Yesterday Acro.net and his other site DomainGang.com posted two important articles related to a breach at Moniker.com. I wanted to write yesterday but I was pretty busy with other stuff, plus behind the scenes I was working with an affected domain owner on the phone and digging up information on the potential domain thefts. This is very important, so you need to be aware!! If you have a Moniker.com account, you really need to pay attention and take some actions!
From what I can tell, it is very likely that ALL, yes ALL Moniker.com accounts were breached (hacked). I have hard dates starting on September 20, 2014 (it is likely that it started a couple days prior based on data I have seen, maybe the 15th) and lasted for several days going past September 23.
It appears that all accounts were accessed via an IP location of: 18.104.22.168
Two of my Moniker accounts were accessed (logged into) via that IP address. One on September 20 and the other on September 23. Based on the “account numbers”, the lower account number was accessed first on the 20th, the higher account number on the 23rd. This tells me they started with the lowest account numbers sometime around the 20th (likely even earlier) and ran scripts to access accounts, copy domain data within each account and, I’m sure, grab more data.
Moniker.com did mention, in an email sent on the morning of October 6, 2014 that looked like spam (and included account numbers and new passwords for account users), that they detected brute force attacks, but failed to mention the TRUTH! These attacks were successful!
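An added example, not part of the original post and not any registrar's code: one way a registrar could look through its login logs for the pattern described above, a single source IP successfully logging into many accounts with the lowest account numbers first. The log format, the function names, the thresholds and the sample lines are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a hypothetical format: timestamp account_number source_ip result
SAMPLE_LOG = """\
2014-09-20T02:10:05 100231 203.0.113.50 fail
2014-09-20T02:10:09 100231 203.0.113.50 success
2014-09-20T02:11:30 100232 203.0.113.50 success
2014-09-20T09:15:00 100500 198.51.100.7 success
2014-09-21T03:02:11 100233 203.0.113.50 fail
2014-09-21T03:02:40 100234 203.0.113.50 success
2014-09-22T10:30:00 100777 198.51.100.9 success
2014-09-22T10:45:00 100312 198.51.100.9 success
2014-09-23T04:20:00 100235 203.0.113.50 success
truncated or malformed line
"""

def parse(log_text):
    """Yield (time, account, ip, succeeded) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("success", "fail"):
            continue
        try:
            yield datetime.fromisoformat(parts[0]), int(parts[1]), parts[2], parts[3] == "success"
        except ValueError:
            continue

def find_sweeps(log_text, min_accounts=4, min_ascending=0.8):
    """Flag IPs that logged into many accounts, mostly in rising account-number order."""
    attempted = defaultdict(set)   # ip -> accounts it tried
    first_ok = defaultdict(dict)   # ip -> {account: earliest successful login}
    for ts, account, ip, ok in parse(log_text):
        attempted[ip].add(account)
        if ok:
            first_ok[ip][account] = min(ts, first_ok[ip].get(account, ts))
    findings = []
    for ip, ok_times in first_ok.items():
        if len(ok_times) < min_accounts:
            continue
        order = sorted(ok_times, key=ok_times.get)  # accounts by time of first access
        rising = sum(b > a for a, b in zip(order, order[1:]))
        ratio = rising / max(len(order) - 1, 1)
        if ratio >= min_ascending:
            findings.append({"ip": ip, "attempted": len(attempted[ip]),
                             "compromised": len(ok_times), "ascending_ratio": ratio,
                             "first": min(ok_times.values()).isoformat(),
                             "last": max(ok_times.values()).isoformat()})
    return findings
```

Each finding separates accounts that were only attempted from accounts that were actually logged into, which is the distinction between detecting a brute force attack and admitting it succeeded.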
Domain Names Have Been Stolen
I am aware of at least 8 domains that have been stolen. Most I cannot make public right now, due to one of the owners wishing to keep his domains private currently, but I can say 3 letter .com domains were the main focus of theft from Moniker. The one word generic domain Busy.com was also involved and very likely many more. I am still working on this part.
I am currently aware of three domain name registrars that stolen domain names were transferred out to:
- CSL COMPUTER SERVICE LANGENBACH GMBH D/B/A JOKER.COM
Important email addresses (all other whois information, basically doesn’t matter, the email addresses are the most important)
Stolen Domains At GoDaddy
As a result of the breach at Moniker.com and information obtained (mainly email address), OTHER domains at other domain registrars have been affected. I am aware of 4 domains stolen at GoDaddy that took place on October 3, 2014. There is a connection, as the same email address was used between the two accounts (Moniker/GoDaddy). Different passwords were used with the two registrars, but the same email address was linked. The hackers likely gained access to the email address (it was a free service email provider). With that data, password resets can be done, etc., and gaining access to other accounts can take place.
What You Need To Do
First of all, change all passwords associated with your Moniker account if you have one, even if you have one with no domains in it! If you have connected email addresses between different registrars, you also need to take action. If there is potential that a hacker has access to your email service (check IP logs if you can) it doesn’t do much good to change passwords, if they can just set them again!
The main email address on your registrar accounts needs to be changed if the above is the case! I know this is a pain in the butt and will likely lock your domains for 60 days from being transferred, but if your domains are stolen, what else really matters!
Turn ON two factor authentication when you can. Again, pain in the butt, but the safest.
I am going to work on an article later today, with what is the best way to protect your domains. I already have the data from a private discussion, I just need to put it together to share with you: what process one needs to take, what email addresses to use, etc. But right now, the IF factor is a big player that also needs to be considered. If somebody has access to your main email address account, no matter what you change your password to… they can just reset it and catch the emails etc! So email security is number one with what you set at your registrar!
Clearly buying domain names right now is risky. With several being stolen, these domains likely will be hitting the market for some quick cash. Watch out for 3 letter, 4 number and one word generic .com domains listed for sale that seem way too cheap.
Hopefully Moniker, GoDaddy, Register.com, Joker.com and any others affected work closely with those affected by the recent domain thefts and some good can come out of this (more secure domain accounts / domains).