ve followed up with them for you, thanks for your patience.

Harvey Specter
Posted at 5:47 pm May 10, 2013
monokrome
Author

Were they encrypted or just hashed? What hashing algorithm was used? A common GPU can crack millions of hashes a second.

Harvey Specter
Posted at 5:59 pm May 10, 2013
Mochammad Masbuchin
Author

Hi, would you mind following up on my ticket?

#300662

Harvey Specter
Posted at 6:00 pm May 10, 2013
namedotcom
Author

I know since then we’ve made a few updates but I’ll have to consult one of our developers on this! 🙂

Harvey Specter
Posted at 6:02 pm May 10, 2013
Ahmed Osama
Author

Thanks for your care, but is there any hope that the transferred domains can be recovered back to name.com?

Harvey Specter
Posted at 6:06 pm May 10, 2013
namedotcom
Author

Honestly I can’t say without reviewing all the details of the case. I do know that Ryan is on the case so you are in good hands, but I’m sure you can understand we receive a lot of cases like this and they are very delicate so we’ve got to be thorough in our review. Best of luck to you Ahmed.

Harvey Specter
Posted at 6:10 pm May 10, 2013
namedotcom
Author

Hey Mochammad, keep an eye out for our customer support team in the next few minutes; I just hit them up with your case number for a follow-up. I see you also hit up Twitter – our CS rep will be able to tell you more, but if you are having trouble accessing your account you can try to use our lost password tool here: https://www.name.com/tools/get_password

Apologies if you already tried that – wanted to help out in the meantime.

Harvey Specter
Posted at 8:01 pm May 10, 2013
Josh
Author

Encrypted passwords are even worse! Encrypted means an attacker can decrypt them, with very little effort, should they find the key (or the key is simple). Using hashes is the correct method, but everyone has a duty to pick a long, complex (i.e. secure) password. Generally try for 8 characters or more, using mixed case, numbers, and symbols (e.g. !%#). A GPU can’t even keep up once you’re at that complexity as it increases exponentially.

Also, hopefully the passwords used a salt, such as the user’s email, so an attacker would have to brute force everyone’s passwords individually, not all at once, and cannot use rainbow tables.

Harvey Specter
Posted at 8:16 pm May 10, 2013
scragg
Author

well… what was the work factor set at? 😉

Harvey Specter
Posted at 6:40 am May 11, 2013
silviu
Author

Indeed it does, thank you.

Harvey Specter
Posted at 7:31 am May 11, 2013
Ahmed Osama
Author

Dear Sir,

I didn’t receive any response till now, although the matter is extremely urgent and my domains are top ranked and from the high traffic names. Please, I need to contact someone directly. I need a direct contact with someone. I can’t wait till my sites are completely down or sold out!!!

Harvey Specter
Posted at 6:23 am May 12, 2013
Asif2BD
Author

That’s better than MD5 or SHA.

Harvey Specter
Posted at 6:37 pm May 12, 2013
wangyoujianzhan
Author

Dear Sir!!!!!!!!!!!

I have sent many times mail to you, because my account is theft!

But you never reply to me, out of the solution should be right, you have not go to solve, just said you were attacked.

I understand your pain!

But please give me a reply!!!!!!!!!!!

I wrote many emails to your email.

My email is: menkou@gmail.com

The stolen account is: wangyoujianzhan

Please contact me immediately.

Harvey Specter
Posted at 6:37 pm May 12, 2013
wangyoujianzhan
Author

Dear Sir!!!!!!!!!!!

I have sent many times mail to you, because my account has been stolen!

But you never reply to me, out of the solution should be right, you have not go to solve, just said you were attacked.

I understand your pain!

But please give me a reply!!!!!!!!!!!

I wrote many emails to your email.

My email is: menkou@gmail.com

The stolen account is: wangyoujianzhan

Please contact me immediately.

Harvey Specter
Posted at 1:48 am May 13, 2013
MENJ
Author

The transparency is commendable despite the security breach. Kudos to Name.com, I will always be your customer.

Harvey Specter
Posted at 2:22 am May 13, 2013
Gilles Dubuc
Author

This is incorrect, the compromised passwords were hashed unsalted with sha1(sha1_bin()) a.k.a. MySQL 4.1+’s PASSWORD(), for which there are rainbow tables widely available.

Take 9gag’s hash from the sample queries shown by HTP:

select account_name,account_pass,id,password_hash from tbl_account where account_name like '%9gag%' [1]:
[*] 9gaginc, , 734905, *198BF6E97FD7198BECB966515FBDECD5950E444B

It shows up in some rainbow tables. Which is not a surprise, given how weak 9gag’s password was. Anyone can run this on a MySQL server configured with that hashing scheme to verify:

SELECT PASSWORD('harry1');
*198BF6E97FD7198BECB966515FBDECD5950E444B

A site-wide password reset sounds insufficient; you need to improve the way you store people’s passwords. And every name.com customer should realize that their hashed password at the time of the exploit is probably on the loose and subject to being found in rainbow tables or bruteforced. They’re better off never using that password again for anything.

Harvey Specter
Posted at 4:04 pm May 13, 2013
jaredatname
Author

Appreciate it!

Harvey Specter
Posted at 4:05 pm May 13, 2013
jaredatname
Author

Have you emailed support@name.com? I’ll send your account to support so they can take a look at this.

Harvey Specter
Posted at 9:15 am May 14, 2013
Independent
Author

How do you equate this blog post with transparency? What did you learn from this blog post that wasn’t already disclosed in HTP Zine 5? If you didn’t read HTP Zine 5, then you’re not adequately informed regarding this issue. I’m still waiting to learn how Name.com was hacked and when they first learned of it. I’ve yet to receive any information from Name.com that indicates they knew about the hack before I did (when HTP Zine 5 was published). If I don’t receive such information soon, my company’s domains will be transferred to a different domain registrar.

Harvey Specter
Posted at 10:47 am May 15, 2013
namedotcom
Author

We have increased the minimum requirements for name.com account passwords and changed to a salted hash for password storage. Customers are also not allowed to use the same password which was used previously. You are correct that the passwords at that time should no longer be used. We did our best to convey this to customers along with all other important information regarding the breach.
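
Added example, not part of the thread and not name.com's code: a Python sketch of the unsalted `PASSWORD()` construction described in the comment above next to a salted, iterated hash of the kind this reply mentions. The account names, passwords, PBKDF2-HMAC-SHA256 and its iteration count are assumptions chosen for illustration; the page does not say which salted scheme was adopted.

```python
import hashlib
import hmac
import os

def mysql41_password(password):
    """MySQL 4.1+ PASSWORD(): '*' + uppercase hex of SHA1(SHA1(password) as raw bytes)."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

# Assumed parameters for the salted alternative (illustrative, not name.com's settings).
PBKDF2_ITERATIONS = 200_000

def salted_hash(password, salt=None):
    """Return (salt, digest) using a per-account random salt and an iterated KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest

def verify_salted(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, expected)

def shared_hash_groups(rows):
    """Group account names by stored hash; a group of two or more means the
    stored values alone reveal that those accounts share a password."""
    groups = {}
    for name, stored in rows:
        groups.setdefault(stored, []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}

def demo():
    # Constructed sample accounts: alice and bob reuse the same password.
    accounts = [("alice", "Tr0ub4dor&3"),
                ("bob", "Tr0ub4dor&3"),
                ("carol", "other-passphrase")]
    unsalted = [(n, mysql41_password(p)) for n, p in accounts]
    salted = [(n, salted_hash(p)[1].hex()) for n, p in accounts]
    return shared_hash_groups(unsalted), shared_hash_groups(salted)

if __name__ == "__main__":
    unsalted_groups, salted_groups = demo()
    print("unsalted collisions:", unsalted_groups)
    print("salted collisions:  ", salted_groups)
```

With the unsalted scheme, identical passwords produce identical stored values across accounts, which is what makes precomputed tables reusable; with a per-account salt the same audit finds no collisions.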

Harvey Specter
Posted at 10:48 am May 15, 2013
namedotcom
Author

“Encrypted” was misused in the original email. It should have said “hashed” passwords. Name.com account passwords have minimum requirements encouraging customers to choose strong passwords. Passwords are now stored in a salted hash.

Harvey Specter
Posted at 1:23 am May 17, 2013
Guest
Author

My password was changed and I did not do this myself. I am worried my account is compromised, can’t receive the email to reset my password, and my ticket has still not been solved in three full days. This is too long for such a sensitive and important issue. So far my domains have not been stolen but every day the issue goes on for, the greater chance something worse will happen. Please sort this out – ticket #304483

Harvey Specter
Posted at 5:12 am June 18, 2013
Agus Yulianto
Author

Hi, would you mind following up on my ticket? #319822
My password was changed and I did not do this myself!!!
Someone has changed my email account!!!