SEDO security warning letter

Status
Not open for further replies.
SedoCoUk

Guest
Hi all,

The email was sent out to SedoPro members, but if you use multiple parking companies then it is important:

We have been informed that due to a security problem at one of our competitors a list of their customer data including plaintext passwords is currently circulating on the web including relevant hacker forums.

Our Security and Compliance Team has found several of our own customers matching the publicly available list. Due to the seriousness of this matter combined with the possibility that you might be using the same login data/password at more than one parking company, we strongly suggest you to change your password at Sedo.

Sedo uses cryptographically unbreakable ciphertext for password checks and does not store your password in plaintext. This, and a variety of other security measures, ensures that your Sedo account is always safe from third parties.

We generally recommend to always use different login IDs for different sites and never hand out login IDs to any third party.

Should you have any further questions or needs, your dedicated account manager is looking forward to help.

Kind regards,
Your Sedo Security & Compliance Team


With regards to some of the points made above... I think out of professional courtesy it is correct to not call out a particular organization. However, as we have clients who use multiple parking companies, it is our responsibility to advise people that it may be wise to update their password.

Best,

Tom
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,316
Reaction score
2,217
Tom, I think that it's more offending to call another PPC company a "competitor" than to name it directly, thus assisting in users taking direct steps in changing their passwords. I understand that even sending out that email is a step in the right direction, however I had to visit DNForum in order to find out which PPC company's data was leaked.
 

jdomains

Level 3
Legacy Platinum Member
Joined
Aug 24, 2006
Messages
50
Reaction score
0
This is why I have a different password for every single site that I login into lol
 

draggar

þórr mjǫlnir
Legacy Exclusive Member
Joined
Dec 26, 2007
Messages
7,357
Reaction score
223
I just got this from NameDrive:

Hello,

This is a mail to inform you that a minimal number of NameDrive accounts
were the targets of a security breach recently.
This affected less than 1% of our database.

While we do not believe that your account has been affected and we have
no indication of unauthorized access, we are informing you as a
precaution that you should change your login passwords to any other
online programs for which you use the same password as you do to log
into NameDrive.com.

Your NameDrive password has already been changed automatically for you.

If you haven't already done so, you can retrieve your new password by
logging into your account on the NameDrive homepage.

While we have always had strict security measures in place, we have
taken yet further measures to enhance our security measures with
immediate effect.

If you have any questions, please feel free to contact us at
[email protected].

Your NameDrive team
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,316
Reaction score
2,217
Yeah I got it too about an hour ago.
 

Sonny Banks

Legacy Exclusive Member
Joined
Jul 18, 2008
Messages
3,940
Reaction score
0
Acro it's time you write an article on your blog about this scandalous fact.
 

nts

DNF Addict
Legacy Exclusive Member
Joined
Jul 5, 2005
Messages
796
Reaction score
1
a list of their customer data including plaintext passwords

Plaintext passwords, really? I find it very disturbing that any site, let alone namedrive, would take the risk of storing passwords without hashing them...
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,316
Reaction score
2,217
There is no indication the plaintext passwords were stored as such with ND or if they were bruteforced. Hashed passwords are more secure in the sense that they require reversal but they are not uncrackable. The hackers apparently compromised a ND server that contained customer data and perused it for their benefit. Anyone knows where the data was posted at?
 

katherine

Country hopper
Legacy Exclusive Member
Joined
Jul 9, 2005
Messages
8,428
Reaction score
1,290
Plaintext passwords, really? I find it very disturbing that any site, let alone namedrive, would take the risk of storing passwords without hashing them...
I know of a few registrars, including one that puts great emphasis on security, that don't see anything wrong with storing passwords in plain text (cough cough).
 

dvdrip

Level 9
Legacy Exclusive Member
Joined
Jul 21, 2002
Messages
2,782
Reaction score
24
I know of a few registrars, including one that puts great emphasis on security, that don't see anything wrong with storing passwords in plain text (cough cough).

Which one? Please PM if you don't want to say.
 

Focus

Making Everything Click
Legacy Exclusive Member
Joined
May 15, 2005
Messages
8,934
Reaction score
244
these companies are totally frickin reckless with our important & sensitive data, geez
 

katherine

Country hopper
Legacy Exclusive Member
Joined
Jul 9, 2005
Messages
8,428
Reaction score
1,290
It's easy to find out.
Try the password reminder feature of your registrar.
If your password is on file it can be mailed to you. If it's encrypted using a hash (one-way) algorithm then you have to choose another one.
Hashing doesn't really help if your password is weak - it can be reverse-engineered easily - but it helps mitigate the risk in case of data breach.
 

katherine

Country hopper
Legacy Exclusive Member
Joined
Jul 9, 2005
Messages
8,428
Reaction score
1,290
Today I requested my new Namedrive password and I notice something funny.
The new password actually reads like this:

{my previous password}_1137884883

I thought to myself, this password is not random and the number looks like a Unix timestamp.
So let's run it in mySQL:
Code:
SELECT FROM_UNIXTIME( 1137884883 )

=> 2006-01-22 01:08:03
I believe this is my registration date !

So I think Namedrive just ran a quick & dirty SQL query instead of using a random sequence.
Let me reverse-engineer the SQL that was used:
Code:
UPDATE members SET user_password = concat( user_password, '_', UNIX_TIMESTAMP( reg_date ) )
:cheeky:

BTW I'm not keeping that default password, thank you.
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,316
Reaction score
2,217
NameDrive, please fire that programmer. There are plenty of alternatives in the market today.
 

katherine

Country hopper
Legacy Exclusive Member
Joined
Jul 9, 2005
Messages
8,428
Reaction score
1,290
So it means that if the hackers have got these two fields from the database:
  • old_password (in plain text)
  • reg. date time
they already have the new passwords. They just have to derive them.

BTW nobody from Namedrive has posted here yet ;)
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,316
Reaction score
2,217
I hope the NameDrive database programmer is working extra time this weekend to save his ass. This is extremely bad programming practices and when I ripped Sedo in the past for something similar they fixed it in 24 hours quite well.
 

katherine

Country hopper
Legacy Exclusive Member
Joined
Jul 9, 2005
Messages
8,428
Reaction score
1,290
Now that I changed my password, I asked for a reminder.
I got my password mailed to me so they are still stored in plain text.
When will people ever learn ?
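An added example, not code from any poster or from NameDrive: the Python below shows why the reset scheme inferred in the thread is derivable from the two exposed fields, next to a contrasting approach in which the temporary password comes from a CSPRNG and only a salted scrypt hash is stored, so no reminder e-mail can ever contain the password. The sample row, the `hunter2` value, the function names and the UTC+2 offset (the offset at which the post's timestamp and date agree) are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed sample row with the two fields the thread says were exposed.
# Assumption: reg_date is read in UTC+2, the offset at which the post's
# timestamp 1137884883 and date 2006-01-22 01:08:03 agree.
LEAKED_ROW = {
    "old_password": "hunter2",  # constructed value
    "reg_date": datetime(2006, 1, 22, 1, 8, 3, tzinfo=timezone(timedelta(hours=2))),
}


def weak_reset(old_password: str, reg_date: datetime) -> str:
    """Reset scheme inferred in the thread: old password + '_' + Unix time."""
    return f"{old_password}_{int(reg_date.timestamp())}"


def strong_reset() -> str:
    """Temporary password from the OS CSPRNG, unrelated to any stored field."""
    return secrets.token_urlsafe(16)  # 128 bits of randomness


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest); only these are stored, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Whoever holds the exposed row can recompute the "new" password exactly.
    print("weak reset:  ", weak_reset(**LEAKED_ROW))
    temp = strong_reset()
    salt, digest = hash_password(temp)
    # The stored record can verify a login but cannot be mailed as a reminder.
    print("strong reset:", temp, "| verifies:", verify_password(temp, salt, digest))
```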
 