Update on Recent Hosting Breach
Dear Valued Customers,
I am writing to tell you about a recent breach involving our shared hosting systems.
The breach was a result of a custom solution that our team implemented. The exploitation was very limited and only affected a total of 12 domains (we have close to 10 million domains on our platform).
While always striving to make things easier for our customers, we unintentionally created a gap in our security.
Background
At Namecheap, we have a custom implementation of DNS for our shared hosting systems that is completely separate from our core domain business. The core domain business uses its own DNS system and we can confirm that this was not affected at all.
For our Shared Hosting product, we point all domain names to the same DNS cluster servers:
dns1.namecheaphosting.com
dns2.namecheaphosting.com
This is not a default setup supported out-of-the-box by cPanel. However, it provides a number of major benefits for our clients, including:
1) An ability to easily set up hosting accounts for each package with Namecheap;
2) Use of one set of nameservers for each domain; and
3) An ability to migrate client accounts between servers without any downtime and without a need to update nameservers when:
- a hosting package is upgraded/downgraded;
- a client wants to be hosted on different servers due to their specific needs, such as particular subnets for an IP-address or their geographical location;
- restoration of client accounts without needing to change nameservers in the case of a hardware failure—this will minimize site downtime;
- we need to ensure a more stable DNS cluster with redundancy and DDoS protection.
In addition to the above, our DNS solution ensures that we can migrate and restore hosting accounts from backups on a different server if necessary, with minimum downtime, and without involving each client in the process. We are also able to provide a centralized DNS cluster with better protection from DDoS attacks, which is guaranteed by Verisign.
What Caused the Gap?
Our DNS required a customized solution tailored to our needs and the needs of our customers. This resulted in an unexpected gap in our security.
Clients using our Shared Hosting product were able to add a subdomain of any domain that was pointed to our DNS cluster to their cPanel and manage it from there. To do so, one just needed to determine that the domain was pointed to our DNS cluster.
In the initial setup of the DNS management system, without the DNS cluster, the above gap did not exist because a security check was performed at the cPanel level. Specifically, when a subdomain was added on another server it was necessary to change the domain's nameservers in order to gain control of it. With the DNS cluster implementation, where every hosted domain already points to the same nameservers, this security measure became ineffective.
The Fix
Once this issue was detected, we immediately started working on a fix, which was fully released on 5 February 2018.
The solution ensures that we no longer allow the adding of domains or subdomains as an Add-on or as Parked. If a subdomain or its parent already exists on our servers, all calls to create a subdomain are now properly validated.
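The gap described above and the validation described in the fix can be expressed as two checks over an ownership registry. The following is an added example written for this page, not Namecheap's own code: the account ids, hosted zones and the rule that a subdomain may only be added under a parent zone the requesting account already hosts are all assumptions. The weak check stands in for the pre-cluster gate (is the domain pointed at the shared nameservers?), which every hosted domain passes; the strict check walks the parent chain and requires the closest hosted ancestor to belong to the requesting account. An audit helper flags any existing entries that would have failed the strict check, which is the kind of sweep a provider would run after closing such a gap.

```python
"""Subdomain-creation validation for a shared-hosting panel whose hosted
domains all point at one DNS cluster.  Added example with constructed data;
not the provider's code."""

# Constructed registry: hosted zone -> hosting account that owns it.
# "mail.example.org" is deliberately owned by a different account than
# its parent so the audit has something to find.
HOSTED_ZONES = {
    "example.com": "acct-1001",
    "shop.example.com": "acct-1001",
    "example.org": "acct-2002",
    "mail.example.org": "acct-3003",
}

# The two shared cluster nameservers named in the notice.
CLUSTER_NS = {"dns1.namecheaphosting.com", "dns2.namecheaphosting.com"}


def normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def ancestors(name: str):
    """Yield the name, then each parent down to the two-label domain.
    (Assumption: two labels is the registrable domain; a real system
    would consult the public suffix list.)"""
    labels = normalize(name).split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def owner_of(name: str, zones=HOSTED_ZONES):
    """Account owning the closest hosted ancestor of `name` (or the name itself), else None."""
    for candidate in ancestors(name):
        if candidate in zones:
            return zones[candidate]
    return None


def nameservers_of(name: str, zones=HOSTED_ZONES) -> set:
    """Stand-in for a DNS lookup: every hosted zone answers with the shared cluster."""
    return set(CLUSTER_NS) if owner_of(name, zones) is not None else set()


def validate_weak(account: str, requested: str, zones=HOSTED_ZONES) -> bool:
    """Pre-fix logic as the notice describes it: the only gate is that the
    domain points at the cluster.  Every hosted domain does, so this never
    distinguishes between accounts -- the requesting account is unused."""
    return nameservers_of(requested, zones) == CLUSTER_NS


def validate_strict(account: str, requested: str, zones=HOSTED_ZONES):
    """Post-fix logic: if the name or any parent already exists on the
    platform, it must belong to the requesting account.  Returns
    (allowed, reason) so the panel can log the decision."""
    requested = normalize(requested)
    if requested in zones:
        return False, "name already exists on the platform"
    existing_owner = owner_of(requested, zones)
    if existing_owner is None:
        return False, "parent zone is not hosted by this account"
    if existing_owner != account:
        return False, "parent zone belongs to another account"
    return True, "parent zone owned by requesting account"


def audit_cross_account(zones=HOSTED_ZONES):
    """Flag hosted names whose closest hosted parent belongs to a different
    account: entries that predate the fix and need manual review."""
    findings = []
    for name, acct in zones.items():
        for parent in list(ancestors(name))[1:]:
            if parent in zones:
                if zones[parent] != acct:
                    findings.append((name, acct, parent, zones[parent]))
                break
    return findings


if __name__ == "__main__":
    # A third-party account asking for a subdomain of someone else's zone.
    print("weak  :", validate_weak("acct-9999", "login.example.com"))
    print("strict:", validate_strict("acct-9999", "login.example.com"))
    print("owner :", validate_strict("acct-1001", "login.example.com"))
    print("audit :", audit_cross_account())
```

The weak check returns True for any hosted domain regardless of who asks, which is exactly the gap the notice describes; the strict check denies the same request with a reason, and the audit surfaces the one constructed cross-account entry.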
We have already reviewed our security protocols and identified ways to ensure this does not occur again. This includes even more thorough testing procedures, improved communication between our teams, and higher quality assurance requirements for any changes we take live.
We are reaching out directly to the 12 customers that have been affected by this issue. Out of respect for the privacy of our customers,
I truly apologize for any stress or inconvenience this may have caused our customers and assure you that this will not happen again.
Sincerely,
Richard Kirkendall
CEO Namecheap.com
That’s good to know.
The only problem I had was in finding that my .htaccess file was modified by the addition of the “lsphp . . .” directive the other day. I REALLY wish the folks responsible for the additions would have at least notified me via email first! – I naturally freak out when I see an unaccounted-for change in any of my websites’ configurations without warning. – I have my website configurations (in the .htaccess, php.ini, etc.) set exactly the way I want them for good reason: enhanced website security, and consistency of operation. So, I get upset when there are any changes made to my configurations without prior notice.
Could we PLEASE make sure to inform hosting clients, beforehand, when proposed changes to custom website configuration files are warranted??? The last thing I need to have happen is for settings changes to end up undoing or lessening my security posture. I have spent MANY MONTHS researching and designing a robust security posture – to ensure that my websites are not “soft targets” for attacks again.
Thank you.
– James
James, thanks for your feedback. For the future, we recommend subscribing to http://status.namecheap.com so you can receive notifications on any major upgrades to our services.