security Afternic just notified me of a breach

[Mister Funsky]

So, did anyone else get this notice?

Dear xxxxxxxxxxx ,

We want to make you aware of a security incident we recently identified.

On Thursday, February 12, a security researcher contacted us about a potential issue with a Web API. We immediately opened an investigation and found a misconfigured server accessible though the API. Using this API, the security researcher crafted a specific request that returned information from other customer accounts.

Through our audits, we identified this specific API call was run against a small segment of our customers’ accounts. Unfortunately, your information may have been viewed using this call, which includes your first name, last name, email address, physical address, telephone number, and your Afternic username. At no point was your password or credit card information at risk.

As soon as we identified the issue, we removed the server from rotation, securing our API infrastructure.

Please monitor for any suspicious communications that may come from third parties through the contact details that were on your Afternic account (e.g. email/telephone number).

We are very sorry this incident happened. Protecting the privacy of our customers is our top priority and we let you down in this instance. Our team is committed to preventing these types of incidents in the future and we’ll always be forthcoming in our communications with you.

If you have any questions, please email [email protected].

Best regards,
The Afternic Team

 

[Peak.Domains]

It feels like Afternic is held together with threads, scrap metal, and glue.

 

[MHExplorer]

Is it justified that they don't allow us to remove our payout information/bank information from our account ? What is the solution for that now ?

 

[Mister Funsky]

I reported the issue and after @Paul Nicks read my message it was fixed pretty quickly.

Thank you for sharing your discovery and it is good to hear they took care of it quickly...no telling how far things might have gone had it remained.

 

[suitedbrand]

What about the bank details (payout details). All gone.

I don't think bank details were affected, they seem to be using a third party to collect the details.

I entered my bank details many times and already received a payout. However, on the dashboard, I continue to be prompted to provide my payment details.

 

[Alop]

Ditto.

Ditto Pokémon ....

 

[Reallybigidea.com]

received the same email

 

[King]

I don't think I did, and if I did, I probably deleted it among the mass of spam including fAsT TraNSfER OpT-In emails because their software is that of a broken microwave.

I have now removed all my domains from Afternic.

 

[topdom]

@Joe Styler was serious when he said "there is a lot going on at Afternic"... Shaking my head...

What exactly did he say?

 

[topdom]

Maybe they sold some users' data, and now inventing an excuse.

 

[The Durfer]

Not yet received the email about the breach. When did you all receive the email?

Yesterday.

 

[Future Sensors]

Yesterday.

Still no email. So unfair.

 

[Mytz.com]

no reyly

 

[dumindu89]

Me too didn't get the email. Seems they sent the email only to the impacted customers.

https://domainnamewire.com/2021/02/22/godaddys-afternic-had-security-hole/

 

[MustaAras]

I just got the email as well. Maybe that's why I'm receiving more spam calls and emails than usual??

I got the same email, since this hack happened i received many spams too. My spammers are quoting the domain names i listed on Afternic and offering me some bumps, marketing tools... I’m glad for the junk folder.

 

[Future Sensors]

Me too didn't get the email. Seems they sent the email only to the impacted customers.

https://domainnamewire.com/2021/02/22/godaddys-afternic-had-security-hole/

Yes I read that article and wondered "What is the YubiKey doing there?"

When there's a bug/hole in the Godaddy API, this won't protect you.

 

[suitedbrand]

With the data that was accessible it's possible to send targeted phishing mails to try to obtain users' passwords. In that case two factor auth would help.

Fast transfer should be linked to a certain price, imo. If the price is changed, you should have to opt-in again at the registrar.

 

[Future Sensors]

With the data that was accessible it's possible to send targeted phishing mails to try to obtain users' passwords. In that case two factor auth would help.

Fast transfer should be linked to a certain price, imo. If the price is changed, you should have to opt-in again at the registrar.

In general, I agree that 2FA is one of the best ways to protect your accounts, no question about that. My point is that you can't do much when the underlying system has these bugs as mentioned in this thread. Advanced registry locks are also preferred, but not all registrars are offering these services.

We've also seen Godaddy personnel acting as an attack vector. Customers having 2FA won't help there either. It's good that Godaddy is doing phishing tests on a regular basis, but still too many employees clicked the email and gave their credentials. Christmas was maybe not the best time to do the phishing test.

https://krebsonsecurity.com/2020/03/phish-of-godaddy-employee-jeopardized-escrow-com-among-others/

https://krebsonsecurity.com/2020/11...-attacks-on-multiple-cryptocurrency-services/

With regard to Afternic as a standalone service, I really think this is the year it has to be fully integrated with Godaddy, as it has become unmanageable.

Thanks for thinking about security, @suitedbrand - I really appreciate it.

 

[suitedbrand]

I agree and think it would be great if they unite everything in one platform using the Uniregistry UI, now that they own it.

 

[domaineed]

If the price is changed, you should have to opt-in again

The breach made it possible to change prices?

 

[suitedbrand]

The breach made it possible to change prices?

No, it didn't, but it would be great to have that as a general security measure.

 

[1Darko]

I've got the email as well - received it into my spam folder - lol

 

[dnx]

Is it justified that they don't allow us to remove our payout information/bank information from our account ? What is the solution for that now ?

+1
Why @Joe Styler can’t we remove old payout info? On Afternic or on godaddy


when will they at least add 2FA it’s utter madness, a company of this size is so slow to protect its customers.

We are paying them 20% commissions on sales! It’s time we stopped being quiet...and get them to start acting like a company that cares for its customers.

 

[TheBuyerz]

This days I am getting many spams to my emails and related especially to domain names and my preferences. This explain everything... noting that I didn't recieved that email !

 

[likemike]

Actually I think notifying its customers 10 days after the hack is pretty quick and very good. I got the email. These days every site that is worth anything gets hacked on the net. Security will get better as the companies building it improve over time. It's today's world folks.

 

[Joe Styler]

+1
Why @Joe Styler can’t we remove old payout info? On Afternic or on godaddy


when will they at least add 2FA it’s utter madness, a company of this size is so slow to protect its customers.

We are paying them 20% commissions on sales! It’s time we stopped being quiet...and get them to start acting like a company that cares for its customers.

There have been quite a few accounts recently that seem like new throwaway accounts with no history, no picture and a generic name. I have my name, picture and everyone knows how to contact me on various social media channels or via email and some even text.

I don't mind answering any questions or helping anyone I can. My years here have shown that but I am a bit suspicious about the various new accounts popping up in the last week or two with generic info.

On removing old payees we cannot always remove them for various reasons such as regulatory concerns. There are a few variables to go into.