I discovered a Sedo data breach - and they don't seem to care.

Sedo has a nice feature on their My Portfolio screen that tells you how many domains have been removed from your account in the last 7 days. Since this includes sales at Sedo and those removed in the sync and manual processes, I generally don't pay much attention to it... but this week I took a look. On this list was a domain I've owned for quite a while, and one that I *KNOW* I did not sell or remove.

I emailed my account rep, and soon got this response:

I hope that you are well; thank you very much for reaching out to us. It appears that one of our enterprise partners has been including [domain name] in their account through their API lists, so we have reached out to them to prevent this from happening again. I apologize for the inconvenience and thank you for your communication. I wish you a great day.

HOLY CRAP! This is NOT an "inconvenience", this explanation means that some random person has API access that allows them to add/change/DELETE domains in OTHER peoples' accounts! And their response is NOT to commit to fixing the security hole, but to ASK THEM TO STOP MAKING CHANGES TO MY ACCOUNT!

I would think this was some sort of joke if I didn't see it myself. I have no idea how often this other person, presumably a competitor trying to kill my sales, has accessed my account, or whether they also have access to my bank account and personal info. Data breaches are required by law to be disclosed to affected customers, so I have asked to speak to a Sedo executive about this.

For now -- CHECK YOUR ACCOUNTS, especially any bank accounts that Sedo may have access to.
some random person has API access that allows them to add/change/DELETE domains in OTHER peoples' accounts

Uh, no, that's not what the account rep stated (or at a minimum meant). What they did mean is that an enterprise user has API access to *THEIR* account and they added the said domain to *their* account. Now, their account also has privileges that automatically approve and list domains added by them. Consequently, these domains are removed from other account(s) under the assumption that the previous account is a stale and obsolete listing. Such super users are present on Afternic as well (and based on your anecdote, on Sedo) and are a PITA and major inconvenience. But that said, they do not have access to your account, hopefully (from an outsider's perspective).
Uh, no, that's not what the account rep stated (or at a minimum meant). What they did mean is that an enterprise user has API access to *THEIR* account and they added the said domain to *their* account. Now, their account also has privileges that automatically approve and list domains added by them. Consequently, these domains are removed from other account(s) under the assumption that the previous account is a stale and obsolete listing. Such super users are present on Afternic as well (and based on your anecdote, on Sedo) and are a PITA and major inconvenience. But that said, they do not have access to your account, hopefully (from an outsider's perspective).

YES - you just described what I said!

And as YOU spelled out, they have the ability (at a MINIMUM) to not only remove domains from my account, but to do so with no notification whatsoever -- which means they are hiding the wrongdoing, which is evidence that the fraud is intentional.

If I opened an account at your bank, and secretly transferred a chunk of money from your account to mine, I could go to prison -- that is a crime. This is not much different, and it doesn't make any difference what fancy title they put on the thief.

"they do not have access to your account" -- Yes, as I have proven, THEY DO!
I have more than 200 names in my Sedo and Afternic accounts. I never experienced such wrong deletion of domain names. Moreover, it is an over-exaggeration to say that Sedo has access to members' bank accounts.
I have more than 200 names in my Sedo and Afternic accounts. I never experienced such wrong deletion of domain names. Moreover, it is an over-exaggeration to say that Sedo has access to members' bank accounts.

Then it must be a mystery to you how they put money into my bank account from parking every month, and each time they sell a domain.
Then it must be a mystery to you how they put money into my bank account from parking every month, and each time they sell a domain.

They do deposit parking revenue and sales proceeds to your bank or PayPal account, but they cannot withdraw a single cent from your account unless you authorize them to do so.
It is a common issue. A number of "evil" superusers do not know what they own, and they add stuff to both Sedo and Afternic without any verification from either platform. I am personally aware of a few such users (based on their whois). They also have the balls to re-add domains in the circumstances described in this thread; once I saw this 5 times in a row (my domain deleted - I re-added it - they added it again - gone from my account again - etc).
Moreover, I saw how they add domains that I have owned for years - there was no drop or anything, it is mine, it was not on Afternic/Sedo (as I did not add them), but one day my domain may mystically appear for sale on one of the platforms. So, I periodically recheck my whole portfolio against the Sedo/Afternic databases, including domains that I have not listed on these platforms myself.
They do deposit parking revenue and sales proceeds to your bank or PayPal account, but they cannot withdraw a single cent from your account unless you authorize them to do so.

You just posted that they do not have access to our banks, so they can't deposit money either -- according to YOU.

