Name.com hacking incident: only full disclosure keeps customers

The popular registrar Name.com was hacked last week and send an email to all customers so they could reset their passwords. Hackers aimed at one of name.com’s large commercial clients caused the registrar to send emails with a link to change the login password. I wrote about this in the post: the Name.com password reset email is REAL: time to change your name.com password.

What is rare about the incident is that that name.com gave full disclosure to all their customers and gave updates through their support, name.com blog and social media like  twitter and facebook.

Name.com posted an article on their blog called “We got hacked“. Very few companies have the guts to admit something like that and that at least shows the integrity of Name.com. I am sure that most registrars (and I have a big one in mind) would have denied and hacking incidents. Here is how Name.com handled it:

Many of you received our email or saw online that name.com was hacked. The truth is that it’s one of the more painful admissions that can be made on the Internet. We want you to know that when we say that we “give a shit” we truly mean it. In an effort to maintain the open, honest, and transparent reputation we’ve built for ourselves, we’re going to give you the lowdown on what happened and what we did in response.

Our security team alerted us that unauthorized individuals had accessed our database. After doing some digging we found that the attack seemed to be geared toward a few specific accounts. The hackers had a target and name.com was a means to that end.

The information that was accessed includes usernames, passwords, physical addresses, email, hashed passwords and encrypted credit card data. EPP codes (required for domain name transfers) are not stored in the same place so those were not compromised. For the techies who are wondering, the encryption on the credit card information is 4096 bit RSA. Since the password hashes were compromised we took proactive steps and initiated a site-wide password reset (hence the email, apologies for the inconvenience).

We are genuinely sorry for the annoyance and the scare. We’re taking this incredibly seriously and are doing everything possible to continue to improve the security of our systems. We greatly appreciate the support across the web and over the phones.

Visit the blog post for the comments and the immediate response from Name.com. There is a person claiming that his account was hacked and his domain were stolen but we should wait and see how this turns out.

I have only used Name.com for drop catching and started using it in late 2012. I am now thinking that I should give Name.com a shot as one of my main registrars. I haven’t even checked their renewal prices but their support so far seems excellent. Only full disclosure will keep customers from leaving and maybe get a few new ones! Well done Name.com.