news NameCheap Security Breach

[silentg]

This was posted on September 1:

Helpdesk tickets security update​

We recently received reports of a potential security attack vector coming through our helpdesk system, which we use to manage customer support tickets. We immediately investigated the situation, and while we discovered a very small possibility of breaches occurring, we found no evidence that any breaches had taken place.
We are now taking all necessary steps to close this gap in our security, including disabling the login and registration of accounts in our helpdesk.
Please be aware that this security gap was only exploitable if your Namecheap Customer Account or Helpdesk Account passwords were not secure and were used on other resources, through which it could have been exposed and leaked online.

https://www.namecheap.com/blog/potential-gap-in-our-helpdesk-security/


NameCheap CEO's challenge to hackers back in August 28, 2022:

https://twitter.com/x/status/1564041532470358016

YCombinator Post from August 29:
https://news.ycombinator.com/item?id=32638028

 

[TCK]

Thanks for the update. Security has its limits. If you don't keep your login credentials secure then you can be open to risk. It doesn't sound like the platform was hacked but breached credentials were used to access accounts. Correct me if I am wrong.

 

[Lox]

testing for $10k ... bad idea

 

[TCK]

testing for $10k ... bad idea

Reading the OP embedded posts the challenge was to make changes to a domain via helpdesk. The problem was that the credentials for the helpdesk were the same as for the domain control panel. So you couldn't make changes via helpdesk but you could use the same credentials to login to the domain control panel and make changes there.

 

[Lox]

Reading the OP embedded posts the challenge was to make changes to a domain via helpdesk. The problem was that the credentials for the helpdesk were the same as for the domain control panel. So you couldn't make changes via helpdesk but you could use the same credentials to login to the domain control panel and make changes there.

If needed, they need the right kind of penetration testing conducted by an experienced cybersecurity firm/s. But publicly asking for more than the system-structure can handle - bad idea.

Regards

 

[TCK]

If needed, they need the right kind of penetration testing conducted by an experienced cybersecurity firm/s. But publicly asking for more than the system-structure can handle - bad idea.

Regards

Not being able to see the problem with using the same credentials for the control panel as for the helpdesk is surprising. Overconfidence along with lack of imagination. I have seen companies send out challenges similar to this but naturally they would make sure their security wall is first cleared by a qualified firm. Should be an easy fix though, just force everyone to create new credentials for the helpdesk and change their passwords for the control panel. Another one is phone confirmation.

 

[Lox]

... just force everyone to create new credentials for the helpdesk and change their passwords for the control panel. Another one is phone confirmation.

& that can lead to negative reputation. Restructuring "beliefs" (insecurity) and "assumptions" (sense) are the hardest thing to change & is costly.

Regards

 

[Broth Investing]

If needed, they need the right kind of penetration testing conducted by an experienced cybersecurity firm/s. But publicly asking for more than the system-structure can handle - bad idea.

Regards

I love testing penetration