Namecheap Hacks Tied to CyberVor?
Domain-Hosting Provider Reports Unauthorized Log-Ins
Domain-hosting provider Namecheap says recent unauthorized log-ins to customer accounts likely stemmed from the CyberVor incident, where Russian hackers pilfered more than 1.2 billion credentials (see: CyberVor Update: Hold Security Responds).
Namecheap says that its intrusion detection systems recently detected much higher than normal activity on its log-in systems. "Upon investigation, we determined that the username and password data gathered from third-party sites, likely the data identified [in the CyberVor incident], is being used to try and gain access to Namecheap.com accounts," says Matt Russell, vice president of hosting at Namecheap, in a Sept. 1 blog.
A majority of the log-in attempts have been unsuccessful, Russell says, because the data is incorrect or old and passwords have been changed. Namecheap is blocking the IP addresses that appear to be logging in with the stolen password data, Russell says.
But some of the attacks have been successful, which prompted Namecheap to contact customers to request that they improve the security of those accounts.
Russell stressed in his blog that Namecheap was not breached. "Usernames and passwords being used [by the hackers] have been obtained from other sources," he says. "These have not been obtained from Namecheap."
The domain-hosting provider did not immediately respond to a request for additional information, including how many of its clients were affected.
CyberVor Incident
News of the CyberVor mega-breach was first reported Aug. 5, when the security vendor Hold Security said a Russian cyber gang allegedly amassed more than 4.5 billion credentials (see: Security Firm: 1.2 Billion Credentials Hacked). Of those credentials, 1.2 billion appeared to be unique and tied to more than a half-billion e-mail addresses.
But the warning prompted security critics to ask several questions, including why Hold Security wasn't naming which sites had been breached and whether the report was just a marketing exercise.