Afternic had a security issue

Afternic had a security issue on Thursday, February 12 when a security researcher contacted the company about a potential issue with a Web API.

Afternic claims that no password or credit card information was at risk.

It is well known to GoDaddy, Afternic, partner registrars and many customers that the Afternic API is simply a mess that maybe works half of the time. It is a big security risk, especially because of the domain name Fast-Transfer and Buy-It-Now (BIN) prices.

The fact that Afternic does not offer two-factor authentication (2FA) is another security risk.

Here is the email some Afternic users received today:

Dear xxx,

We want to make you aware of a security incident we recently identified.

On Thursday, February 12, a security researcher contacted us about a potential issue with a Web API. We immediately opened an investigation and found a misconfigured server accessible through the API. Using this API, the security researcher crafted a specific request that returned information from other customer accounts.

Through our audits, we identified this specific API call was run against a small segment of our customers’ accounts. Unfortunately, your information may have been viewed using this call, which includes your first name, last name, email address, physical address, telephone number, and your Afternic username. At no point was your password or credit card information at risk.

As soon as we identified the issue, we removed the server from rotation, securing our API infrastructure.

Please monitor for any suspicious communications that may come from third parties through the contact details that were on your Afternic account (e.g. email/telephone number).

We are very sorry this incident happened. Protecting the privacy of our customers is our top priority and we let you down in this instance. Our team is committed to preventing these types of incidents in the future and we’ll always be forthcoming in our communications with you.

If you have any questions, please email service@afternic.com.

Best regards,
The Afternic Team

About Konstantinos Zournas

I studied Computer Engineering and Computer Science in London, UK and I am now living in Athens, Greece. I went online in 1995, started coding in 1996 and began buying domain names and creating websites in 2000. I started the OnlineDomain.com blog in 2012.

2 comments

  1. AFTERNIC IS A MESS. Yes, sales happen every day but they are not willing to change anything but continue in their backwardness. It took a lot of complaints for them to begin to “try” with their lazy style of operating in the aftermarket.

    Lame infrastructures but lots of millions in commission. Whoever is in charge of operations should be fired as they have no new vision for how to improve.

    No 2FA in this present time when it is being implemented on most websites.

    Afternic is filled with bugs. Whoever is in charge of operations should come forward and explain their new game plan and if none, it’s time to resign and move on. Total mess. I would be closing my account there soon.

  2. I just deleted/removed all my domains!!

    Too bad Tsitsipas lost but at least he beat Nadal!! (his best game ever!! and great comeback) He will come back strong.
