Yesterday Moniker sent emails to all its users with new passwords and asked them to change the passwords immediately. It was later reported that this was done after a massive hack that resulted in many valuable domain names being stolen from various Moniker accounts.
First of all I must say that I can’t believe that no one at Moniker noticed that a single IP logged into thousands of accounts. Is there anyone over at Moniker? This is a major flag that went unnoticed. This went on for 2 weeks, which gave the thieves plenty of time to transfer out any domains they wanted.
Of course if you own a very small number of domains you can check whois and then check if the domain is in your Moniker account. But if you have thousands of domains it is not that easy.
First of all you should change the password for the master account and all the sub accounts you have at Moniker. The new passwords you got from Moniker were sent by email, which is an insecure channel, and could have been stolen by anyone.
Then you should lock all the domains you currently have at Moniker as an added precaution.
Here is a simple guide to see if you have been affected by this massive theft. I have always said that everybody should keep an offline list of all their domains. I have them saved by registrar. I did save my domain list before Moniker changed to the new control panel and system and that helped me recover all the domains that were moved to other registrars without any notice.
In this case I got the current list of my domains at Moniker and compared it to the list I had before the hacking incident. I checked to see if any of the original domains are missing.
I then ran a bulk whois search using Watch My Domains Pro and checked to see if any of my domains have been transferred to a new registrar and if they have different whois details. I did this because some domains may have been transferred away to a different registrar but may still appear in the Moniker control panel.
You should also check if any domain has a “pending transfer” status. Moniker does not offer a way to immediately release a domain that is pending transfer to a new registrar and that could be a good thing now. That is because you have 5 days to stop the transfer. (Some registrars have started displaying a “pending transfer” status even on .com and .net domains. This has been the default for other TLDs such as .info, .org, .us, .biz and others for more than 10 years now. Not sure if Moniker is one of those registrars.)
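The checks described above (missing domains, registrar changes, “pending transfer” status, unlocked domains) can be scripted. This is an added example, not the author's tool or Moniker's: it assumes you have already saved one WHOIS record per domain as text, that the record uses the common `Registrar:` and `Status:` / `Domain Status:` field names, and that the lock shows up as the EPP status `clientTransferProhibited`. All domains and records in it are constructed.

```python
import re

EXPECTED = "moniker"  # assumption: substring expected in the WHOIS "Registrar:" field

def load_domains(text):
    """One domain per line -> lower-cased set, blank lines ignored."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}

def parse_whois(raw):
    """Return (registrar, set of EPP status codes) from one WHOIS record."""
    reg = re.search(r"^[ \t]*(?:Sponsoring )?Registrar:[ \t]*(.+)$", raw, re.I | re.M)
    codes = re.findall(r"^[ \t]*(?:Domain )?Status:[ \t]*(\w+)", raw, re.I | re.M)
    return (reg.group(1).strip() if reg else None, {c.lower() for c in codes})

def audit(baseline, current, whois):
    """Map each baseline domain to its list of problems (clean domains omitted)."""
    findings = {}
    for domain in sorted(baseline):
        issues = []
        if domain not in current:
            issues.append("missing from account")
        registrar, codes = parse_whois(whois.get(domain, ""))
        if registrar is None or EXPECTED not in registrar.lower():
            issues.append(f"registrar now: {registrar}")
        if "pendingtransfer" in codes:
            issues.append("pending transfer")
        if "clienttransferprohibited" not in codes:
            issues.append("not locked")
        if issues:
            findings[domain] = issues
    return findings

# Constructed sample data (not real domains or real WHOIS output).
BASELINE = load_domains("alpha.example\nbravo.example\ncharlie.example\nDelta.example\n")
CURRENT = load_domains("alpha.example\nbravo.example\ncharlie.example\n")
WHOIS = {
    "alpha.example": "Registrar: Moniker\nDomain Status: clientTransferProhibited\n",
    "bravo.example": "Registrar: Moniker\nDomain Status: pendingTransfer\n",
    "charlie.example": "Registrar: Other Registrar\nStatus: clientTransferProhibited\n",
    "delta.example": "Registrar: Other Registrar\nStatus: ok\n",
}

if __name__ == "__main__":
    for domain, issues in audit(BASELINE, CURRENT, WHOIS).items():
        print(domain, "->", "; ".join(issues))
```

Note that `charlie.example` is flagged even though it is still in the current account list, which is the case where a domain has left the registrar but still appears in the control panel.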
If you don’t have a list of the domains you had at Moniker you should check for any strange activity on your account.
First of all you should check the IP log that is in your account in the “User Profile” options:
You should look for successful or even unsuccessful login attempts into your account from IPs that you are not using. I found 2 successful logins from a UK IP address on the 21st and the 23rd of September:
You should then check the Job Status function to see if any suspicious changes have been made to your account:
I didn’t find anything suspicious and no jobs were performed on the dates of the successful logins. But I don’t have many domains left at Moniker and only a handful are worth stealing.
If you find any domains stolen please report them here or at Domain Gang.
I have been transferring domains out since the new control panel and system was introduced and created this whole mess.
Around the time of the hacking incident FMA transferred thousands of domain names away from Moniker to Uniregistry and that was probably one of the best moves ever!
So let’s not forget. Start transferring out your domains!