Name.com hacking incident: only full disclosure keeps customers

The popular registrar Name.com was hacked last week and send an email to all customers so they could reset their passwords. Hackers aimed at one of name.com’s large commercial clients caused the registrar to send emails with a link to change the login password. I wrote about this in the post: the Name.com password reset email is REAL: time to change your name.com password.

What is rare about the incident is that that name.com gave full disclosure to all their customers and gave updates through their support, name.com blog and social media like  twitter and facebook.

Name.com posted an article on their blog called “We got hacked“. Very few companies have the guts to admit something like that and that at least shows the integrity of Name.com. I am sure that most registrars (and I have a big one in mind) would have denied and hacking incidents. Here is how Name.com handled it:

Many of you received our email or saw online that name.com was hacked. The truth is that it’s one of the more painful admissions that can be made on the Internet. We want you to know that when we say that we “give a shit” we truly mean it. In an effort to maintain the open, honest, and transparent reputation we’ve built for ourselves, we’re going to give you the lowdown on what happened and what we did in response.

Our security team alerted us that unauthorized individuals had accessed our database. After doing some digging we found that the attack seemed to be geared toward a few specific accounts. The hackers had a target and name.com was a means to that end.

The information that was accessed includes usernames, passwords, physical addresses, email, hashed passwords and encrypted credit card data. EPP codes (required for domain name transfers) are not stored in the same place so those were not compromised. For the techies who are wondering, the encryption on the credit card information is 4096 bit RSA. Since the password hashes were compromised we took proactive steps and initiated a site-wide password reset (hence the email, apologies for the inconvenience).

We are genuinely sorry for the annoyance and the scare. We’re taking this incredibly seriously and are doing everything possible to continue to improve the security of our systems. We greatly appreciate the support across the web and over the phones.

Visit the blog post for the comments and the immediate response from Name.com. There is a person claiming that his account was hacked and his domain were stolen but we should wait and see how this turns out.

I have only used Name.com for drop catching and started using it in late 2012. I am now thinking that I should give Name.com a shot as one of my main registrars. I haven’t even checked their renewal prices but their support so far seems excellent. Only full disclosure will keep customers from leaving and maybe get a few new ones! Well done Name.com.

Sold.Domains

About Konstantinos Zournas

Konstantinos studied Computer Engineering and Computer Science in London and lives in Athens, Greece. He works on domain names, websites and software development. Has been online since 1995 & domaining since 2002.

4 comments

  1. I have used Name.com for hand registering .im domains and .cc domains backordering. Before this hacking attempt I have moved out all my domains. But still went ahead and changed the password just to be on safe side 🙂

  2. Yep, And Moniker did the exact opposite – Deny deny deny. and the other 2 companies just didn’t put anything out. So who had the best strategy ?

  3. Exceptionally well played from their part. Honesty all the way. I also like the fact that Name.com sends you an email if there have been an unsuccessful login attempt (found out when typoed my password.)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.