Social Engineering Issue
Dear Valued Clients,
It is with great regret that we must report the following: today we experienced a security incident in which one of our support reps did not follow the correct procedure. This led to one of our clients’ VPS accounts being compromised. For this, we sincerely apologize.
This isolated event was compounded by the fact that the customer’s email account associated with his Namecheap account was also compromised. This email is used for standard client communications. In this particular case, a hacker had already infiltrated our client’s email account (not hosted by or associated with us) when he approached us via our live chat system and simply asked us to send the server credentials to the email address we have on file. In these cases, it is our normal procedure to first ask for the customer’s verification PIN code before taking any action on behalf of our clients.
Unfortunately, our support rep did not follow this well-outlined procedure and sent out the username and password to the address we had on file.
This, sadly, led to the hacker gaining access to the VPS server via the email account that had already been externally breached.
The perfect storm of the client’s email account being hacked and our own human error worsened the situation. There are a number of things that we have noted and are implementing immediately to further enhance security at Namecheap.
In the interest of transparency, we will share some of the improvements being rolled out.
- Enhanced security practices that will prohibit our support team from making changes to an account without physically entering the customer’s PIN code.
- Precautionary customer support procedure audits to identify any potential gaps in our procedures.
- Additional training for our customer support representatives by our security team to ensure our team remains up-to-date on new and common social engineering tactics.
- Assessment and integration of additional 2-Factor Authentication tools that would add additional layers of protection for our customer accounts.
The security of customer accounts is paramount to all that we do at Namecheap. We have a dedicated security team in place who, in conjunction with our customer support teams, help ensure that our systems, processes, policies and procedures are as water-tight as possible and are followed by our support team. That being said, as the above case clearly shows, there is more that we could be doing to ensure the utmost in account security, and we will be hammering this home even more across our organization.
Lastly, another issue to address is that of backups for client servers. In order to clearly manage expectations, we would like to explain the difference between “managed” and “unmanaged” hosting services. With managed services, we offer a full suite of services and support, including backups.
Unfortunately, in this case, our client was on an unmanaged VPS plan that clearly stipulated that backups were not part of the service offered. This is made clear upon signing up for an “unmanaged” service, as it is meant for more advanced customers who expect autonomy and a “nanny free” type of service.
Once again, we are constantly assessing additional safeguards, both technical and procedural, to ensure our customers get the highest levels of security possible. This is, and will remain, our commitment to you.
Regretfully and Sincerely yours,
Richard Kirkendall
CEO, Namecheap.com
Honestly, if the hacker already had access to the client’s email account, the hacker could have easily got the verification code by logging in to the website. If the hacker didn’t know the password to the Namecheap account, the hacker could have just done the “forgot password” thing and reset it via the email account they already had access to…
So true.