Labeled as security in Domain Industry News, started by Mister Funsky, Feb 22, 2021
It feels like Afternic is held together with threads, scrap metal, and glue.
Is it justified that they don't allow us to remove our payout information/bank information from our account? What is the solution for that now?
Thank you for sharing your discovery and it is good to hear they took care of it quickly...no telling how far things might have gone had it remained.
I don't think bank details were affected, they seem to be using a third party to collect the details.
I entered my bank details many times and already received a payout. However, on the dashboard, I continue to be prompted to provide my payment details.
Ditto Pokémon ....
received the same email
I don't think I did, and if I did, I probably deleted it among the mass of spam including fAsT TraNSfER OpT-In emails because their software is that of a broken microwave.
I have now removed all my domains from Afternic.
What exactly did he say?
Maybe they sold some users' data, and are now inventing an excuse.
Still no email. So unfair.
I didn't get the email either. Seems they sent the email only to the impacted customers.
I got the same email. Since this hack happened I have received a lot of spam too. My spammers are quoting the domain names I listed on Afternic and offering me some bumps, marketing tools... I’m glad for the junk folder.
Yes I read that article and wondered "What is the YubiKey doing there?"
When there's a bug/hole in the Godaddy API, this won't protect you.
With the data that was accessible it's possible to send targeted phishing mails to try to obtain users' passwords. In that case two factor auth would help.
Fast transfer should be linked to a certain price, imo. If the price is changed, you should have to opt-in again at the registrar.
In general, I agree that 2FA is one of the best ways to protect your accounts, no question about that. My point is that you can't do much when the underlying system has these bugs as mentioned in this thread. Advanced registry locks are also preferred, but not all registrars are offering these services.
We've also seen Godaddy personnel acting as an attack vector. Customers having 2FA won't help there either. It's good that Godaddy is doing phishing tests on a regular basis, but still too many employees clicked the email and gave their credentials. Christmas was maybe not the best time to do the phishing test.
With regard to Afternic as a standalone service, I really think this is the year it has to be fully integrated with Godaddy, as it has become unmanageable.
Thanks for thinking about security, @suitedbrand - I really appreciate it.
I agree and think it would be great if they unite everything in one platform using the Uniregistry UI, now that they own it.
The breach made it possible to change prices?
No, it didn't, but it would be great to have that as a general security measure.
I've got the email as well - received it into my spam folder - lol
Why, @Joe Styler, can’t we remove old payout info? On Afternic or on GoDaddy.
When will they at least add 2FA? It’s utter madness; a company of this size is so slow to protect its customers.
We are paying them 20% commissions on sales! It’s time we stopped being quiet...and get them to start acting like a company that cares for its customers.
These days I am getting a lot of spam to my email addresses, related especially to domain names and my preferences. This explains everything... noting that I didn't receive that email!
Actually I think notifying its customers 10 days after the hack is pretty quick and very good. I got the email. These days every site that is worth anything gets hacked on the net. Security will get better as the companies building it improve over time. It's today's world folks.
There have been quite a few accounts recently that seem like new throwaway accounts with no history, no picture and a generic name. I have my name, picture and everyone knows how to contact me on various social media channels or via email and some even text.
I don't mind answering any questions or helping anyone I can. My years here have shown that but I am a bit suspicious about the various new accounts popping up in the last week or two with generic info.
On removing old payees we cannot always remove them for various reasons such as regulatory concerns. There are a few variables to go into.