Dear Valued Customers,
I am writing to tell you about a recent breach involving our shared hosting systems.
The breach was a result of a custom solution that our team implemented. The exploitation was very limited and only affected a total of 12 domains (we have close to 10 million domains on our platform).
While always striving to make things easier for our customers, we unintentionally created a gap in our security.
At Namecheap, we have a custom implementation of DNS for our shared hosting systems that is completely separate from our core domain business. The core domain business uses its own DNS system and we can confirm that this was not affected at all.
For our Shared Hosting product, we point all domain names to the same DNS cluster servers:
This is not a default setup supported out-of-the-box by cPanel. However, it provides a number of major benefits for our clients, including:
1) An ability to easily set up hosting accounts for each package with Namecheap;
2) Use of one set of nameservers for each domain; and
3) An ability to migrate client accounts between servers without any downtime and without a need to update nameservers when:
- a hosting package is upgraded/downgraded;
- a client wants to be hosted on different servers due to their specific needs, such as particular subnets for an IP-address or their geographical location;
- restoration of client accounts without needing to change nameservers in the case of a hardware failure—this will minimize site downtime;
- we need to ensure a more stable DNS cluster with redundancy and DDoS protection.
In addition to the above, our DNS solution ensures that we can migrate and restore hosting accounts from backups on a different server if necessary, with minimum downtime, and without involving each client in the process. We are also able to provide a centralized DNS cluster with better protection from DDoS attacks, which is guaranteed by Verisign.
What Caused the Gap?
Our DNS required a customized solution tailored to our needs and the needs of our customers. This resulted in an unexpected gap in our security.
Clients using our Shared Hosting product were able to add a subdomain of any domain that was pointed to its DNS cluster to their cPanel and manage it from there. To do so, one just needed to determine that the domain was pointed to our DNS cluster.
In the initial setup of the DNS management system, without the DNS cluster, the above gap did not exist, as a security check was performed at the cPanel level. Specifically, when a subdomain was added to another server, it was necessary to change nameservers in order to gain control. However, with the DNS cluster implementation, this security measure became ineffective.
Once this issue was detected, we immediately started working on a fix, which was fully released on 5 February 2018.
The solution ensures that we no longer allow the adding of domains or subdomains as an Add-on or as Parked. If a subdomain or its parent already exists on our servers, all calls to create a subdomain are now properly validated.
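The validation described above, sketched as an added example (this is not Namecheap's code): a request to add a name is checked against every server behind the shared DNS cluster, and rejected when the name or one of its parents already belongs to another account. The `Cluster` model, the server and account names, and the `.test` domains are constructed for illustration.

```python
class OwnershipConflict(Exception):
    """The requested name, or a parent of it, belongs to another account."""

def normalize(name):
    # DNS names are case-insensitive; a trailing dot is the root label.
    return name.strip().rstrip(".").lower()

def name_and_parents(name):
    # shop.example.test -> [shop.example.test, example.test, test]
    labels = normalize(name).split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

class Cluster:
    """Constructed model: hosting servers that all publish into one DNS cluster."""

    def __init__(self, servers):
        self.zones = {s: {} for s in servers}  # server -> {zone: account}

    def conflict(self, account, name, servers):
        """Return the closest existing zone on `servers` owned by someone else."""
        for candidate in name_and_parents(name):
            for server in servers:
                owner = self.zones[server].get(candidate)
                if owner is not None and owner != account:
                    return candidate
        return None

    def add_zone(self, server, account, name):
        # Validate against every server behind the cluster, not just `server`.
        hit = self.conflict(account, name, list(self.zones))
        if hit:
            raise OwnershipConflict(f"{normalize(name)}: {hit} belongs to another account")
        self.zones[server][normalize(name)] = account
        return normalize(name)

def demo():
    c = Cluster(["server-a", "server-b"])
    c.add_zone("server-a", "acct-1", "Example.test.")
    # A check scoped to server-b alone finds nothing: the gap described above.
    local = c.conflict("acct-2", "shop.example.test", ["server-b"])
    # The cluster-wide check finds the parent zone registered on server-a.
    wide = c.conflict("acct-2", "shop.example.test", list(c.zones))
    try:
        c.add_zone("server-b", "acct-2", "shop.example.test")
        rejected = False
    except OwnershipConflict:
        rejected = True
    # The rightful owner can still add a subdomain on another server.
    own = c.add_zone("server-b", "acct-1", "blog.example.test")
    return local, wide, rejected, own

if __name__ == "__main__":
    print(demo())
```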
We have already reviewed our security protocols and identified ways to ensure this does not occur again. This includes even more thorough testing procedures, improved communication between our teams, and higher quality assurance requirements for any changes we take live.
We are reaching out directly to the 12 customers that have been affected by this issue. Out of respect for the privacy of our customers,
I truly apologize for any stress or inconvenience this may have caused our customers and assure you that this will not happen again.