
I discovered a Sedo data breach - and they don't seem to care.

Sedo has a nice feature on their My Portfolio screen that tells you how many domains have been removed from your account in the last 7 days. Since this includes sales at Sedo and those removed in the sync and manual processes, I generally don't pay much attention to it... but this week I took a look. On this list was a domain I've owned for quite a while, and one that I *KNOW* I did not sell or remove.

I emailed my account rep, and soon got this response:

I hope that you are well, thank you very much for reaching out to us. It appears that one of our enterprise partners has been including [domain name] in their account through their API lists, so we have reached out to them to prevent this from happening again. I apologize for the inconvenience and thank you for your communication, I wish you a great day.

HOLY CRAP! This is NOT an "inconvenience", this explanation means that some random person has API access that allows them to add/change/DELETE domains in OTHER people's accounts! And their response is NOT to commit to fixing the security hole, but to ASK THEM TO STOP MAKING CHANGES TO MY ACCOUNT!

I would think this was some sort of joke if I didn't see it myself. I have no idea how often this other person, presumably a competitor trying to kill my sales, has accessed my account, or whether they also have access to my bank account and personal info. Data breaches are required by law to be disclosed to affected customers, so I have asked to speak to a Sedo executive about this.

For now -- CHECK YOUR ACCOUNTS, especially any bank accounts that Sedo may have access to.
 
11
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
ugh, Sedo does not have access to your bank account. They have information about your bank account that is sufficient and useful only for depositing funds into the said bank account. They can never "remove" funds from bank accounts by themselves.

Utterly false. You clearly have not read your ACH agreement.
 
0
•••
lol. Good luck with your conspiracy theories and belief. I don't disagree that this issue is a pain and should be fixed some way. But a data breach this is not! I'm not going to bother arguing with you as you obviously don't understand the issue fully.

Ps. Afternic has this exact same problem (documented in the Afternic mega thread and other threads). So they also have a data breach and allow others to access your account. Hope your domains are safe there!


Sedo today confirmed what happened - this is indeed a data breach. Glad to hear that you won't continue posting false information about this.
 
2
•••
Utterly false. You clearly have not read your ACH agreement.
Please quote what's in your agreement. My agreement has nothing to that effect. So it's utterly true.
 
0
•••
Where's the "data breach"?

Very misleading thread title which you should probably edit to something more appropriate.
 
0
•••
From wiki
Definition: "A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so."[1] "Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), Personally identifiable information (PII), trade secrets of corporations or intellectual property. Most data breaches involve overexposed and vulnerable unstructured data – files, documents, and sensitive information."
While it may be a poor choice of words, I think blocking a sale of a name is essentially stealing money?
 
0
•••
Thanks for pointing this out.
I always add names to numerous places including sedo
I also use namesilo domain link manager and check often the numbers match.
People are always looking for flaws to abuse systems. Scum lol
 
0
•••
While it may be a poor choice of words, I think blocking a sale of a name is essentially stealing money?
Blocking a listing. What makes you say that it was a sale or that the name would even sell?
 
0
•••
Blocking a listing. What makes you say that it was a sale or that the name would even sell?
I guess we'll never know, beside the point. I guess you wouldn't mind if I applied for an API and delisted your names for a quick experiment?

I understand everyone wants to cater to their biggest repeat customers, but don't let it affect your mission as a company.
 
Last edited:
0
•••
I guess we'll never know, beside the point. I guess you wouldn't mind if I applied for an API and delisted your names for a quick experiment?
Nope... Go ahead... Btw, please go and read my original message. I did not say this is a good thing or that I support it. Nor was it my point. You can try to twist my words but I know what I stated and it is fairly obvious in my original message as well.
 
1
•••
I asked Sedo about that and was told that there are no "super users"/third parties being able to modify other user listings and that only Sedo employees can do that.
 
1
•••
I don't think it's a data breach.

Some sellers have thousands of domains & they do bulk submissions, it's possible to submit names no longer owned by mistake, this is not unique to Sedo, same happens on Afternic. I think invalid listings will always be there, maybe more so after the 25th as a result of GDPR.

Yes, you probably found a bug which Sedo may decide to fix or not, where an API user with unique Partnerid is able to remove/affect names in another user's portfolio. I think this is wrong.

However, we do not know how Sedo's database is structured, for example in their DB they might have domain list table, user list table, payments table etc, so just because a user has access to domain list table, does not mean they have access to payments table etc. Suggest you report it as a bug & they can investigate further.

If you don't mind sharing, what's the name?
 
Last edited:
0
•••
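An added example (not code from Sedo, Afternic or anyone in this thread) sketching the bug the post above describes and the portfolio cross-check an earlier reply mentions: a toy listing store where a bulk delist API is shown first unscoped, then scoped to the caller's partner ID with cross-account attempts logged, plus a reconciliation helper that flags names missing from the marketplace. All domain names and partner IDs are constructed.

```python
"""Toy marketplace listing store (constructed; not any real marketplace's code).
Shows why a bulk delist call must be scoped to the calling partner's own
listings, and how a seller can reconcile their portfolio against the market."""
from dataclasses import dataclass, field


@dataclass
class ListingStore:
    # domain -> partner_id that listed it (constructed sample data)
    listings: dict = field(default_factory=dict)
    # records of rejected cross-account operations, for review
    audit: list = field(default_factory=list)

    def delist_unscoped(self, partner_id: str, domains: list) -> list:
        """Vulnerable shape: a bulk upload removes any listed name it is
        handed, regardless of which account owns that listing."""
        removed = []
        for d in domains:
            if d in self.listings:
                del self.listings[d]
                removed.append(d)
        return removed

    def delist_scoped(self, partner_id: str, domains: list) -> tuple:
        """Hardened shape: only the caller's own listings are touched; every
        attempt on another account's listing is rejected and audited."""
        removed, rejected = [], []
        for d in domains:
            owner = self.listings.get(d)
            if owner is None:
                continue  # not listed at all; nothing to do
            if owner != partner_id:
                rejected.append(d)
                self.audit.append(("cross_account_delist", partner_id, d))
                continue
            del self.listings[d]
            removed.append(d)
        return removed, rejected


def missing_listings(portfolio: list, store: ListingStore) -> list:
    """Seller-side reconciliation: names in the registrar portfolio that are
    no longer listed at the marketplace. A non-empty result needs a look."""
    return sorted(d for d in portfolio if d not in store.listings)


if __name__ == "__main__":
    store = ListingStore({"alpha.example": "P1", "beta.example": "P2"})
    # P2's bulk list still contains alpha.example, which belongs to P1
    print(store.delist_scoped("P2", ["alpha.example", "beta.example"]))
    print(missing_listings(["alpha.example", "gamma.example"], store))
```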