“The group behind this is using the stored usernames and passwords to simulate a web browser login through fake browser software. This software simulates the actual login process a user would use if they are using Firefox/Safari/Chrome to access their Namecheap account. The hackers are going through their username/password list and trying each and every one to try and get into Namecheap user accounts.”
Hold Security had reported in the mid August that around 1.2 billion credentials had been amassed by Russian hackers called “CyberVor”. At that point and time, it was not known what these Russian hackers intended to do with such a huge collection of credentials and it was surmised by the experts that the login ids and passwords may be sold on underground forums for a premium. Now the first casualty of the leak seems to be the popular Domain registrar and Web hosting company Namecheap.
Namecheap has put up a blogpost warning its customers that the Russian hackers or buyers of the credentials have been trying to access their accounts by using credentials obtained from third party websites. CyberVor had managed to obtain 1.2 billion credentials from approximately 420,000 websites as per a research by Hold Security. The massive leak is being investigated by American Federal Bureau of Investigation and its reports are awaited.
Namecheap has issued a warning as it believes some of these 1.2 billion credentials are being utilized by cybercriminals to gain access to their customers’ accounts. In the blogpost, Namecheap says that its intrusion detection systems picked up a higher than usual volume of login attempts shortly after the Hold Security report. This normally indicates that hackers are using data to pre-empt any attempt by the investigating agencies to stop the breach being used for malafide intent.
Namecheap is not sure that this typical surge in login attempts incident is linked to the stealing of 1.2 billion credentials by CyberVor but the exact timing of the logins post the report has led the company to reach this conclusion. Matthew Russell, VP of Namecheap hosting division stated on the blog that,
As per the blog, most of the login attempts made during the surge proved unsuccessful but it warned that some of the accounts may have been breached , while most of the login attempts have been unsuccessful, the attackers have managed to gain unauthorized access to some accounts. The company has temporarily secured affected accounts and is working on notifying customers. Those who have been impacted by the cyberattack are instructed to verify their identities, after which they will be provided with new login credentials.
“As a precaution, we are aggressively blocking the IP addresses that appear to be logging in with the stolen password data. We are also logging these IP addresses and will be exporting blocking rules across our network to completely eliminate access to any Namecheap system or service, as well as making this data available to law enforcement,” the company official said.
Russell has clarified that the unauthorized logins are not the result of a security breach at Namecheap. He claims all passwords stored on the company’s systems are encrypted “using the highest security encryption methods.”
The hosting firm is advising customers to enable two-factor authentication on their accounts. In addition, those who have used the same credentials on multiple websites are advised to take action immediately and update their passwords.
Shortly after the world learned about the 1.2 billion compromised credentials, experts warned that such attacks are inevitable.
“The more accounts you have, the more vulnerable you are. The more you share email addresses and passwords across those accounts, the more vulnerable you are,” Jon Heimerl, senior security strategist at Solutionary, told SecurityWeek. “If you are regularly changing passwords the fact that someone has stolen your credentials may not have a huge impact on you. But how many people regularly change all of their passwords?”