How To Check If Any Of Your Domains Have Been Stolen From Moniker

monikerYesterday Moniker send emails to all its users with new passwords and asked them to change the passwords immediately. It was later reported that this was done after a massive hacking that resulted in many valuable domain names being stolen from various Moniker accounts.

First of all I must say that I can’t believe that no one at Moniker noticed that a single IP logged into thousands of accounts. Is there anyone over at Moniker? This is a major flag that went unnoticed. This went on for 2 weeks that gave the thieves plenty of time to transfer out any domains the wanted.

Of course if you own a very small number of domains you can check whois and then check if the domain is in your Moniker account. But if you have thousands of domains it is not that easy.

First of all you should change the password for the master account and all the sub accounts you have at Moniker. The new passwords you got from Moniker were sent by email that is an insecure channel and could have been stolen by anyone.

Then you should lock all the domains you currently have at Moniker as an added precaution.

Here is a simple guide to see if you have been affected by this massive theft. I have always said that everybody should keep an offline list of all their domains. I have them saved by registrar. I did saved my domain list before Moniker changed to the new control panel and system and that helped me recover all the domains that were moved to other registrars without any notice.

In this case I got the current list of my domains at Moniker and compared it to the list I had before the hacking incident. I checked to see if any of the original domains are missing.

I then ran a bulk whois search using Watch My Domains Pro and checked to see if any of my domains have been transferred to a new registrar and if they have different whois details. I did this because some domains may have been transferred away to a different registrar but may still appear in the Moniker control panel.

You should also check if any domain has a “pending transfer” status. Moniker does not offer a way to immediately release a domain that is pending transfer to a new registrar and that could be a good thing now. That is because you have 5 days to stop the transfer. (Some registrar have started displaying a “pending transfer” status even on .com and .net domains. This has been the default for other TLDs such as .info, .org, .us, .biz and others for more than 10 years now. Not sure if Moniker is one of those registrars.)

If you don’t have a list of the domains you had at Moniker you should check for any strange activity on your account.

First of all you should check the IP log that is in your account in the “User Profile” options:

moniker-hack1

 

 

 

 

 

 

 

 

You should look for successful or even unsuccessful login atempts into your account from IPs that you are not using. I found 2 successful logins from a UK IP address on the 21st and the 23rd of September:

moniker-hack2

You should then check the Job Status function to see if any suspicious changes have been made to your account:

moniker-hack3

 

 

 

 

 

 

I didn’t find anything suspicious and no jobs were performed at the dates of the successful logins. But I don’t have many domains left at Moniker and only a handful and worth stealing.

If you find any domains stolen please report them here or at Domain Gang.

I have been transferring domains out since the new control panel and system was introduced and created this whole mess.

At around the hacking incident FMA transferred thousands of domain names away from Moniker to Uniregistry and that was probably one of the best moves ever!

So let’s not forget. Start transferring out your domains!

Sold.Domains

About Konstantinos Zournas

Konstantinos studied Computer Engineering and Computer Science in London and lives in Athens, Greece. He loves domains and building websites. He is online since 1995, learned about html in 1996 and got into domains in 2002. He started the OnlineDomain.com blog in 2012.

36 comments

  1. It is amazing to me that Moniker.com does not send an email notification to either account holder on a push. No notification at all via email. Pushes are not even logged in my account history, really?

  2. Exactly, the legacy site send them – the “new and improved” site does not… Unbelievable!

  3. Looks like they were looking for 2L 3L and short one word .com’s.

    My account was access with the IP, and I have spent all morning moving my domains over to uniregistry. Someone needs to start a class action suit against these jokers, I have wasted so many hours with their support this year, they were simply to cocky, and nobody had a clue how to run this company. STAY AWAY

    • Thank god I don’t have any of those domains at Moniker!

      I too have spend too much time searching for my domains after this whole yearly Moniker mess…

    • Looking at my ip log there is an ip located in Lebanon that logged in several times back in July…nothing missing that I can see though. I had already moved my most valuable domains by then.

  4. At All Jobs look for “push” or “transfer” words.

  5. Nuno – as mentioned their “wonderful” system does not log pushes in the job logs or in an email notification.

  6. Hello James, regarding pushes the information I wrote was given by Moniker. I cannot confirm as I haven’t done any, only transfers and those were logged there.
    Have you done pushes that weren’t logged? Those would be bad news.

  7. Email notifications for any change need to be mandatory.

  8. Yes, I have done multiple pushes and nothing is logged or emailed – someone could push every domain out of your account and you would have not notification or log records!

