If you have an account at NameCheap, now might be a good time to think about changing your password.
According to the registrar, hackers based in Russia are using a haul of a reported 4.5 billion username/password combinations to attempt to break into its customers’ accounts.
Some attempts have been successful, NameCheap warned.
The attackers are using credentials stolen from third-party sources in a large-scale, automated attempt to log in to user accounts, disguised as regular users, the company said in a blog post.
The vast majority of these login attempts have been unsuccessful as the data is incorrect or old and passwords have been changed. As a precaution, we are aggressively blocking the IP addresses that appear to be logging in with the stolen password data. We are also logging these IP addresses and will be exporting blocking rules across our network to completely eliminate access to any Namecheap system or service, as well as making this data available to law enforcement.
While the vast majority of these logins are unsuccessful, some have been successful. To combat this, we’ve temporarily secured the Namecheap accounts that have been affected and are currently contacting customers involved requesting they improve the security for these accounts.
Affected users have been emailed, the company said.
NameCheap suspects the attack is linked to a reported cache of 1.2 billion unique username/password combinations amassed by a hacker group from databases vulnerable to SQL injection.
The registrar pointed out that its own systems haven’t been hacked. Customers should only be vulnerable if they use the same username and password at NameCheap as they use on other sites.
ICANN has sent a formal breach notice to top ten registrar NameCheap, saying the company failed to comply with a mandatory audit.
ICANN also claims in the notice (pdf) that the company has failed to keep its web site up to date with pricing information required by policies.
NameCheap, which says it has over three million domains under management, may be the largest registrar to get to the formal, published breach notice stage of the ICANN compliance process.
But it should be noted that while the company is accredited and must comply with its Registrar Accreditation Agreement, it does almost all of its business as an eNom reseller.
Just a handful of domain names are registered under NameCheap’s own IANA number.
eNom reseller NameCheap is actually in the top 10 largest registrars in terms of domains under management, judging by data in regulatory documents filed by eNom parent Rightside.
According to a Rightside SEC filing related to its spin-off from Demand Media, NameCheap accounted for 23% of the company’s total domains under management as of September 30.
With the same document declaring Rightside has over 12 million names under management as of the same date, NameCheap apparently looks after just under 2.8 million domains.
By my reckoning, this means NameCheap is very probably the ninth-largest registrar by DUM out there, sandwiched between GMO Internet and FastDomain.
My comparison is not completely apples-to-apples — NameCheap’s number may include ccTLD registrations and I’m levering the company into a gTLDs-only league table — so may not be fully reliable.
But it’s the first solid indication of the size of NameCheap’s business I’ve seen in a while.
While NameCheap is accredited by ICANN in its own right, it has never registered more than a handful of domains under its own name, leaving it in the sub-900 range in the DUM league table.
According to Rightside, NameCheap is under contract to exclusively use eNom’s wholesale services until December 2014, but the deal does have one-year renewals built in.
Directi appears to be the last man standing in the three-way tie-up for .online, following the latest new gTLD withdrawals.
Namecheap has dropped its .online application, closely following Tucows, which dropped its bid a couple of weeks ago.
The three companies announced a deal in March to see them cooperate to win the contested TLD, but at the time it wasn’t clear which applicants would pull out.
Directi’s bid (filed by DotOnline Inc under the Radix brand) remains. It has already passed Initial Evaluation, which may be part of the reason its application was chosen as the “winner”.
The gTLD is still contested, however. Directi is competing with Donuts, I-Registry and Dot Online LLC.
Separately today, a curious two-way dot-brand battle seems to have had its final twist, with Guardian Life Insurance’s withdrawal of its application for .guardianlife.
The insurance company and newspaper publisher Guardian News and Media had both applied for gTLDs containing the string “guardian”. There were originally five, but only two remain.
It now looks like Guardian News will get .theguardian, having previously conceded .guardian to its brand rival and dropping its bid for .guardianmedia.
It appears that there’s been more than a bit of strategic applying, and maybe some deal-making, here.
Neither remaining application is contested, and neither have objections. It’s likely that .guardian is captured by the Governmental Advisory Committee’s advice against “closed generics”, however.
Three applicants for the .online gTLD appear to have settled their differences in what I believe is the first public example of new gTLD contention set consolidation.
Tucows, Directi and Namecheap said today that that they plan to “work together to manage the .online registry.” From the press release:
applicants for the same TLDs have begun to compete, negotiate, and, in some cases, join forces to ultimately produce one winning bid.
The first such alliance was revealed today, when domain industry veterans Directi, Tucows and Namecheap announced that they would work together to manage the .online registry.
The companies are of course three of the most successful domain name registrars out there.
The press release does not specify how the combination will be carried out. Under ICANN rules, two of the applicants would have to drop their applications. It’s not possible to resubmit as a joint venture.
It also does not acknowledge that there are three other applicants for .online — Donuts and smaller portfolio applicants Dot Online LLC and I-REGISTRY Ltd — which are not party to the agreement.