Welcome to September. It’s a new month and this yields another security and hacking incident.
Back in August, The Register reported that the largest ever quotient of email addresses, usernames and passwords had been put together by groups of Russian hackers. You can read their full report on this here.
These hackers collected this data over many months, gaining access to these user credentials through vulnerable/poorly secured databases and backdoors/malware installed on insecure computers around the world.
Overnight, our intrusion detection systems alerted us to a much higher than normal load against our login systems. Upon investigation, we determined that the username and password data gathered from third party sites, likely the data identified by The Register (i.e. not Namecheap) is being used to try and gain access to Namecheap.com accounts.
The group behind this is using the stored usernames and passwords to simulate a web browser login through fake browser software. This software simulates the actual login process a user would use if they are using Firefox/Safari/Chrome to access their Namecheap account. The hackers are going through their username/password list and trying each and every one to try and get into Namecheap user accounts.
The vast majority of these login attempts have been unsuccessful as the data is incorrect or old and passwords have been changed. As a precaution, we are aggressively blocking the IP addresses that appear to be logging in with the stolen password data. We are also logging these IP addresses and will be exporting blocking rules across our network to completely eliminate access to any Namecheap system or service, as well as making this data available to law enforcement.
While the vast majority of these logins are unsuccessful, some have been successful. To combat this, we’ve temporarily secured the Namecheap accounts that have been affected and are currently contacting customers involved requesting they improve the security for these accounts.
If you receive an email alert from us stating that your account has temporarily been secured, don’t worry. We’ve proactively taken this step as a security measure to help defend you against this attack. We will need you to verify your identity to us and we will then issue you with new login credentials, including a new, stronger password.
Once verified, you will regain access to your Namecheap account. Now is a very good time to enable 2 factor authentication. You can get help doing this from this knowledgebase article – https://www.namecheap.com/support/knowledgebase/article.aspx/9253/45/how-to-two-factor-authentication.
I must reiterate this is not a security breach at Namecheap, nor a hack against us. The hackers are using usernames and passwords being used have been obtained from other sources. These have not been obtained from Namecheap. But these usernames and passwords that the hackers now have are being used to try and login to Namecheap accounts.
Our early investigation shows that those users who use the same password for their Namecheap account that are used on other websites are the ones who are vulnerable.
If you haven’t been affected by this but you know that you use the same username and password on multiple websites including Namecheap, now is a very good time to go in and update your password to something more secure.
This attack serves as a timely reminder that as netizens, we constantly face new and evolving security threats. There are groups out there whose sole intent is to steal our identity, gain access to our bank or credit card information or defraud us. And this is a problem that isn’t going to disappear any time soon.
As a netizen, you can make all of your internet presence more secure, including your Namecheap account, by practicing a number of simple yet effective precautions:
- Choose strong, hard to guess passwords. Don’t go for a dictionary word and include numbers and symbols. If it’s hard to remember, use a secure password manager such as LastPass.
- Do not use the same username/password for multiple websites. We believe that the small number of accounts that were accessed due to them sharing the username/password with other, third party sites.
- Change passwords frequently (at least once per month). While this is an inconvenience, it is much less of an inconvenience than someone stealing your account, your identity or your credit card information.
- Enable 2 factor authentication wherever possible. Your Namecheap.com account supports 2FA, as do most other service provider accounts.
- Practice good local security. Scan your PC/Mac regularly for malware. This malware often sits quietly in the background, waiting for you to login to a website then capturing these credentials and sending them back off to hacker home base.
- Use encrypted, SSL connections for all of your websites. SSL certificates are inexpensive and make obtaining that username/password hash much, much harder to obtain.
- When you’re in Starbucks on an unsecured, open wifi hotspot, don’t login to anything unless its via a https:// connection. Ideally, use a VPN to further tighten up security when on an open hotspot.
At Namecheap, we remain committed to practicing good security while also being open about the threats that we face. All passwords we store are encrypted, using the highest security encryption methods. We run a multitude of firewalls and intrusion detection systems and constantly review our defense mechanisms.
We’ve chosen to go public with today’s incident to try and generate greater public awareness of the security issues that stem from areas outside of our control. Good security is a joint effort between service provider (us) and customer (you). Following the recommendations I made above is a very good start to practising better security.
We hope this serves as a both warning and heads up to other service providers and anyone that guards customer data that you too may be at risk from this mass of compromised account data. Now is a good time to challenge customers to update their credentials or enable two factor authentication. And the time is now for us to work together in defeating these security breaches. To back this up, we’re willing to share a list of the “bad IPs” – the IP addresses that we believe the perpetrators are using to try and gain access to accounts with us, and elsewhere. We will be releasing these at our discretion. Please contact [email protected] if you’d like to request this list.
IMPORTANT: If you are a customer that has questions about this issue, please contact our support team through the usual channel.