Over the weekend, Namecheap discovered that username and password data gathered from third-party sites was being used to try to gain access to customer accounts.
According to Namecheap VP Hosted Services Matt Russell, the data is likely connected to the data The Register identified in a report at the beginning of August on where the Russian hackers who stole more than a billion passwords got their information.
On Sunday night, Namecheap’s intrusion detection system alerted the company to a much higher load than normal. Hackers are using fake browser software to simulate web browser logins with the usernames and passwords.
Though Namecheap says the “vast majority” of these login attempts have been unsuccessful since much of the data is outdated or incorrect, there are still some login attempts that have been successful. Namecheap has temporarily secured the Namecheap accounts that have been affected and is contacting customers who own those sites. The affected customers will have to verify their identity and then receive new login credentials.
Russell is encouraging Namecheap customers to enable two-factor authentication when they regain access to their Namecheap account. Two-factor authentication has been enabled at other web hosting companies as users look for ways to add an extra layer of security to their hosting and email accounts.
“I must reiterate this is not a security breach at Namecheap, nor a hack against us. The hackers are using usernames and passwords that have been obtained from other sources,” Russell says in the blog post describing the hack. “These have not been obtained from Namecheap. But these usernames and passwords that the hackers now have are being used to try and log in to Namecheap accounts.”
“Our early investigation shows that those users who use the same password for their Namecheap account that are used on other websites are the ones who are vulnerable… This attack serves as a timely reminder that as netizens, we constantly face new and evolving security threats. There are groups out there whose sole intent is to steal our identity, gain access to our bank or credit card information or defraud us. And this is a problem that isn’t going to disappear any time soon.”
Namecheap is making a list of the bad IPs available to anyone who wants it, including service providers. Those interested in obtaining the list can email firstname.lastname@example.org.