Trio of Web Registrars Disclose 22 Million Accounts BreachedAccount Information Exposed for Web.com, Network Solutions and Register.com
A trio of well-known domain name registrars are mandating a password reset after revealing a breach affecting about 22 million accounts that occurred in late August.
Web.com and two of its brands, Network Solutions and Register.com, published identical breach notices, noting "that a third party gained unauthorized access to a limited number of our computer systems." The incident was discovered on Oct. 16.
"Upon discovery of this unauthorized access, the company immediately began working with an independent cybersecurity firm to conduct a comprehensive investigation to determine the scope of the incident, including the specific data impacted," according to the notices. "We have also reported the intrusion to federal authorities and are notifying affected customers."
No Credit Cards Exposed
The exposed account data, which encompasses current and former accounts, includes names, addresses, phone numbers, email addresses and services held by the account owner. The three registrars say they're notifying victims by email.
"We encrypt credit card numbers, and no credit card data was compromised as a result of this incident," the notices say.
"Upon discovery of this unauthorized access, the company immediately began working with an independent cybersecurity firm to conduct a comprehensive investigation to determine the scope of the incident, including the specific data impacted."
Some accounts were created within Europe. "We are in the process of making the filings with the appropriate authorities, including those required under the GDPR [General Data Protection Regulation]," Web.com says in a statement provided to Information Security Media Group.
Risks of Domain Takeovers
Web hosting and domain name services are attractive targets for attackers. Web.com maintains, however, that the breach hasn't resulted in tampering with their clients' Domain Name System, or DNS, settings. But the kind of information breached could give attackers enough contact information to try to social engineer victims into divulging account credentials.
DNS hijacking attacks are particularly dangerous. Domain name registrars usually offer control panels where domain-name registrants can alter their hosting settings, including mapping a domain name to a different IP address.
With account credentials in hand, an attacker could map a victim's domain name to a new IP address, setting up a look-a-like website that would appear to be legitimate. It also may be possible to reroute an organization's email, posing risks of sensitive data disclosure.
In January, FireEye described new DNS hijacking campaigns. The attackers are believed to "have a nexus to Iran," FireEye wrote.
The attacks involved changing the DNS "A" record, which links a domain name to an IP address. Another variant involved changing nameserver records, which point to the authoritative record for a particular domain.
"A large number of organizations have been affected by this pattern of DNS record manipulation and fraudulent SSL certificates," FireEye writes. "They include telecoms and ISP providers, internet infrastructure providers, government and sensitive commercial entities."
FireEye recommends that organizations use two-step verification for access to domain admin portals as well as validating DNS A record or nameserver changes. Also, organizations can search for and revoke fraudulent TLS certificates that may have been set up.