Massive Moniker.com Breach, Valuable Domains Stolen

Yesterday Acro.net and his other site DomainGang.com posted two important articles related to a breach at Moniker.com . I wanted to write yesterday but I was pretty busy with other stuff, plus behind the scenes I was working with an effected domain owner on the phone and digging information on the potential domain thefts. This is very important, so you need to be aware!! If you have a Moniker.com account, you really need to pay attention and take some actions!

From what I can tell, it is very likely that ALL, yes ALL Moniker.com accounts were breached (hacked). I have hard dates starting on September 20, 2014 (it is likely that it started a couple days prior based on data I have seen, maybe the 15th) and lasted for several days going past September 23.

It appears that all accounts were accessed via an IP location of: 88.150.178.59

Two of my Moniker accounts were accessed (logged into) via that IP address. One on September 20 and the other on September 23. Based on the “account numbers”, the lower account number was accessed first on the 20th, the higher account number on the 23rd. This tells me they started with the lowest account numbers sometime around the 20th (likely even earlier) and run scripts to access accounts, copy domain data within each account and I’m sure grab more data.

Moniker.com did mention in an email in the morning of October 6, 2014 that looked like spam (and included account numbers and new passwords for account users) that they detected brute force attacks, but failed to mention the TRUTH! These attacks were successful!

Domain Names Have Been Stolen

I am aware of at least 8 domains that have been stolen. Most I can not make public right now due to one of the owners wishing to keep his domains private currently but I can say, 3 letter .com domains were the main focus of theft from Moniker. The one word generic domain Busy.com was also involved and very likely many more. I am still working on this part.


It’s Not a Typo! Get $1.49 .COM Domains at GoDaddy!

I am currently aware of three domain name registrars that stolen domain names were transferred out to:

  • Register.com
  • CSL COMPUTER SERVICE LANGENBACH GMBH D/B/A JOKER.COM
  • Name.com

Important email addresses (all other whois information, basically doesn’t matter, the email addresses are the most important)

Stolen Domains At GoDaddy

As a result of the breach at Moniker.com and information obtained (mainly email address), OTHER domains at other domain registrars have been effected. I am aware of 4 domains stolen at GoDaddy that took place on October 3, 2014. There is a connection, as the same email address was used between the two accounts (Moniker/GoDaddy). Different passwords were used with the two registrars, but the same email address was linked. The hackers likely gained access to the email address (was a free service email provider). With that data, password resets can be done etc and gaining access to other accounts can take place.

What You Need To Do

First of all, change all passwords associated with your Moniker account if you have one, even if you have one with no domains in it! If you have connected email addresses between different registrars, you also need to take action. If there is potential that a hacker has access to your email service (check IP logs if you can) it doesn’t do much good to change passwords, if they can just set them again!

The main email address on your registrar accounts needs to be changed if the above is the case! I know this is a pain in the butt and will likely lock your domains for 60 days from being transferred, but if your domains are stolen, what else really matters!

Turn ON two factor authentication when you can. Again, pain in the butt, but the safest.

I am going to work on an article later today, with what is the best way to protect your domains. I already have the data from a private discussion, I just need to put it together to share with you. What process one needs to take for what email addresses to use etc. but right now, the IF factor is a big player that also needs to be considered. If somebody has access to your main email address account, no matter what you change your password to… they can just reset it and catch the emails etc! So email security is number one with what you set at your registrar!

Clearly buying domain names right now is risky. With several being stolen, these domains likely will be hitting the market for some quick cash. What out for 3 letter, 4 number and one word generic .com domains that seem way to cheap that are listed for sale.

Hopefully Moniker, GoDaddy, Register.com, Joker.com and any others effected work closely with those effected by the recent domain thefts and some good can come out of this (more secure domain accounts / domains).

Related Posts

19 thoughts on “Massive Moniker.com Breach, Valuable Domains Stolen

  1. Hi,

    You say the guy who stollen domains at Moniker also had some domains stollen at GoDaddy, this simply means:
    a) It’s not a registrar hack, but an email hack, this guy had is email compromised and the thieft is getting advantage of that to access any registrar the owner had accounts (Moniker, GoDaddy, …).
    b) It’s a true registrar’s hack but the guy is an idiot using the same password on many registrars (Moniker, GoDaddy, …)
    And because you say differents passwords where used by the owner then this let think the issue is (a).

    1. Monkier was hacked, and then the email address hack took place to access the GoDaddy account. My point is, data (and domains) was stolen via Moniker.com and COULD be used at other registrar if users have used the same email at other registrars that they used at Moniker.

  2. With alll due respect Jamie what you say makes no sense for me.
    If someone succeed to get access to my Moniker account and I do not share the same password in my GoDaddy account then there is no way this guy may access my GoDaddy account (becuase my GoDdady email is not stored at Moniker) except my email used in both login be compromised or the guy has access to my computer. This is why I say if the guy has stollen domains in both registrars then the breach is not Moniker or GoDaddy.

    1. With-in the Moniker account, the “main email” used for the account (not necessarily the whois email) can be obtained during a breach. Many people use the same email address at different registrars. When that email address was obtained from with-in the Moniker account during the hack, they then hacked the email account (changed password) to gain access to another account at another registrar (GoDaddy). It was likely NOT know if the email address was used at other registrars, but they likely try it to find out! The domains stolen from the GoDaddy account was due to a email hack.

