Domain name registrars Web.com, NetworkSolutions.com, and Register.com were at the receiving end of a data breach in August this year that compromised customer account information such as names, addresses, phone numbers, and email addresses.
The cyber security incident was disclosed by Web.com on its website recently, with the domain name registrar stating that its systems were accessed without authorisation by third parties in August this year, resulting in the loss of personal information of current and former Web.com customers.
“On October 16, 2019, Web.com determined that a third-party gained unauthorised access to a limited number of our computer systems in late August 2019, and as a result, account information may have been accessed. No credit card data was compromised as a result of this incident,” the company said.
“Our investigation indicates that account information for current and former Web.com customers may have been accessed. This information includes contact details such as name, address, phone numbers, email address and information about the services that we offer to a given account holder. We encrypt credit card numbers and no credit card data was compromised as a result of this incident.
“Upon discovery, Web.com took immediate steps to stop the intrusion. We promptly engaged a leading independent cybersecurity firm to investigate and determine the scope of the incident. We notified the proper authorities and began working with federal law enforcement.
“We are notifying affected customers through email and via our website, and as an additional precaution are requiring all users to reset their account passwords,” the registrar added.
It also mentioned that it does not believe users’ account passwords were compromised as all account passwords are encrypted. Howeber, as a precaution, all users are presently being asked to reset their account passwords to secure their respective accounts.
Domain name registrars took over two months to identify the breach
The data breach affected three top domain name registrars, namely Web.com and its subsidiaries NetworkSolutions.com and Register.com, indicating that customer account information of all three domain name registrars was stored in a single internal system that had been accessed by hackers.
Web.com did not mention the total number of data records compromised due to the security incident nor did it mention the total number of customers affected. All affected customers are presently being notified separately about the breach through email and via the registrar’s website.
“It is not clear why it has taken over two months for this breach to be disclosed and this raises a number of concerns about the security practices employed by the organisations. Any organisation that takes over two months to identify a breach has significant flaws within their security program and risks putting their customer data at serious risk,” says Robert Ramsden-Board, VP of EMEA at Securonix.
“The attacker who gained access these systems had unlimited access to customer data for over two months, providing them with endless opportunities. Anyone who has been affected by the breach is advised to change their passwords urgently,” he adds.
Prash Somaiya, technical program manager at HackerOne, said that data breaches such as the one impacting top domain name registrars drive home the point that every company should have a formal process to accept vulnerability reports from external third parties. A Vulnerability Disclosure Policy or Security@ email is the best way to ensure that when someone sees something exposed, they can say something.
This isn’t the first time that hackers have targeted domain name registrars to gain access to customer information or to target customers of such services. In 2017, hackers were able to infiltrate French domain name registrar Gandi’s network after stealing login credentials from a technical provider.
The hackers went on to make unauthorised modifications to 751 domains, as a result of which visitors to such domains were redirected to the Keitaro traffic distribution system. Instead of redirecting them to Google, Keitaro TDS redirected visitors to a Rig Exploit Kit where they got infected by a malware named Neutrino Bot.
Prompt action by security teams at Gandi ensured that all the affected domains were reverted to the legitimate name servers within three hours after the initial infection took place.