Last Thursday we mitigated an attempt to breach customer data.
No customer data was obtained, and no domains or services were impacted; however, in the wake of the attempt we have elected to accelerate our already planned security enhancements.
This is why, when you log in today and from now on, you will be forced to reset your old password, and we will start encouraging password aging, along with other security measures.
Those additional security measures include new event notifications. As of today, in addition to login notifications, you will start receiving notifications for the following event types:
- personal info edits
- password changes
- DNS changes
- whois record modifications
- nameserver delegation modifications
These event notifications will be turned on by default, but you may selectively disable them in your security preferences.
Please note that our system has supported IP/network ACLs and geo-country code limits for some time. We encourage all of our users to make use of them. They can be accessed via the "Security" option in the left-hand menu.
Additionally we are currently testing and will soon implement the following changes:
- optional two-factor authentication, with the second factor being a PIN delivered via SMS
- dynamic DNS clients will be forced to use auth tokens (the backward compatibility that allowed account auth data to be used via dynamic DNS clients will be disabled)
Mini-FAQ of the Attempted Data Breach
Was any customer data obtained, lost or stolen?
[ Edit: We now feel that some member email addresses may have been exposed. See this post. No other data would have been exposed in this log file. ]
Were any customer settings or domains altered or had unauthorized changes made?
What was the extent of the attempt?
Parties unknown began scanning our systems for vulnerabilities and attempting various exploits approximately one week ago. These attempts were detected and monitored as they occurred.
On Thursday, Oct. 11, this culminated in the discovery of a third-party software plugin on a decommissioned web component that was still live on the web. A security weakness in that plugin made it possible to read some of our user interface source code and server config files.
The issue was discovered within an hour of its initial use and immediately plugged.
Did the affected server house any customer data such as user account passwords, domain auth codes or credit card details?
All of our databases are firewalled off from any public facing web services and accessible only via our internal network VPN.
We do not store any credit card data within our systems and never have. All transaction processing has always been outsourced to our payment processors and we keep no payment data here. (There are also strong indications that this is what the perpetrators were after).
What are you doing about this?
In addition to accelerating our planned security enhancements we are undertaking the following measures:
- The legacy system shutdown is being accelerated and will be completed by the end of this week. If your user ID has not already been migrated to the new system, you will be notified via email when it happens; we plan to shut down the legacy system on Monday, October 22. Additionally, single sign-on between the legacy system and the new system has been disabled.
- The RCMP Tech Crimes Unit has been notified and debriefed. In 2005 easyDNS was designated by the RCMP as a "Critical Component" of Canada's Information Infrastructure, and we maintain close contact with their tech crimes unit (a.k.a. "O Division").
- We have brought in an outside security firm to conduct a source code audit and assist us with forensics.
- The affected web server has been decommissioned, snapshotted and removed from the internet.
Our decision to disclose this is in keeping with our ethos of transparency and brutal frankness.
If learning this rattles you just a little bit, enough to review your own security practices, maybe turn on the ACL you've been meaning to for a while or change that password you've been using just a little too long, then at least some good has come out of it. I know it's galvanized us to raise the bar further.
Security events happen to everybody, with varying degrees of success (and subsequent disclosure). What is important in this case is that your data is and remains safe, that there has been no compromise of your DNS, domains, email or any other service here, and we are accelerating our security enhancements to stay ahead of the next threat.