Helpdesk tickets security update
We recently received reports of a potential security attack vector coming through our helpdesk system, which we use to manage customer support tickets. We immediately investigated the situation, and while we discovered a very small possibility of breaches occurring, we found no evidence that any breaches had taken place.
We are now taking all necessary steps to close this gap in our security, including disabling the login and registration of accounts in our helpdesk.
Please be aware that this security gap was only exploitable if your Namecheap Customer Account or Helpdesk Account passwords were not secure and were used on other resources, through which it could have been exposed and leaked online.
What was the threat?
Namecheap Helpdesk Accounts are connected to Namecheap Customer Accounts. Sensitive customer information is, therefore, often referenced during support correspondence and stored in the ticket history.
While all Namecheap Customer Accounts have extra security layers built in, such as 2FA, these were not available for Helpdesk Accounts. This meant that fraudsters could have used compromised passwords to log in and access support tickets, and it might have been possible for them to access sensitive data exchanged during support conversations via tickets.
There is also an option to add additional contact email addresses in our support system without additional validation, so a new email could have been silently added to customers’ Helpdesk Accounts.
What about contacting Customer Support?
Live Chat uses a completely different system and so was not affected in any way. This potential security gap only relates to the support ticket area of Namecheap Helpdesk Accounts.
What we are doing about it
We always treat the security of our customers as the highest priority and thus decided to disable login and registration of accounts in our helpdesk — effective from today.
We are also directly contacting customers with more than one email address associated with their Helpdesk Account to make 100% sure no fraudulent addresses have been silently added.
What should you do?
We are directly contacting any customers that might have been affected, so the best course of action right now is to simply check your inbox.
Moving forward, please also make sure you have strong passwords for your Namecheap accounts — and any accounts, anywhere.
Be assured that your security is our highest priority and we will continue to investigate and assess any possible security breaches.