  9. I emailed them, again.

  10. wow, i assumed there was a reason for the password changes but had no idea it was this bad. i’m glad i moved my most valuable domains out of there as soon as i could after the control panel change. i wish i would have moved them all but with so many there, its hard to afford to move them all at once plus regular renewals, purchases elsewhere.

  11. I tried it myself today. I pushed a domain from my main account to another account I am not using.
    I didn’t get any emails about the push and the push was not logged in the jobs section.

  12. I mentioned the push problem to them right after they switched over to the new platform. They did nothing about it. It is beyond me how you can move a domain from one account to another and have no log record and no email notification. This is incompetency at its best! Moniker went from being the most secure registrar in the domain space to the weakest.

  13. another thing to note is to look under the ‘manage account users’ link. there my old customer number and user name is listed with different passwords. i made this inactive because you can’t seem to delete them.

    • These old user names were included in the insecure email they send.
      All these had new passwords assigned.

    • They cannot seem to use consistent terminology either … the email I received referred to “sub-accounts”:

      “Please find below passwords for the sub accounts that we found in your settings:”

      But, try to find “sub-accounts” anywhere when logged into your Moniker account and you’ll come up empty handed! Eventually you’ll stumble upon them in your ‘manage account users’ section … so why not label them as such in the email? [Who writes these things? Does anybody proof read the emails before they are sent?]

      Regardless … my main point/question ➜ Is there any reason to keep these additional “account users”? Especially as Moniker assigns you a new “account number” and (temporary) password in the email … so, any reason to keep these secondary “account users”? [Unless of course you have staff who you allow to log into your account on your behalf…]

      To be honest, I was surprised (and had NO idea) I had 2 additional “account users”. After a little investigating, I believe one of them I had to create in order to log in to the old “Moniker Help” site (as you could NOT use your main Moniker credentials; but rather had to create a new username and password). My 2nd “account user” I have no idea where it came from.

      I initially was going to delete them; but them decided I had better just “inactivate” them in case they were still needed for something?!? [However, even if I had clicked the red ‘X” to try to delete them, if JZ’s experience is any indication, in all likelihood the delete command would have failed…]

      Anybody know if we need these old secondary “account users”?

      Steve

      • Yes, nothing makes sense with Moniker. One of the problems is that they used their German software and copy pasted it onto a complete different (and English) system. Not much attention was given to the previous system settings. So you can understand how much attention was given to have a proper and consistent English translation.

        My 2 sub accounts are my old account number and my old username.
        They created a new account number after the system change and made the old ones sub-accounts.
        It this the same with you?

      • One was my username, and the other was a number (so, likely it was my old account number) … so YES, I believe my 2 “sub-accounts” are of the same ‘type’ as yours.

        Hmmm … Moniker sends an email to everyone with a NEW account number & password (which you now must use to log-in). So, what is/was the point to create/keep our old “sub-accounts” and assigned them new passwords? What is their purpose now (except to confuse…)??

        Or am I missing something?

        Steve

      • I guess they tried to keep the old usernames alive so after the system change people could login ok.
        I guess we don’t need them anymore but you should probably ask them. Not that you are going to get a reply… 🙂

  14. There are users (look at Moniker´s facebook page) who cannot access their control panel since the attack took place. The passwords that Moniker sent are not working when the people try to login. And when they try to change the password, the application doesn´t work. So, these people cannot transfer their domains to other registrars..
    Do you know by the way any solution to this problem?

    • Sorry but no. Moniker is going worse by the day if that is even possible any more.

    • Actually I did find the problem. Apparently the account was locked due to an email address change which happened in June but no ‘click to authorise’ was received. So changing the password to an unauthorised account, caused the account to be locked.

      I rang support, waited on hold for about 15 minutes, questioned why they did not answer their support tickets and they said they were doing their best to get around to all of them, and my account was unlocked after I was able to identify myself on the phone to them.

      I don’t think Moniker’s support is any worse or better, excepting that the experience of having this size of problems means better contingency plans need to be put in place. It’s hard to scale up to this size of support.

      I’m considering moving away from Moniker, not because of this, but their interface has changed, handling domains is confusing, and I believe since being sold or whatever they did last year, the company is not the same. That’s why I’m going to transfer my domains out. I don’t have many, under 100, so not a big deal.

      Just thinking that if I were Moniker, I’d be reviewing about how they handle themselves in public. It could have been handled better, but the support team when on the phone, was really exceptional.

  15. eerq.com my domain also has been stolen from moniker.com

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.