And if you don't think people can pull money from your account with the information given to Sedo, post your banking details here and I will prove you wrong.
So, if such "superuser" adds my domain to their, say, Sedo account and deletes it from mine, and sets Sedo MLS along with BIN and domain sells - then the domain will automatically leave my registrar's account, if I already approved MLS at my registrar, and superuser will get paid for it? Is it possible?
And if you don't think people can pull money from your account with the information given to Sedo, post your banking details here and I will prove you wrong.
How???
For example, to send from my bank account - a randomly generated AUTH code must be entered.
if I already approved MLS at my registrar, and superuser will get paid for it? Is it possible?
Assuming that instant transfer approval is linked to the marketplace username (which should be the case, as common sense prompts), this scenario is unlikely. However, I think there was a thread right here on NP last year where an Afternic customer complained about exactly this problem (the domain left his registrar account).
I never had such autoremovals at Sedo for 10 years...
WHOIS Privacy is disabled on all my domains... And I guess, that's why no issues.
I'd never heard of these superusers, but it's disturbing. All the more reason to make sure the domains have public Whois, a secure email controlling them -- and that the bank account you allow Sedo access to (for sales, parking revenue) is a small account so if an ACH went the wrong way it wouldn't have a lot of impact.
Regarding their MLS...
As of today - 0 sales via this distribution for me...
GoDaddy is NOT covered by Sedo... so MLS is almost useless there.
This 'Super-user' thing explains why I have tried to add a domain name at Sedo several times without success. Sent screenshot from my control panel about 5 times but they still kept deleting it from my account. I found the name listed on Sedo to someone else. Made an offer to the guy in a bid to 'jog his memory' but no response. Complained to SEDO but no response. I gave up and listed the name in other places.
So, if such "superuser" adds my domain to their, say, Sedo account and deletes it from mine, and sets Sedo MLS along with BIN and domain sells - then the domain will automatically leave my registrar's account, if I already approved MLS at my registrar, and superuser will get paid for it? Is it possible?

That's the reason I don't do MLS, or whatever term other marketplaces give to it. I tried it with one name at Afternic but always keeping an eye on it. Aside from all the scary Netsol stories, I am not very comfortable with giving others authority to move my name whenever they like. I prefer to initiate the transfer myself upon sale!
"superusers" are usually Registrar accounts... which use Sedo as parking backend for the expired domains or as default lander...
Don't use any WHOIS Privacy and be happy!
There are also "superusers" (registrars) with Bodis or ParkingCrew backend...
And that's why very often the ownership review is necessary when adding domains...
Sedo has a nice feature on their My Portfolio screen that tells you how many domains have been removed from your account in the last 7 days. Since this includes sales at Sedo and those removed in the sync and manual processes, I generally don't pay much attention to it... but this week I took a look. On this list was a domain I've owned for quite a while, and one that I *KNOW* I did not sell or remove.

I emailed my account rep, and soon got this response:

I hope that you are well; thank you very much for reaching out to us. It appears that one of our enterprise partners has been including [domain name] in their account through their API lists, so we have reached out to them to prevent this from happening again. I apologize for the inconvenience and thank you for your communication. I wish you a great day.

HOLY CRAP! This is NOT an "inconvenience", this explanation means that some random person has API access that allows them to add/change/DELETE domains in OTHER peoples' accounts! And their response is NOT to commit to fixing the security hole, but to ASK THEM TO STOP MAKING CHANGES TO MY ACCOUNT!

I would think this was some sort of joke if I didn't see it myself. I have no idea how often this other person, presumably a competitor trying to kill my sales, has accessed my account, or whether they also have access to my bank account and personal info. Data breaches are required by law to be disclosed to affected customers, so I have asked to speak to a Sedo executive about this.

For now -- CHECK YOUR ACCOUNTS, especially any bank accounts that Sedo may have access to.

Really, what does it matter? It's not as if anyone can take control of your domains. It's just the Sedo account, and in the end, as the domain owner, you have all the control. Technically Sedo can do what they want, but as the owner of the domain you have the ultimate say, so I would not waste too much time on things you probably will not be able to change.
I have more than 200 names in my Sedo and Afternic accounts. I never experienced such wrong deletion of domain names. Moreover, it is an over-exaggeration to say that Sedo has access to members' bank accounts.

good for you

but that doesn't help
Thx

I found a breach at Sedo as well and I got 100 domains for free at Showcase Listing 🤓
YES - you just described what I said!

And as YOU spelled out, they have the ability (at a MINIMUM) to not only remove domains from my account, but to do so with no notification whatsoever -- which means they are hiding the wrongdoing, which is evidence that the fraud is intentional.

If I opened an account at your bank, and secretly transferred a chunk of money from your account to mine, I could go to prison -- that is a crime. This is not much different, and it doesn't make any difference what fancy title they put on the thief.

"they do not have access to your account" -- Yes, as I have proven, THEY DO!
lol. Good luck with your conspiracy theories and belief. I don't disagree that this issue is a pain and should be fixed some way. But a data breach this is not! I'm not going to bother arguing with you as you obviously don't understand the issue fully.

PS. Afternic has this exact same problem (documented in the Afternic mega thread and other threads). So they also have a data breach and allow others to access your account. Hope your domains are safe there!
So, if such "superuser" adds my domain to their, say, Sedo account and deletes it from mine, and sets Sedo MLS along with BIN and domain sells - then the domain will automatically leave my registrar's account, if I already approved MLS at my registrar, and superuser will get paid for it? Is it possible?
Should not be. A re-listing should trigger a fresh approval for the MLS listing. Without the approval on the relisting, the domain should not be a part of the MLS network and should not be FT enabled.
Assuming that instant transfer approval is linked to the marketplace username (which should be the case, as common sense prompts), this scenario is unlikely. However, I think there was a thread right here on NP last year where an Afternic customer complained about exactly this problem (the domain left his registrar account).
I think the poster there later confirmed that they had approved the FT/DLS listing e-mail.
and that the bank account you allow Sedo access to (for sales, parking revenue) is a small account so if an ACH went the wrong way it wouldn't have a lot of impact.
Ugh, Sedo does not have access to your bank account. They have information about your bank account that is sufficient and useful only for depositing funds into the said bank account. They can never "remove" funds from bank accounts by themselves.