Sedo has a nice feature on their My Portfolio screen that tells you how many domains have been removed from your account in the last 7 days. Since this includes sales at Sedo and those removed in the sync and manual processes, I generally don't pay much attention to it... but this week I took a look. On this list was a domain I've owned for quite a while, and one that I *KNOW* I did not sell or remove.
I emailed my account rep, and soon got this response:
I hope that you are well, thank you very much for reaching out to us. It appears that one of our enterprise partners has been including [domain name] in their account through their API lists, so we have reached out to them to prevent this from happening again. I apologize for the inconvenience and thank you for your communication, I wish you a great day.
HOLY CRAP! This is NOT an "inconvenience", this explanation means that some random person has API access that allows them to add/change/DELETE domains in OTHER people's accounts! And their response is NOT to commit to fixing the security hole, but to ASK THEM TO STOP MAKING CHANGES TO MY ACCOUNT!
I would think this was some sort of joke if I didn't see it myself. I have no idea how often this other person, presumably a competitor trying to kill my sales, has accessed my account, or whether they also have access to my bank account and personal info. Data breaches are required by law to be disclosed to affected customers, so I have asked to speak to a Sedo executive about this.
For now -- CHECK YOUR ACCOUNTS, especially any bank accounts that Sedo may have access to.