Security incident at Bodis

Bodis wrote on its blog about a security incident that happened last week:

Security Incident

Our team has detected suspicious activity on the Bodis.com site that began on or about Tues 07/12 @ 16:00 UTC and lasted through the early hours of Wed 07/13.

Summary of the Event

Our team has observed an attempt to gain access to user accounts on the Bodis system using an automated login script. The intruder has attempted to gain access to various accounts using predefined email addresses and password combinations, of which the overwhelming majority failed to work. Most users have received a Failed Login email notification as a result of these failed login attempts.

However, it seems that the intruder was able to access several accounts. In the instances where the intruder was able to access accounts, we opted to disable account access several hours later and notified those users to reset their password, check their payout settings, as well as any other personal information.

Our Response

Currently, our team does not believe our network has been compromised and we are quite confident that the attacker has gained a list of email addresses and passwords from an external database not associated with Bodis; potentially from a breach elsewhere within the domain industry. It should be noted that the attacker has also attempted to log in using email addresses that do not even exist on our system. Our passwords are hashed with a strong hashing algorithm, and have always been since Bodis’ inception. Bodis has never stored passwords in plain text.

We have always and will always take security seriously. We are taking the following steps to protect you:

  • We’ve added a CAPTCHA to the login page to slow down any scripted login/attack attempts.
  • We’re moving to dual authentication as a requirement for all accounts. By default, all accounts will be required to confirm their login via email if the device or IP is not trusted. We expect this to be live in the immediate future.
  • Bodis already supports 2FA optionally. We highly recommend you enable 2FA on your account if you have not done so already.

We also highly recommend you use a password that is long, complex, and not re-used on any other sites.

For any questions or concerns, please contact our support team at support@bodis.com
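The pattern the notice describes (one automated source trying many different email addresses, most attempts failing, some aimed at addresses that have no account) can be picked out of login events on the defender's side. The following is an added example, not code from the post or from Bodis; the event fields, the outcome labels, the thresholds and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not Bodis data): time, source IP, email, outcome.
EVENTS = [
    ("2024-01-01T16:00:01", "203.0.113.7", "alice@example.com", "bad_password"),
    ("2024-01-01T16:00:03", "203.0.113.7", "bob@example.com", "unknown_account"),
    ("2024-01-01T16:00:05", "203.0.113.7", "carol@example.com", "bad_password"),
    ("2024-01-01T16:00:08", "203.0.113.7", "dave@example.com", "ok"),
    ("2024-01-01T16:00:11", "203.0.113.7", "erin@example.com", "unknown_account"),
    ("2024-01-01T16:00:14", "203.0.113.7", "frank@example.com", "bad_password"),
    # A legitimate user mistyping a password twice, then succeeding.
    ("2024-01-01T16:01:00", "198.51.100.20", "gina@example.com", "bad_password"),
    ("2024-01-01T16:01:20", "198.51.100.20", "gina@example.com", "bad_password"),
    ("2024-01-01T16:01:45", "198.51.100.20", "gina@example.com", "ok"),
]


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_distinct=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts and mostly fail inside one window."""
    by_source = defaultdict(list)
    for ts, ip, email, outcome in events:
        by_source[ip].append((datetime.fromisoformat(ts), email.lower(), outcome))

    flagged = {}
    for ip, rows in by_source.items():
        rows.sort()
        start, hit = 0, False
        for end in range(len(rows)):
            # Advance the window start until the span is at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            fails = sum(1 for _, _, o in win if o != "ok")
            distinct = len({e for _, e, _ in win})
            if distinct >= min_distinct and fails / len(win) >= min_fail_ratio:
                hit = True
                break
        if hit:
            # Summarise everything seen from a flagged source, including the
            # accounts it did get into (candidates for lockout and forced reset).
            flagged[ip] = {
                "distinct_accounts": len({e for _, e, _ in rows}),
                "unknown_accounts": sum(1 for _, _, o in rows if o == "unknown_account"),
                "accessed": sorted({e for _, e, o in rows if o == "ok"}),
            }
    return flagged
```

The `accessed` list corresponds to the accounts the notice says were disabled and asked to reset their passwords; a single user retrying one password does not trip the distinct-account threshold.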


About Konstantinos Zournas

Studied Computer Engineering and Computer Science in London, UK and now living in Athens, Greece. Love domains and building websites. Went online in 1995, learned about HTML in 1996 and about domains in 2002. Started publishing the OnlineDomain.com blog in 2012.

One comment

  1. Excellent response by Bodis and their Executives