      Moniker was breached (hacked). Domains were stolen. Data was revealed.
      Using data (email) from the hack at Moniker, resulted in a email hack, which resulted domains to be stolen from another registrar (GoDaddy).
      Having hacked the email address obtained at Moniker in the account of the domain owner of stolen domains, the hackers then accessed the GoDaddy account due to a email hack (change of password likely). If the email address was not the same used at Moniker / Godaddy, this would have prevented the further hack.

  3. I have to agree with Francois that this article makes no sense.

    Also brute force is not really a hacking attempt and it can be used in few different ways:
    – On very unsecure website that has no bruteforce protection such as limited number of guesses until you get suspended at least for some time.
    – Password is 123456 or some other common name with no upper/lower and symbol combinations. This won’t work if site has some basic brute force protection.
    – “Hacker” uses passwords from previous hacked and leaked databases and you used the same password and email there, so you can be tracked down easily.

    So what I can see here is that you got hit by either targeted attack or you are using the same username and password on several websites.

    Other thing might be that your email got compromised by using social engineering but it is unlikely.

    1. @Airgars,

      I’m not sure how it doesn’t make sense? Likely All Moniker.com accounts were accessed (based on the amount of people posting that in IP logs, that somebody other than the owner of the account accessed the account. Domain names were stolen (none of mine btw) which I have a growing list of. The Moniker hack (or whatever you want to call it) took place starting around mid September. The “GoDaddy” stolen domains is a secondary situation from the Moniker breach.

      1. This does not convince me:

        Imagine a moment, someone hack Moniker just to know account emails, which is probably not easy, (when probably he just have to look at WHOIS (people often use the same).
        But above that, once he has found the email used then come the MEGA job to succeed to hack the email itself to can also get access to others registrars using this email address.
        My feeling is if someone has the super skills to do that, hack a registrar and also hack an email service then it’s not domains he will get but directly will ask a paypal or bank withdrawal.

        1. I’m not trying to “convince you”. Moniker was hacked, domains have been stolen. Believe it or not is totally up to you. If you have a Moniker account, I’d suggest you look into your domains, your ip log etc.

  4. It is indisputable that numerous Moniker accounts were breached. I can speculate that due to the duration of the breach, they test out thousands of accounts.

    I’ve already documented several stolen domains that were moved out of Moniker accounts, and more have been identified. The case I can’t yet cover involves additional domains stolen from a GoDaddy account *after* the owner’s Moniker account was compromised. The owners used the same email & password on both accounts and had 2-way authentication turned off at GoDaddy.

    Bottom line: never use the same password across different services.

  5. Our account had a login on the 23rd of Sept. The password used on the moniker account is unique to moniker only and they are rotated monthly with new unique passwords. The email account used for the moniker was unique to moniker with a unique password there as well.

    Login successful 88.150.178.59 2014-09-23 18:40:36

  6. I had a 24 character unique random mix of letters, numbers, and symbols as a password for Moniker and only Moniker. My account was accessed by 88.150.178.59 @ 2014-09-23 23:41:52. One thing I notice is that my login history says “Credentials login successful”, but that login says “Login successful”

    Moniker is having some serious technical issues right now relating to changing passwords. I “successfully” changed my password twice, but when I log out I can only log in with the plain text password they emailed to me. Top notch security there guys. I’ll be moving my domains to a registrar with two factor authentication this evening.

  7. A lot of people (including myself) share the same passwords across various services, because we don’t want to deal with the hassle of keeping track of different passwords for every account we have ever created at every service.

    If Moniker kept the passwords in plain text, which they probably did, especially since they are still sending them out during the reset as plaintext, then compromising Moniker would also likely compromise people’s email accounts (the ones that shared the same password) as well as potentially other registrar accounts.

    This to me is pretty common sense. It doesn’t surprise me that domains across various registrars are being stolen as well.

    1. Luc,

      Just remember Jamie said the guy has different paswords in Moniker and GoDaddy…

      Now I agree with you that they should keep the hash of the password in their databases and not the password itself, this way when a password is shared by several services and compromised it may not affect the others services.

  8. @ Francois and @Aigars

    While the vast majority of all stolen domains might be related to compromised email accounts or phishing attempts, that is certainly not the case here. It is indisputable that Moniker itself was compromised.

    I checked both of my accounts and like most others I see unauthorized successful logins from 88.150.178.59 on 9-20 and 9-23.

    It really does not matter if you use the most secure password in the world if the registrar itself gets compromised and hands over your login details.

    I have been able to identify even more stolen domains. This is not just related to FMA who had several highly valuable LLL.com and LL.com stolen, it goes far deeper.

    After having potentially millions of dollars in domains stolen, yesterday Moniker hard resets all the passwords. Then they send that information (Account # and Password) via email in plain text. They do not learn. This is not a company that can be trusted with security.

    Brad

  9. That’s the reason why I can not access my account this time (for 3 weeks). Can we know when Moniker resolves the issue?

  10. We hung in there thru several prior Moniker debacles, including outages as well as the website change riddled with issues. This latest one tells me “Get out, get out now!”

    Where to go? What’s out there with a proven track record of security, reliability, reasonable price? I’d welcome comments from you or readers that are making the same investigation.

    1. I have mine at GoDaddy, Uniregistry.com is gaining customers pretty quickly. Both mentioned offer 2 Factor.

  11. Thanks Jamie!

    Still hoping for a call back from Moniker so I can actually access our account. Their promise for a call back within 24 hours didn’t happen. Guess I’m not surprised, just more disappointed in their lack of professionalism.

Comments are closed.