Welcome to September. A new month brings another security and hacking incident.
Back in August, The Register reported that the largest ever collection of email addresses, usernames and passwords had been put together by groups of Russian hackers. You can read their full report on this here.
These hackers collected this data over many months, gaining access to these user credentials through vulnerable/poorly secured databases and backdoors/malware installed on insecure computers around the world.
Overnight, our intrusion detection systems alerted us to a much higher than normal load against our login systems. Upon investigation, we determined that username and password data gathered from third-party sites (i.e. not Namecheap), likely the data identified by The Register, is being used to try to gain access to Namecheap.com accounts.
The group behind this is using the stored usernames and passwords to simulate a web browser login through fake browser software. This software simulates the actual login process a user would use if they are using Firefox/Safari/Chrome to access their Namecheap account. The hackers are going through their username/password list and trying each and every one to try and get into Namecheap user accounts.
The vast majority of these login attempts have been unsuccessful as the data is incorrect or old and passwords have been changed. As a precaution, we are aggressively blocking the IP addresses that appear to be logging in with the stolen password data. We are also logging these IP addresses and will be exporting blocking rules across our network to completely eliminate access to any Namecheap system or service, as well as making this data available to law enforcement.
While the vast majority of these logins are unsuccessful, some have been successful. To combat this, we’ve temporarily secured the Namecheap accounts that have been affected and are currently contacting customers involved requesting they improve the security for these accounts.
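The detection and response described above can be sketched as follows. This is an added example, not Namecheap's own code: the log format, the sample records and the thresholds are assumptions constructed for illustration. It flags source IPs that try many distinct usernames with a high failure rate, and lists the accounts those IPs did manage to log in to, which are the ones to secure and notify.

```python
from collections import defaultdict

# Constructed sample login log (timestamp, source IP, username, result).
# Format and values are assumptions for illustration, not Namecheap data.
SAMPLE_LOG = """\
2014-09-01T02:14:01Z 203.0.113.7 alice FAIL
2014-09-01T02:14:02Z 203.0.113.7 bob FAIL
2014-09-01T02:14:03Z 203.0.113.7 carol FAIL
2014-09-01T02:14:04Z 203.0.113.7 dave OK
2014-09-01T02:14:05Z 203.0.113.7 erin FAIL
2014-09-01T02:14:06Z 203.0.113.7 frank FAIL
2014-09-01T02:15:10Z 198.51.100.20 grace FAIL
2014-09-01T02:15:25Z 198.51.100.20 grace FAIL
2014-09-01T02:15:40Z 198.51.100.20 grace OK
2014-09-01T02:16:00Z 192.0.2.55 heidi OK
this line is malformed and is skipped
"""

def parse(log_text):
    """Yield (ip, username, success) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # ignore malformed records
        _, ip, user, result = parts
        yield ip, user, result == "OK"

def detect_stuffing(log_text, min_users=5, min_fail_ratio=0.7):
    """Return (flagged_ips, accounts_to_secure).

    An IP is flagged when it tries at least min_users distinct usernames
    and at least min_fail_ratio of its attempts fail. One user mistyping
    a password from one IP does not match this pattern.
    """
    attempts = defaultdict(list)
    for ip, user, ok in parse(log_text):
        attempts[ip].append((user, ok))
    flagged, to_secure = set(), set()
    for ip, events in attempts.items():
        users = {u for u, _ in events}
        fail_ratio = sum(1 for _, ok in events if not ok) / len(events)
        if len(users) >= min_users and fail_ratio >= min_fail_ratio:
            flagged.add(ip)
            # Successful logins from a flagged IP are likely reused passwords.
            to_secure.update(u for u, ok in events if ok)
    return flagged, to_secure

if __name__ == "__main__":
    ips, accounts = detect_stuffing(SAMPLE_LOG)
    print("block:", sorted(ips))
    print("secure and notify:", sorted(accounts))
```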
If you receive an email alert from us stating that your account has temporarily been secured, don’t worry. We’ve proactively taken this step as a security measure to help defend you against this attack. We will need you to verify your identity to us and we will then issue you with new login credentials, including a new, stronger password.
Once verified, you will regain access to your Namecheap account. Now is a very good time to enable 2 factor authentication. You can get help doing this from this knowledgebase article – https://www.namecheap.com/support/knowledgebase/article.aspx/9253/45/how-to-two-factor-authentication.
I must reiterate this is not a security breach at Namecheap, nor a hack against us. The usernames and passwords being used have been obtained from other sources. These have not been obtained from Namecheap. But these usernames and passwords that the hackers now have are being used to try and login to Namecheap accounts.
Our early investigation shows that those users who use the same password for their Namecheap account as on other websites are the ones who are vulnerable.
If you haven’t been affected by this but you know that you use the same username and password on multiple websites including Namecheap, now is a very good time to go in and update your password to something more secure.
This attack serves as a timely reminder that as netizens, we constantly face new and evolving security threats. There are groups out there whose sole intent is to steal our identity, gain access to our bank or credit card information or defraud us. And this is a problem that isn’t going to disappear any time soon.
As a netizen, you can make all of your internet presence more secure, including your Namecheap account, by practicing a number of simple yet effective precautions:
- Choose strong, hard to guess passwords. Don’t go for a dictionary word and include numbers and symbols. If it’s hard to remember, use a secure password manager such as LastPass.
- Do not use the same username/password for multiple websites. We believe that the small number of accounts that were accessed were accessed because they shared the username/password with other, third-party sites.
- Change passwords frequently (at least once per month). While this is an inconvenience, it is much less of an inconvenience than someone stealing your account, your identity or your credit card information.
- Enable 2 factor authentication wherever possible. Your Namecheap.com account supports 2FA, as do most other service provider accounts.
- Practice good local security. Scan your PC/Mac regularly for malware. This malware often sits quietly in the background, waiting for you to login to a website then capturing these credentials and sending them back off to hacker home base.
- Use encrypted, SSL connections for all of your websites. SSL certificates are inexpensive and make that username/password hash much, much harder to obtain.
- When you’re in Starbucks on an unsecured, open wifi hotspot, don’t login to anything unless it’s via an https:// connection. Ideally, use a VPN to further tighten up security when on an open hotspot.
At Namecheap, we remain committed to practicing good security while also being open about the threats that we face. All passwords we store are encrypted, using the highest security encryption methods. We run a multitude of firewalls and intrusion detection systems and constantly review our defense mechanisms.
We’ve chosen to go public with today’s incident to try and generate greater public awareness of the security issues that stem from areas outside of our control. Good security is a joint effort between service provider (us) and customer (you). Following the recommendations I made above is a very good start to practising better security.
We hope this serves as both a warning and a heads-up to other service providers and anyone that guards customer data that you too may be at risk from this mass of compromised account data. Now is a good time to challenge customers to update their credentials or enable two factor authentication. And the time is now for us to work together in defeating these security breaches. To back this up, we’re willing to share a list of the “bad IPs” – the IP addresses that we believe the perpetrators are using to try and gain access to accounts with us, and elsewhere. We will be releasing these at our discretion. Please contact firstname.lastname@example.org if you’d like to request this list.
IMPORTANT: If you are a customer that has questions about this issue, please contact our support team through the usual channel.
What do domain transfers have to do with saving elephants? Not much. But here at Namecheap, we can’t help it. We love Planet Earth and all its inhabitants. We know it’s our responsibility to care for the world we live in. That’s why we recycle everything that can be recycled, in all our offices. That’s why we help raise funds for conservation organizations every year on Earth Day. And that’s why we’re honoring World Elephant Day this year.
World Elephant Day is August 12, 2014. Every day, 96 elephants are killed in Africa. We think that needs to stop. So, between August 12 and August 15, we offer this: Use coupon code SAVEDUMBO to transfer your .com, .net or .org domain to Namecheap for only $7.88 for the first year. We’ll give you the best customer service you’ve ever experienced in your life, and we’ll donate $1 to Save the Elephants for every transfer.
Click here to learn more. And thanks for helping Namecheap help wildlife.
It turns out that even an awesome company like Sony can overlook important-but-mundane tasks, such as renewing their domain registrations. The company’s gaming website recently went offline (temporarily, of course) because the domain expiration notices were landing in an unread email box. Click here to read the full story.
It can happen to anybody. So, we offer this friendly reminder: Set all your domains to auto-renew. It’s easy. Have a look at our Knowledgebase article to learn how.
Today, Google officially announced that using a secure https:// connection (achieved through the use of an SSL certificate) increases the ranking of your site in its results.
For some time, many in the SEO community have suspected that using a secure https:// connection had benefits. Matt Cutts, the head of the Webspam team at Google, and currently on extended leave, previously suggested he’d like all sites to use a secure connection where necessary. And this announcement, just a couple of months later, proves that Google is starting to use the presence of a secure https:// connection as a ranking factor.
Namecheap is one of the leading SSL retailers globally. And we’d like to see you get an SEO boost for your websites by installing one of the certificates that we provide.
To this end, we’re offering a limited time promotion on our Comodo Positive SSL certificates. Using the coupon code ‘SSLRANK’ you can get one of these certificates for just $4.99 for the first year. The coupon code is valid through 31st of August, 2014.
To order one of these certificates and take advantage of our promotion, please visit https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx
Privacy-invasive legislation has come back from the dead. This week marks the US Congress’ fourth attempt in four years to pass “cybersecurity” legislation. The recently introduced Cybersecurity Information Sharing Act (CISA) strongly resembles 2012’s CISPA, which Namecheap customers helped fight and defeat.
CISA goes even further than CISPA did, granting companies more power to gather user communication data and turn it over to the government without a warrant, including sending info to the NSA. CISA also gives companies broad immunity to spy on and even launch countermeasures against potentially innocent users.
Want to get involved? Click here to read EFF’s full article on the issue and/or click here to email your US Representatives and let your voice be heard. CISA is moving through Congress right now – there’s no time to waste. Thanks for joining the fight for our online privacy and internet freedom.
Innovation needs people who dare to take the first step to do something great, and July is a month famous for innovation. It was 238 years ago that John Hancock put the first signature on the Declaration of Independence, and 45 years ago that Neil Armstrong put the first footprint on the moon.
Don’t wait to be great.
We want to help you take your #GiantLeap online.
For the month of July (this offer is now expired!), you can get a .US domain name and 1 year of private email for $0.98. See the details here https://www.namecheap.com/promos/2014/giant-leaps.aspx
Tweet us @Namecheap to show us what you are up to, and we will share the best right here.
Nathan, Namecheap Marketing
The .biz domain extension was created for business clients. It’s instant, powerful protection for your brand – users immediately know your site is all about business. And because it’s less popular than .com, your preferred domain name is more likely to be available.
Our Business email plan is also great for business use. It features ample storage on our private cloud, plus collaboration tools and full mobile support.
Restrictions apply. Click here to see the details and purchase your $1.99 business package.
Are you one of the many who own a .me.uk, .org.uk or .co.uk? Have you been waiting for .uk as a top-level domain? Here’s some exciting news: Today, June 10, Namecheap is beginning to offer .uk as a direct extension. We’re pleased to be one of the largest US registrars to offer .uk.
To strengthen our friendship with the UK business sector even more, we present a hosting deal to go along with your new .uk domain. If you register your .uk with Namecheap, you’re eligible to receive one year of our Value hosting plan (hosted from our UK datacenter) for only $1. Second-year renewals will be available at the regular rate.
All .uk domains and new UK hosting plans are backed by the same powerful Namecheap guarantee, service and support you’ve come to depend on.
At Namecheap, the freedom to be heard has always been very important to us. Helping our users to do, create and ultimately be heard online has been our mission for over 10 years. When our users register a domain for email, put up a website or blog, or open an online store to the world, they all have one thing in common: They want to express themselves and their ideas, publicly or privately. We believe in that core principle of expression, and we’re proud to help our users tell their stories online.
This is why we as a company are particularly concerned about the recent debate over Net Neutrality. We want to make sure that all of our users are aware of this issue, what it means and how it impacts not only them, but the entire Internet as it stands today.
What is Net Neutrality?
There are many great primers on the Internet about Net Neutrality, so we won’t reinvent the wheel. For a serious summary from the Guardian, try here: http://www.theguardian.com/technology/2014/may/14/net-neutrality-fcc-what-is-it. For a more lighthearted take, check out this recent video from John Oliver: https://www.youtube.com/watch?v=fpbOEoRrHyU
Quite simply, Net Neutrality is the concept that all data on the Internet, regardless of what kind it may be (text, voice, video) and the source of the data (Wikipedia, Skype, Youtube), should be treated equally. No one type of data should have priority over another, and hence no one party can determine the source or type of content you can access. Everything is open and free, sticking to the core principles that made the Internet possible in the first place.
This is the way the Internet has worked from Day One, quite well so far. Why change it now? The answer is simple but probably not surprising: Money!
Why do ISPs and others want to change this core principle?
Streaming services such as Netflix and Youtube are very bandwidth-intensive, which means they use a lot of Internet capacity. If the Internet works as intended and doesn’t discriminate between what type of data it transmits or the priority it gives any data, your Netflix video should theoretically be delivered at the same rate as any other Internet data, such as email or web browsing; there’s just more of it.
ISPs such as the usual suspects starting with C and V don’t like this very much. They built their networks to handle a certain amount of data per user based on past usage. Today’s high-bandwidth Internet usage pattern is forcing them to upgrade their infrastructure to handle a typical user, and this costs them a lot of money.
In response, ISPs want to change the law so they can charge Netflix and others for access to their networks, creating a ‘fast lane’ for companies who pay the toll.
Why is this so bad?
Good question. It might seem fair that, if their customer usage patterns are skewing toward Netflix and other such higher-bandwidth services, and ISPs are forced to upgrade their networks at a faster rate as a result, someone should pay for it. Netflix can afford to do so, but at what cost?
Consider that in the future, the next Netflix-killer will be forced to pay more to deliver the same quality of service. Ask yourself: Could Reed Hastings and company have started and grown Netflix from scratch into a giant with this additional burden? And more importantly, aren’t we supposed to be removing and not creating burdens for entrepreneurs?
The point is this: The Internet is built upon neutrality and interoperability. Without them, we risk censorship. If we legislate treating certain data on the Internet differently from other data, and allowing certain gatekeepers to make this determination, we’re sliding down a dangerous slope that ends at virtual censorship. You may be able to publish whatever you want, but you’re no longer guaranteed that everyone will be able to read, hear or view it as easily as any other content. That doesn’t sound like an equal and open Internet to us.
More broadly, perhaps instead of charging someone more and keeping profits high, telecoms should instead adjust capital expenditures to reflect the reality of customers using the Internet in 2014: As a high-bandwidth, always-on life utility. Legislating quality of access instead could change the current bizarre situation where telcos are racking up record profits while the USA is ranked 41st out of 192 countries for Internet speed… an interesting and frightening paradox for a nation that considers itself a technology and thought leader.
Making sure your voice is heard
Coming back full circle now, when our customers register their domain, create a website or storefront, post a video, or even send an email, they are expressing themselves and want to be heard. The services that power our voices and our messages must be able to access the Internet equally in order for their users to be heard.
A two-tier Internet would prevent the platform you choose from having an equal chance to compete, and we at Namecheap can’t stand to see that become the status quo.
To ensure all users continue to be heard equally, Namecheap is running an ongoing campaign for Net Neutrality and raising money for the Electronic Frontier Foundation and Fight for the Future. Click here to learn about our current Reset the Net effort and please help spread the word about this critical issue for all of us online.
– Richard Kirkendall, Namecheap CEO
Namecheap believes in every internet user’s right to privacy. That’s why we’re partnering with Fight for the Future on June 5th, in support of Reset the Net. Reset the Net is a day of action designed to end government surveillance online. The best way you can protect your customers’ privacy is with an SSL. That’s why we’ll be offering two great deals on site security: Use coupon code POSITIVERESET to get a one-year Comodo PositiveSSL certificate for $1.99 and/or coupon code RAPIDRESET to get a one-year GeoTrust RapidSSL cert for $4.99. Restrictions apply. For every SSL certificate sold as part of Reset the Net, we’ll donate $0.50 to Fight for the Future. When the number of SSLs sold tops 1000, we’ll double that donation amount. FftF is an organization dedicated to preserving the internet’s power to transform human lives for good. Learn more and sign their pledge at resetthenet.org.