Cybercrime , Fraud Management & Cybercrime , Governance

Trio of Web Registrars Disclose 22 Million Accounts Breached

Account Information Exposed for Web.com, Network Solutions and Register.com
Trio of Web Registrars Disclose 22 Million Accounts Breached
Photo: PGA Tour

A trio of well-known domain name registrars are mandating a password reset after revealing a breach affecting about 22 million accounts that occurred in late August.

See Also: Live Webinar | Embracing Digital Risk Protection: Take Your Threat Intelligence to the Next Level

Web.com and two of its brands, Network Solutions and Register.com, published identical breach notices, noting "that a third party gained unauthorized access to a limited number of our computer systems." The incident was discovered on Oct. 16.

"Upon discovery of this unauthorized access, the company immediately began working with an independent cybersecurity firm to conduct a comprehensive investigation to determine the scope of the incident, including the specific data impacted," according to the notices. "We have also reported the intrusion to federal authorities and are notifying affected customers."

No Credit Cards Exposed

The exposed account data, which encompasses current and former accounts, includes names, addresses, phone numbers, email addresses and services held by the account owner. The three registrars say they're notifying victims by email.

"We encrypt credit card numbers, and no credit card data was compromised as a result of this incident," the notices say.

"Upon discovery of this unauthorized access, the company immediately began working with an independent cybersecurity firm to conduct a comprehensive investigation to determine the scope of the incident, including the specific data impacted."
—Web.com

Some accounts were created within Europe. "We are in the process of making the filings with the appropriate authorities, including those required under the GDPR [General Data Protection Regulation]," Web.com says in a statement provided to Information Security Media Group.

Risks of Domain Takeovers

Web hosting and domain name services are attractive targets for attackers. Web.com maintains, however, that the breach hasn't resulted in tampering with their clients' Domain Name System, or DNS, settings. But the kind of information breached could give attackers enough contact information to try to social engineer victims into divulging account credentials.

DNS hijacking attacks are particularly dangerous. Domain name registrars usually offer control panels where domain-name registrants can alter their hosting settings, including mapping a domain name to a different IP address.

With account credentials in hand, an attacker could map a victim's domain name to a new IP address, setting up a look-a-like website that would appear to be legitimate. It also may be possible to reroute an organization's email, posing risks of sensitive data disclosure.

In January, FireEye described new DNS hijacking campaigns. The attackers are believed to "have a nexus to Iran," FireEye wrote.

The attacks involved changing the DNS "A" record, which links a domain name to an IP address. Another variant involved changing nameserver records, which point to the authoritative record for a particular domain.

"A large number of organizations have been affected by this pattern of DNS record manipulation and fraudulent SSL certificates," FireEye writes. "They include telecoms and ISP providers, internet infrastructure providers, government and sensitive commercial entities."

FireEye recommends that organizations use two-step verification for access to domain admin portals as well as validating DNS A record or nameserver changes. Also, organizations can search for and revoke fraudulent TLS certificates that may have been set up.


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.