Name.com Security Notice

RobertClarke Member, Host Rep
edited May 2013 in General

Just got this from Name.com: http://pastebin.com/xqeetsMP


Comments

  • jarjar Patron Provider, Top Host, Veteran
    edited May 2013

    Just as well. I was using a crappy password. You know the one you just don't want to admit to anyone that you still sometimes use. Finally drops out of rotation today.
    (Of course I only used it for nonessential things, nothing in there is a big deal :P)

  • RobertClarke Member, Host Rep

    Darn, changed my idea for the thread hence the delay, was clearly just a bit too late :(

  • I have an account with them, and I don't receive the email =(

    But I have already changed my password.

  • Isn't this related to the Linode breach?

  • Jacob Member

    Namecheap woo!

  • Mycroft Member

    It was known yesterday

  • Just a tip: Best not to click the link in emails in case it is phishing. Instead, go direct to https://www.name.com/account/login.php and change your password.

  • eric1212 Member
    edited May 2013

    @mpkossen said: Isn't this related to the Linode breach?

    To break into Linode, HTP broke into their domain name registrar (name.com). They planned to secretly take control of linode.com, and replace it with a version of linode.com that would look and feel and work correctly, but had one additional feature -- it would collect the login information that people typed in.

    https://news.ycombinator.com/item?id=5667027

  • dano Member

    On a totally unrelated note, small world -- I went to name.com and my old boss is on the home page (guy with glasses).

  • yomero Member

    So, and even these guys didn't know that they were f*d until yesterday!!??

  • @dano said: (guy with glasses).

    is Kim Dotcom !!!

  • DewlanceVPS Member, Patron Provider
    edited May 2013

    sihT si a ekaf liame
    ..

    ...

    .
    ..<< (This is a fake email)

  • jarjar Patron Provider, Top Host, Veteran

    @DewlanceVPS said: Fake email.

    Nope.

  • kbeezie Member

    By the way any email that says "click this link to reset", is 99.99% bogus, most legitimate companies would never ask that due to the high risk of phishing scams involved in "click this", rather they instruct you to log in (without a link provided) and reset [or there will be a dialog to reset if your account has been disabled temporarily].

    So yea this:

    Please click the link below to reset your password:

    Big red flag in my opinion.

  • @kbeezie said: Big red flag in my opinion.

    I agree. As I mentioned in a post a few hours ago.. Best just to go to their site. I see that they asked me to change my password once I tried to log in.

  • Name.com is confirming on their Twitter that they did indeed send the email with a unique link.... very strange.

  • jarjar Patron Provider, Top Host, Veteran
    edited May 2013

    @eric1212 said: very strange

    Not really.

    @kbeezie said: Big red flag in my opinion.

    Probably scrambled to get this all done and didn't think much of it. They're a small operation. You can sit around talking about things all day to find the best way to get things done in a way that pleases the most people, or you can...get things done ;)

  • @jarland said: Not really.

    Jarland,

    Just seems to be a bit of a security risk.. as someone could falsely ID themselves as Name.com, send you a unique link, and then capture your password.
    A better idea may be saying "log in and click Change Password", or force them to change their password next time they log in (seems like they're doing this too which is a good thing).

    I just hope this doesn't backfire :) Nice to see they're at least TRYING to do something about this -- they're working on a blog post about it as well.

    -Eric

  • Soylent Member

    Name.com's password change specifically won't let you use your previous password, so what are the phishers going to capture? The thing that's not your password yet? Lots of people still do password changes this way. It's not like best practices on this don't change once a week.

  • seikan Member

    Huh.. changed my password as well...

  • kbeezie Member

    @jarland said: Not really.

    Even the small ops have learned from the big boys drilling into their faces with the "Such and Such Company will never ask for your password or ask you to click on a link".

    If a small firm can't seem to grasp that kind of "diplomacy" for lack of a better term this late in the game, then they're basically setting themselves up for future problems and exploits (since I can guarantee you there's some phishers copying those emails as we speak, and since it's been done before, their customers won't think much of clicking on a link).

  • @Soylent said: Name.com's password change specifically won't let you use your previous password, so what are the phishers going to capture?

    Oh please! 99% of people will reuse their old name.com password! I kid you not. It happened with a breach in my country's TLD registry. They reset passwords and when you tried to log in it asked you to set a new password. Problem was that a lot of people just set the same old password they used before. Guess what happened next? Yeah they got hacked! So double fail for the registry but also shows you how ordinary people behave.

  • DomainBop Member
    edited May 2013

    They're a small operation.

    They're owned by a very large NYSE traded public company. Demand Media bought them in January.

    If a small firm can't seem to grasp that kind of "diplomacy"

    Diplomacy isn't something you'd expect from a registrar that has a long history of such unsavory practices as domain tasting and DNS hijacking. :)

  • Soylent Member
    edited May 2013

    @Abdussamad said: Oh please! 99% of people will reuse their old name.com password! I kid you not. It happened with a breach in my country's TLD registry. They reset passwords and when you tried to log in it asked you to set a new password. Problem was that a lot of people just set the same old password they used before. Guess what happened next? Yeah they got hacked! So double fail for the registry but also shows you how ordinary people behave.

    @Soylent said: Name.com's password change specifically won't let you use your previous password

    You even quoted it, so I'm pretty sure you saw it.

  • TommehM Member

    @DewlanceVPS said: Fake email

    Nope, Chuck Testa.

  • Abdussamad Member
    edited May 2013

    @Soylent said: You even quoted it, so I'm pretty sure you saw it.

    My goodness you don't get it, do you?! How does the user know name.com won't accept the old passwords until he visits the page and actually tries it out? As I pointed out before the natural inclination of most users is to set the old password so that is the first one they are going to try. If the page they are visiting is a phishing page they have just gone and revealed their password!

    Yes in this instance it isn't a phishing page but by emailing a link to the password reset page name.com has paved the way for phishers to send such emails in future.

  • Soylent Member
    edited May 2013

    ...which won't work, because their account is locked. Which is the point of locking their account.

  • @Abdussamad said: Oh please! 99% of people will reuse their old name.com password!

    How hard would it be to use a service like Lastpass and use it to generate and store secure passwords?

  • @Soylent said: ...which won't work, because their account is locked. Which is the point of locking their account.

    I didn't know all accounts were locked. But it still opens up the possibility of using this method in future to trick users into revealing their passwords.

    @joelgm said: How hard would it be to use a service like Lastpass and use it to generate and store secure passwords?

    Ordinary people don't know anything about password security. They don't care in the least:

    http://xato.net/passwords/more-top-worst-passwords/
