Name.com Tells Customers To Change Password Due To Breach

Well, name.com seems to be taking this in good humor on Twitter:<p>"@HackThePlanet Can you just send a postcard next time?" <a href="https://twitter.com/namedotcom/status/332304801050271744" rel="nofollow">https://twitter.com/namedotcom/status/332304801050271744</a><p>"@xDictate Yes. It's been a huge pain in the ass, yet it's hard not to appreciate great technical savvy." <a href="https://twitter.com/namedotcom/status/332308994255384577" rel="nofollow">https://twitter.com/namedotcom/status/332308994255384577</a><p>Regarding elephants: "@BobSnooks Even though it feels like we're getting trampled by them, we still won't shoot." <a href="https://twitter.com/namedotcom/status/332232278078001153" rel="nofollow">https://twitter.com/namedotcom/status/332232278078001153</a><p>Hopefully this is an indication they'll be willing to release full details of the incident. In contrast, Linode seems to take their image <i>way</i> too seriously and refuses to say anything that might make them look bad. (Of course, <i>not</i> saying anything makes them look worse, but they don't seem to realize that.)

For anyone who wasn't following HN yesterday:<p><a href="https://news.ycombinator.com/item?id=5667027" rel="nofollow">https://news.ycombinator.com/item?id=5667027</a><p><a href="https://news.ycombinator.com/item?id=5667391" rel="nofollow">https://news.ycombinator.com/item?id=5667391</a>

Notice they said "encrypted" passwords not (salted password hashes) passwords.<p>I don't trust "encrypted" password because my experience with Host Gator: I contacted Host Gator support to reset my password and they were able to send me my previous PLAINTEXT password. I asked them how this was possible and they told me that the passwords were encrypted and only a few people had access to it.<p>People who also have access to it: Anyone who can see the Host Gator email que and the mail-servers the email passed through.<p>I promptly closed my account with them.

Name.com user here. This is the first time one of my registrars gets compromised and I'm not sure I understand the (potential) severity of what has happened.<p>What would HN suggest doing in a case like this (aside from changing passwords)? Just let it be? Monitor credit card? Change registrar?<p>Looking forward to your feedback.

The article implies this is the first time they've notified customers, so they've either been unaware (seems unlikely since the FBI had a mole in HTP, who have claimed responsibility) or just not disclosing it? Is that true? I can understand why people are annoyed at Linode and everything, but this seems ridiculous if it's the first time.

It looks like they may have used RSA encryption with a 4096 bit key [1] and as far as I know, if the private key is not compromised; this is pretty darn secure...Can anyone confirm?<p>[1] - <a href="https://twitter.com/namedotcom/status/332260201535266816" rel="nofollow">https://twitter.com/namedotcom/status/332260201535266816</a>

Well, that confirms at least part of the Linode story.

Oddly enough, as a name.com customer I kind of surprised that I found this out through HN first.

Name.com seems to be on the same path Go Daddy was 8 years ago (sans scantily clad women for marketing).<p>I wouldn't appreciate the "humor" (Twitter) around this event if I were a customer. My only hope is that if anything like this happens to Gandi that they handle it with, true to style, no-bullshit transparency - spare the crap.

I made an account on name.com 5 days ago. Anybody know when the breach happened?