Many of you received our email or saw online that name.com was hacked. The truth is that it’s one of the more painful admissions that can be made on the Internet. We want you to know that when we say that we “give a shit” we truly mean it. In an effort to maintain the open, honest, and transparent reputation we’ve built for ourselves, we’re going to give you the lowdown on what happened and what we did in response.
Our security team alerted us that unauthorized individuals had accessed our database. After doing some digging we found that the attack seemed to be geared toward a few specific accounts. The hackers had a target and name.com was a means to that end.
The information that was accessed includes usernames, passwords, physical addresses, email, hashed passwords and encrypted credit card data. EPP codes (required for domain name transfers) are not stored in the same place so those were not compromised. For the techies who are wondering, the encryption on the credit card information is 4096 bit RSA. Since the password hashes were compromised we took proactive steps and initiated a site-wide password reset (hence the email, apologies for the inconvenience).
We are genuinely sorry for the annoyance and the scare. We’re taking this incredibly seriously and are doing everything possible to continue to improve the security of our systems. We greatly appreciate the support across the web and over the phones.
silviu
When you say passwords and hashed passwords does this mean they accessed passwords in the clear?
disqus_prLrlJ31Tq
I heard this yesterday. But I didn’t receive any email notice. Does that mean the hack was not my business?
Question
Hypothetically, what would happen if some bad guys managed to transfer domains? What recourse would there be: would it be dealt with by yourselves, or would the previous owners of the domains have to take legal action against whoever the domains were transferred to?
k0nsl
Thanks for being open about it. Kudos!
snowandlights
What were the passwords hashed with? MD5? SHA1? SHA256? Bcrypt? Would really appreciate an answer to this question.
namedotcom
Hey Iris – Bcrypt.
namedotcom
Hey there, good question. What’s your username? You can post it here or email customercare@name.com and we can look into why you haven’t received the notice. It went out to all active accounts at name.com to the administrative email address associated with the domains in the account.
namedotcom
Hey, we’re not looking to get into hypotheticals here because EPP codes were completely unaffected during the hack due to how our system handles those.
namedotcom
They accessed hashed passwords not plaintext. Does that answer your question?
Ahmed Osama
This is not true. Someone has accessed and changed the whois data of my domains and transferred them outside name.com !!!!!!!!!!
namedotcom
Please email support@name.com and they can help you out but EPP codes were not accessed during the hack.
snowandlights
Thank you very much for the timely reply and good security measures.
Ahmed Osama
The support is so slow. They answer after several days, which is not the expected speed for such an essential service.
namedotcom
What’s your ticket number? I can follow up with them for you if you’d like.
Ahmed Osama
I appreciate your cooperation
#300400
#296653
#285552
namedotcom
Looks like the ticket has been assigned to our compliance team since it is sensitive and needs further review. We take these claims very seriously and have a process we need to follow. I’ve followed up with them for you, thanks for your patience.
monokrome
Were they encrypted or just hashed? What hashing algorithm was used? A common GPU can crack millions of hashes a second.
Mochammad Masbuchin
Hi, would you mind following up on my ticket?
#300662
namedotcom
I know since then we’ve made a few updates but I’ll have to consult one of our developers on this! 🙂
Ahmed Osama
Thanks for your care, but is there any hope that the transferred domains can be recovered back to name.com ?
namedotcom
Honestly I can’t say without reviewing all the details of the case. I do know that Ryan is on the case so you are in good hands, but I’m sure you can understand we receive a lot of cases like this and they are very delicate, so we’ve got to be thorough in our review. Best of luck to you Ahmed.
namedotcom
Hey Mochammad, keep an eye out from our customer support team in the next few minutes I just hit them up with your case number for a follow up. I see you also hit up Twitter – our CS rep will be able to tell you more but if you are having trouble accessing your account you can try to use our lost password tool here: https://www.name.com/tools/get_password
Apologies if you already tried that – wanted to help out in the meantime.
Josh
Encrypted passwords are even worse! Encrypted means an attacker can decrypt them, with very little effort, should they find the key (or the key is simple). Using hashes is the correct method, but everyone has a duty to pick a long, complex (ie. secure) password. Generally try for 8 characters or more, using mixed case, numbers, and symbols (ie. !%#). A GPU can’t even keep up once you’re at that complexity as it increases exponentially.
Also, hopefully the passwords used a salt, such as the user’s email, so an attacker would have to brute force everyone’s passwords individually, not all at once, and cannot use rainbow tables.
scragg
well… what was the work factor set at? 😉
silviu
Indeed it does, thank you.
Ahmed Osama
Dear Sir,
I didn’t receive any response till now, although the matter is extremely urgent and my domains are top ranked and among the high-traffic names. Please, I need to contact someone directly. I need a direct contact with someone. I can’t wait till my sites are completely down or sold out !!!
Asif2BD
That’s better than MD5 or SHA.
wangyoujianzhan
Dear Sir!!!!!!!!!!!
I have sent many times mail to you, because my account is theft!
But you never reply to me, out of the solution should be right, you have not go to solve, just said you were attacked.
I understand your pain!
But please give me a reply!!!!!!!!!!!
I wrote many emails to your email.
My email is: menkou@gmail.com
The stolen account is: wangyoujianzhan
Please contact me immediately.
wangyoujianzhan
Dear Sir!!!!!!!!!!!
I have sent many times mail to you, because my account has been stolen!
But you never reply to me, out of the solution should be right, you have not go to solve, just said you were attacked.
I understand your pain!
But please give me a reply!!!!!!!!!!!
I wrote many emails to your email.
My email is: menkou@gmail.com
The stolen account is: wangyoujianzhan
Please contact me immediately.
MENJ
The transparency is commendable despite the security breach. Kudos to Name.com, I will always be your customer.
Gilles Dubuc
This is incorrect, the compromised passwords were hashed unsalted with sha1(sha1_bin()) a.k.a. MySQL 4.1+’s PASSWORD(), for which there are rainbow tables widely available.
Take 9gag’s hash from the sample queries shown by HTP:
select account_name,account_pass,id,password_hash from tbl_account where account_name like '%9gag%' [1]:
[*] 9gaginc, , 734905, *198BF6E97FD7198BECB966515FBDECD5950E444B
It shows up in some rainbow tables. Which is not a surprise, given how weak 9gag’s password was. Anyone can run this on a MySQL server configured with that hashing scheme to verify:
SELECT PASSWORD('harry1');
*198BF6E97FD7198BECB966515FBDECD5950E444B
A site-wide reset of password sounds insufficient, you need to improve the way you store people’s passwords. And every name.com customer should realize that their hashed password at the time of the exploit is probably on the loose and subject to being found in rainbow tables or bruteforced. They’re better off never using that password again for anything.
jaredatname
Appreciate it!
jaredatname
Have you emailed support@name.com? I’ll send your account to support so they can take a look at this.
Independent
How do you equate this blog post with transparency? What did you learn from this blog post that wasn’t already disclosed in HTP Zine 5? If you didn’t read HTP Zine 5, then you’re not adequately informed regarding this issue. I’m still waiting to learn how Name.com was hacked and when they first learned of it. I’ve yet to receive any information from Name.com that indicates they knew about the hack before I did (when HTP Zine 5 was published). If I don’t receive such information soon, my company’s domains will be transferred to a different domain registrar.
namedotcom
We have increased the minimum requirements for name.com account passwords and changed to a salted hash for password storage. Customers are also not allowed to use the same password which was used previously. You are correct that the passwords at that time should no longer be used. We did our best to convey this to customers along with all other important information regarding the breach.
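The two storage schemes discussed in this exchange, side by side, as an added example that is not part of the original comments and is not name.com's code. The thread does not name the new salted algorithm, so PBKDF2-HMAC-SHA256 is a stand-in; the iteration count, record format, function names and sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Iteration count is an assumption for this example; tune it for your hardware.
PBKDF2_ITERATIONS = 600_000


def mysql41_password(password):
    """Legacy scheme named in the thread: '*' + HEX(SHA1(SHA1(password))), no salt."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def hash_salted(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Per-user random salt plus a deliberately slow KDF (stand-in algorithm)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify(password, stored):
    """Check a password against either storage format, in constant time."""
    if stored.startswith("*"):  # legacy unsalted record
        return hmac.compare_digest(mysql41_password(password), stored)
    _, iterations, salt_hex, dk_hex = stored.split("$")
    candidate = hash_salted(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, stored)


def reset_password(db, user, new_password):
    """Forced reset: refuse the pre-breach password, store the new one salted."""
    if verify(new_password, db[user]):
        return False  # same password as the exposed record
    db[user] = hash_salted(new_password)
    return True


def demo():
    # Constructed accounts: two users who picked the same password.
    shared = "Spring2013!"
    legacy = {"alice": mysql41_password(shared), "bob": mysql41_password(shared)}
    salted = {"alice": hash_salted(shared), "bob": hash_salted(shared)}
    return legacy["alice"] == legacy["bob"], salted["alice"] == salted["bob"]


if __name__ == "__main__":
    print(demo())  # legacy records collide, salted records do not
```

Under the legacy scheme every account with the same password stores the same string, so one precomputed lookup applies to all of them; with a per-user salt each record has to be attacked separately.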
namedotcom
“Encrypted” was misused in the original email. It should have said “hashed” passwords. Name.com account passwords have minimum requirements encouraging customers to choose strong passwords. Passwords are now stored in a salted hash.
Guest
My password was changed and I did not do this myself. I am worried my account is compromised, can’t receive the email to reset my password, and my ticket has still not been solved in three full days. This is too long for such a sensitive and important issue. So far my domains have not been stolen but every day the issue goes on for, the greater chance something worse will happen. Please sort this out – ticket #304483
Agus Yulianto
Hi, would you mind following up on my ticket? #319822
My password was changed and I did not do this myself !!!
Someone has changed my email account !!!