Name.com Security Notice
RobertClarke
Member, Host Rep
Just got this from Name.com: http://pastebin.com/xqeetsMP
Comments
Just as well. I was using a crappy password. You know the one you just don't want to admit to anyone that you still sometimes use. Finally drops out of rotation today.
(Of course I only used it for nonessential things, nothing in there is a big deal :P)
Oops, it seems I came 3 minutes later: http://www.lowendtalk.com/discussion/10318/hackers-break-in-to-prominent-domain-registrars-moniker-melbourne-it-name.com-and-xinnet#Item_1
Darn, changed my idea for the thread hence the delay, was clearly just a bit too late
I have an account with them, and I don't receive the email =(
But I have already changed my password.
Isn't this related to the Linode breach?
Namecheap woo!
It was known yesterday
Just a tip: Best not to click the link in emails in case it is phishing. Instead, go direct to https://www.name.com/account/login.php and change your password.
https://news.ycombinator.com/item?id=5667027
On a totally unrelated note, small world -- I went to name.com and my old boss is on the home page (guy with glasses).
So, and even these guys didn't know that they were f*d until yesterday!!??
is Kim Dotcom !!!
sihT si a ekaf liame
..
...
.
..<< (This is a fake email)
Nope.
By the way, any email that says "click this link to reset" is 99.99% bogus; most legitimate companies would never ask that due to the high risk of phishing scams involved in "click this", rather they instruct you to log in (without a link provided) and reset [or there will be a dialog to reset if your account has been disabled temporarily].
So yea this:
Big red flag in my opinion.
I agree. As I mentioned in a post a few hours ago.. Best just to go to their site. I see that they asked me to change my password once I tried to login.
Name.com is confirming on their Twitter that they did indeed send the email with a unique link.... very strange.
Not really.
Probably scrambled to get this all done and didn't think much of it. They're a small operation. You can sit around talking about things all day to find the best way to get things done in a way that pleases the most people, or you can...get things done
Jarland,
Just seems to be a bit of a security risk.. as someone could falsely ID themselves as Name.com, send you a unique link, and then capture your password.
A better idea may be saying "login and click Change Password", or force them to change their password next time they login (seems like they're doing this too which is a good thing).
I just hope this doesn't backfire. Nice to see they're at least TRYING to do something about this -- they're working on a blog post about it as well.
-Eric
Name.com's password change specifically won't let you use your previous password, so what are the phishers going to capture? The thing that's not your password yet? Lots of people still do password changes this way. It's not like best practices on this don't change once a week.
Huh.. changed my password as well...
Even the small ops have learned from the big boys drilling into their faces with the "Such and Such Company will never ask for your password or ask you to click on a link".
If a small firm can't seem to grasp that kind of "diplomacy" for lack of a better term this late in the game, then they're basically setting themselves up for future problems and exploits (since I can guarantee you there's some phishers copying those emails as we speak, and since it's been done before, their customers won't think much of clicking on a link).
Oh please! 99% of people will reuse their old name.com password! I kid you not. It happened with a breach in my country's TLD registry. They reset passwords and when you tried to log in it asked you to set a new password. Problem was that a lot of people just set the same old password they used before. Guess what happened next? Yeah they got hacked! So double fail for the registry but also shows you how ordinary people behave.
They're owned by a very large NYSE traded public company. Demand Media bought them in January.
Diplomacy isn't something you'd expect from a registrar that has a long history of such unsavory practices as domain tasting and DNS hijacking.
You even quoted it, so I'm pretty sure you saw it.
Nope, Chuck Testa.
My goodness you don't get it, do you?! How does the user know name.com won't accept the old passwords until he visits the page and actually tries it out? As I pointed out before the natural inclination of most users is to set the old password so that is the first one they are going to try. If the page they are visiting is a phishing page they have just gone and revealed their password!
Yes in this instance it isn't a phishing page but by emailing a link to the password reset page name.com has paved the way for phishers to send such emails in future.
...which won't work, because their account is locked. Which is the point of locking their account.
How hard would it be to use a service like Lastpass and use it to generate and store secure passwords?
I didn't know all accounts were locked. But it still opens up the possibility of using this method in future to trick users into revealing their passwords.
Ordinary people don't know anything about password security. They don't care in the least:
http://xato.net/passwords/more-top-worst-passwords/