css-tricks.com is now back under my ownership. Yay!
Quick review of what happened
A criminal stole the ownership of css-tricks.com. They transferred it from GoDaddy to PlanetDomain. I got it back. You can read a whole saga of the events.
This wasn’t just css-tricks.com, this happened at the same time to many other domains that were all “Web tech related blogs.”
How did it happen?
From the perspective of GoDaddy, where the domain was registered, the transfer looked completely legitimate. The criminal logged into my GoDaddy account, unlocked the domain, and transferred it away.
How did they get into my GoDaddy account? To this day, I don’t know.
I do know that they got into my GMail account. By doing this, they were able to delete any emails about the transfer, so I was unaware it even happened. I don’t have proof of the deletions, but I have proof the criminal was in my GMail account. My GoDaddy account password was never changed and didn’t exist anywhere in my GMail account, so the criminal got that password another way. On the first day of the hack, a file was also changed on my server, which suggests they had my FTP password as well; that password didn’t exist in my GMail account either. All three passwords were different from one another. I wish I could tell you exactly how all three of these passwords were obtained. I cannot.
How did it get returned?
I spoke with GoDaddy about the theft. They spoke with PlanetDomain. PlanetDomain agreed to give the domain back to GoDaddy. In my case, both companies were helpful and did all the right things. I actually did very little. I spoke with GoDaddy, filled out their Domain Dispute form, wrote a blog post, did my fair share of worrying, and ultimately it got resolved.
Who is to blame here?
The only person I can find to blame is the criminal (there has been some contact with this criminal, see video).
It’s not GoDaddy’s fault. From their perspective this looks like a standard domain transfer, thousands of which happen every day. They didn’t simply allow a criminal into my account. It’s also unlikely that the criminal broke into my GoDaddy account via a specific GoDaddy weakness. There were many domains affected here from many different registrars. I think it would be nice if GoDaddy offered two-step authentication, but their lack of that didn’t cause this.
It’s not GMail’s fault. Yes, my account was hacked into. I have no idea how. I know the password was reset, but I don’t know if that was a part of the criminal getting in, or because they wanted to keep me out afterward. Once in, theoretically the criminal could have gained access to anything else of mine by resetting passwords, but that wasn’t the case. My GoDaddy or MediaTemple passwords were never changed. Again, there were many domains affected here and the owners of those domains didn’t all use GMail. So it wasn’t GMail specifically that was the vulnerability that caused all this.
It’s not some other random technology’s fault. I heard some people blaming WordPress, which is just weird.
I’m willing to take some blame here myself. Perhaps I used an insecure network or something. I’m just not sure.
It’s hard to figure out exactly what happened. You might think that since so many of us were affected we could find the commonality. Unfortunately that has made it harder, since we’ve been able to discover so little in common between our situations. It seems to me the most likely case is that the criminal is just damn good at being an internet criminal. It’s unfortunate that kind of talent is going toward making the world worse instead of better.
What can you do to protect yourself?
This is the section I was looking forward to writing the most. Sadly, I have little to say.
I think you should use really strong passwords that you change frequently. You should probably run antivirus stuff and make sure you don’t have anything nasty like a keylogger. I think you should use 2-step verification if you use GMail, which should theoretically make it much harder for a criminal to get in.
The thing that allowed this to happen under my nose was that the email notifications I should have gotten were deleted. So one thing I have done is start using Domain Monitor and have it notify an alternate email address of changes.
I’ve also enabled GoDaddy’s Domain Protection. css-tricks.com is now about as protected as can be. Nobody, including myself, can transfer the domain. The only way it’s possible to transfer is to cancel the service, and part of that process is legally proving my identity with official documents.
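The three steps above (strong, unique passwords plus 2-step verification, a monitor that alerts an address the attacker cannot silence, and a registrar transfer lock) are things you buy or switch on rather than write. The monitoring piece is the one that is easy to build yourself, so here is an added example of what such a monitor checks. It is not code from the post, from Domain Monitor, or from GoDaddy. It parses WHOIS-style text into the fields that change during a hijack (registrar, nameservers, EPP status locks, update date), diffs a fresh snapshot against a stored baseline, and returns alert strings; delivering them to an alternate mailbox is left to the caller. The two WHOIS records are constructed samples that mirror the story in the post (registrar changed, nameservers dropped, locks gone), not real lookups.

```python
"""Domain-change monitor: diff a WHOIS snapshot against a baseline.

Added example, not from the original post.  The WHOIS text below is
constructed sample data; in practice the current snapshot would come
from a WHOIS/RDAP lookup run on a schedule, and the alerts would be
sent to an e-mail address the attacker does not control.
"""
import re

# One regex per field we care about.  Status lines look like
# "Domain Status: clientTransferProhibited https://icann.org/epp#..."
# so we keep only the first token.
FIELDS = {
    "registrar": re.compile(r"^Registrar:\s*(.+)$", re.I | re.M),
    "nameserver": re.compile(r"^Name Server:\s*(\S+)$", re.I | re.M),
    "status": re.compile(r"^Domain Status:\s*(\S+)", re.I | re.M),
    "updated": re.compile(r"^Updated Date:\s*(\S+)$", re.I | re.M),
}

# EPP locks a protected domain should carry; losing one is the first
# visible step of a transfer.
EXPECTED_LOCKS = {
    "clientTransferProhibited",
    "clientDeleteProhibited",
    "clientUpdateProhibited",
}

# Constructed baseline: domain locked at its registrar, two nameservers.
BASELINE_WHOIS = """\
Domain Name: EXAMPLE-SITE.COM
Registrar: Example Registrar A (constructed)
Updated Date: 2011-06-01T00:00:00Z
Domain Status: clientTransferProhibited
Domain Status: clientDeleteProhibited
Domain Status: clientUpdateProhibited
Name Server: NS1.EXAMPLE-HOST.NET
Name Server: NS2.EXAMPLE-HOST.NET
"""

# Constructed post-hijack record: new registrar, locks gone, no nameservers.
HIJACKED_WHOIS = """\
Domain Name: EXAMPLE-SITE.COM
Registrar: Example Registrar B (constructed)
Updated Date: 2011-12-01T03:14:00Z
Domain Status: ok
"""


def parse_whois(text):
    """Reduce raw WHOIS text to the handful of fields we monitor."""
    m = FIELDS["registrar"].search(text)
    registrar = m.group(1).strip() if m else None
    m = FIELDS["updated"].search(text)
    updated = m.group(1) if m else None
    return {
        "registrar": registrar,
        "nameservers": sorted(ns.lower() for ns in FIELDS["nameserver"].findall(text)),
        "status": set(FIELDS["status"].findall(text)),
        "updated": updated,
    }


def diff_snapshot(baseline, current):
    """Compare two parsed snapshots; return a list of alert strings."""
    alerts = []
    if baseline["registrar"] != current["registrar"]:
        alerts.append(f"registrar changed: {baseline['registrar']} -> {current['registrar']}")
    if baseline["nameservers"] != current["nameservers"]:
        alerts.append(f"nameservers changed: {baseline['nameservers']} -> {current['nameservers']}")
    for lock in sorted(EXPECTED_LOCKS & baseline["status"]):
        if lock not in current["status"]:
            alerts.append(f"lock removed: {lock}")
    # A bumped update date with no tracked change still deserves a look
    # (contact e-mail or registrant details may have been edited).
    if baseline["updated"] != current["updated"] and not alerts:
        alerts.append(f"record updated at {current['updated']} with no tracked field change; review manually")
    return alerts


def check_domain(baseline_text, current_text):
    """Parse both records and return the alerts (empty list means no change)."""
    return diff_snapshot(parse_whois(baseline_text), parse_whois(current_text))


if __name__ == "__main__":
    for line in check_domain(BASELINE_WHOIS, HIJACKED_WHOIS):
        print("ALERT:", line)
```

Run on the two constructed records it reports the registrar change, the emptied nameserver list and each of the three removed locks; run against an unchanged record it returns an empty list. The point of the design is that the baseline lives with the monitor, not in the mailbox the attacker controls, so deleting notification mail does not hide the change.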
So yes, I’m going to keep css-tricks.com on GoDaddy. They were the folks that were with me during all of this and now, especially with the protected registration, I feel secure there.
How are the other people doing?
It’s mostly good news. There are only three unresolved cases that I know of.
- The worst of which is Soh Tanaka’s sohtanaka.com. Soh needs 1and1 to start being responsive and cooperative and accept the domain back from PlanetDomain who is ready to give it back. Soh’s site has been offline for days which is super uncool.
- A similar situation is Ali A.’s shiachat.com. Ali needs 1and1’s cooperation but doesn’t have it. At least Ali’s nameservers are pointed to the correct place.
- Kirupa Chinnathambi is waiting for Network Solutions to get rolling on getting kirupa.com back to him. Apparently the two companies are talking though.
I think it may be of benefit to apply a little social pressure to @netsolcares and @1and1 on these folks’ behalf, if you are up for it.
Thank you
I’m also quite sure that each of you helped. The community outpouring of support got the attention of the companies involved and surely expedited things. css-tricks.com is now safe. I’m very grateful for that. Now back to your regularly scheduled programming. There are many more articles and screencasts to come!
one question was not asked in your post:
why did this happen? What is the aspired result of a domain theft?
Or is it again just “hacking for fun” ?
Seems like this person was targeting high traffic sites for ransom.
For the record, I was never contacted by the criminal (which they would of course have to do to request a ransom). David Walsh did get some suspicious emails alluding to ransom, but they were very vague and no proof came of them.
I suspect we got onto the fight to get them back before their plan was fully hatched. I also suspect that they do this to a lot more domains than just the few from this saga. And I also suspect they may not have some “grand plan.” No proof of any of this though.
Glad to see everything worked out!
Might it be that you logged in a some site and messed up site’s password with your gmail one?
Glad to see you got it back
Sad story with a happy end! I’m using the KeePass tool to generate and keep long unique passwords. And I’m changing them all regularly. It takes about 3 hours each time (yeah, many passwords to change), but makes me feel a little safer (most important: make regular backups of KeePass).
I use KeePass also and use DropBox to sync it across all devices giving me a nice helpful solution to the backup issue (i.e. automatic). Really useful setup. 3 hours is hard, but you would have to do that regardless of KeePass anyway I suppose.
@jwwishart I’d be careful using dropbox… there were reports of vulnerabilities with it back in June (ref).
Glad you got it back! First thing I did after reading your post is turning on 2-step verification in GMail.
Were you on a Mac or PC?
what does that matter? They’re both vulnerable to hacks.
And don’t forget that a Mac IS a PC.
Duh. However, Unix is still much less prone to malware than Windows, and you’re not going to get a keylogger or whatever unless you’re rather gullible. The only malware I’m aware of for OS X are trojans, which require you to manually install them and give them your admin password. There aren’t drive-bys that install via Flash or Acrobat exploits.
Duh?
It’s not like OS X is one of the first products to be hacked in general in hack contests. And talking about Flash exploits:
http://www.macnn.com/articles/08/04/10/adobe.fixes.flash.exploit/
http://www.adobe.com/support/security/advisories/apsa11-01.html
http://www.adobe.com/support/security/advisories/apsa10-01.html
It’s not like it’s new.
Glad it all turned out ok in the end. Thanks for sharing the experience and documenting it so methodically.
A useful and salutary lesson in not getting complacent about web security of any kind. Not that I’m saying you were complacent though. But a complete domain theft isn’t high on many average webmasters’/bloggers’ agendas I’m sure.
I shall be analysing things on this front. Paying far too much attention to stopping hackers and leechers damaging actual site content – not enough time on the bigger security picture.
Cheers
I
There has to be some commonality!
Were you all using Macs? What about your website hosts? Some software that reports back to the criminal?
Surely hacking all these individual websites or domains must be very difficult without some commonality.
@Chris Coyier
Hello sir,
I’m the biggest fan of yours, your ideas and creativity are just awesome :) thanks for sharing such an informative post with us.
Actually I also wanna ask a question which is much different from the post simple to read but difficult to answer :)
Which is your favorite web browser, if any please share with us why?
Nice try, hacker.
Yeah! Get lost, looser… Go f$%* yourself!
Sorry, but I’m not a hacker, I just asked a simple question. What I can say is mine is Google Chrome and I wanna know about Chris sir’s. What’s the try of hacking here, @Internet Security Officer and @ralph?
If your gmail password changed, that’s a signal to me that the attacker got into your email by somehow resetting your gmail password. Either by intercepting the email to your secondary account, or by somehow being able to predict the contents of the reset link that gmail generates.
If he’d used a keylogger, he wouldn’t have needed to do any of that.
From that point on he may have been able to retrieve your passwords from GoDaddy by using their forgotten password systems. If he was able to retrieve your password and not reset it, then that would suggest that is certainly a vulnerability with GoDaddy.
I too am interested in how this happened. Most perplexing. It sounds like there’s no one clear place all, or enough, of your passwords exist side by side. A few questions if I may:
1. Do you use a password storage system like LastPass?
2. Or a password generation system like SuperGenPass?
3. Do you save/remember the passwords in your browser?
4. Does your browser cloud-sync your passwords between machines?
5. Do you backup your primary OS(s) somewhere (e.g. Time Machine)?
At the end of the day, as with most crimes, if there’s enough effort you can hack most systems. They need to be open enough for Joe Public to be able to use them in meaningful ways, thus they can never be truly secure. All that said: criminals will normally only put in that level of effort if there’s enough of an incentive, and in the case of most of the domains in question, there’s no clear ‘payout’ – which in turn implies that this was either relatively easy or generally malicious. Worrying.
As a side note, all the drop-downs on the above fields for auto-completing them are just black. I’m using Opera 11.60, which has the new HTML5 parser so it might be that. I’ve logged it with Opera, but you might want to take a look.
Good luck!
Being from Ukraine myself, this whole issue weirdly makes me proud (don’t get me wrong, I’m glad everything is fine with Chris’ domain now and hope those who still have this problem unresolved will shortly) and ashamed simultaneously. I think it has made all of us, including Internet giants, pay much closer attention to security.
By the way Chris, when I highlighted and dragged a line to a new place within this paragraph it hadn’t updated in the Comment Preview area. I use the latest Chrome at the moment.
Yeah, what a relief!
I’ve been using the Google phone authentication for a while now. Also, I don’t know if the gmail HTTPS connection is by default, but it’s a good idea.
What about connecting through an ssh tunnel when you’re browsing on unsecure networks?
GMail does not default to HTTPS (at least it didn’t before I turned it on) and it’s a great idea to force HTTPS over all pages, not just when logging in/out.
There has been a lot of fuss lately about SSL and some major sites not using it 100% of the time (Facebook now has the option as well to force SSL over all pages). I don’t know if anyone remembers, but a while back Eric Butler released a tool essentially making sniffing unsecured wireless data a breeze.
That tool, as well as some others, has basically made “hacking” easy enough, and user-friendly enough for any random person to do.
Chris,
If you think that your GMail account was the point of origin, then you could consider SSL over all pages.
I’d like to know WHY the criminal did it? What he gained from it?
scroll up and read comment 1.
I’m using Name.com and their “NameSafe” feature (which is free). It uses Verisign’s “VIP Mobile” app (or you can get a keyfob) and it’s essentially the same thing as Google’s two-factor authentication.
Very interesting read. Well done Chris, your work will not go down for the sake of the lives that you impact on a daily basis. We all must tighten our belts and it just proves the point that no system is 100% secure.
Delighted to hear the problem’s all sorted now. Can’t quite figure out why they’d have done it in the first place, but that’s crooks for you I guess. I also set up 2 step gmail verification after reading about the issue. Just glad you managed to sort it all out. :)
FTP is insecure. Should be using ssh.
I use SFTP, for the record.
Robert, If you have an SSH daemon running on your server, it doubles as an SFTP server. Which is essentially the same as FTP, but tunneled over SSH. Most FTP clients support this.
What a nightmare! I’m glad you were able to get it back.
Glad you got it back, Chris
btw, and totally unrelated, we are receiving your RSS twice per post .. very recently, though ..
2-factor authentication only works when you’re doing it over the web. Were you ever checking the email over IMAP? Or set up gtalk? What I’m asking is have you issued any “Application specific passwords”? If you have – revoke all of them (and re-issue if you’re brave).
An application specific password allows you to access GMail over IMAP – meaning that you can delete all the messages without having to confirm over the phone. If someone gets ahold of that – they can do whatever they like with your Google account as long as there’s APIs for that…
css-tricks = chris coyier .. can be JUST ONE in the world! Thanks for share your knowledge :D
مبرووووووووووك
I am glad you could resolve it. I sometimes have the feeling that online criminals are not taken seriously enough. But stealing someone’s domain, or hacking their page, e-mail account etc. is nowadays the same as breaking into someone’s store or stealing their identity….
I am happy for you, that it went that smooth.
Good to hear that it’s safe now … was that the same story as this http://blog.name.com/2011/12/project-freedavidwalshdotname-success/ ?
If the perpetrator got hold of your GMail account, be that with a keylogger or something else, it’s all he needs. I know this because it happened to me but they hacked my PayPal account (and bought 10 licenses of WoW, hence my hatred of the game). Once he has access to your email, he can set automated filters to mark as read and archive any email that comes from @godaddy.com (or @paypal.com in my case!). This way you would never know that you received a “password reset” email or anything similar. With all this in place, he can reset any password he needs (domain, ftp, etc) and gain access anywhere. I’d suggest you check your filters and be very careful with your email password as that’s the only one anyone needs to hack everywhere.
That’s a good news
i felt like watching a suspense horror movie all these days. its so horrible to feel that your domain is gone from you
Yay! The header of this post alone makes me smile.
Thanks for sharing your experiences, I definitely learned something. I signed up for a novice DomainTools account today.
You’ll get tons of free advice about security, so I’ll be brief in my recount of the tools I use. I take a lot of care in selecting them. You’re undoubtedly a Mac guy, so much of this may not apply, but then again, maybe you’ve got Windows too.
Automatic updates, always
LastPass
Pretty good passwords
Panda Cloud Antivirus
Malwarebytes for cleanup
Separate email address for important accounts to use as their email on record
Gmail two-step authentication
Chrome with ScriptNo
Threatfire HIPS
SuRun
PC Tools Firewall
I’d love to hear some more info about how it happened – but it seems like nobody really knows (be sure to let me know if you do figure out how they got into various services).
Good to hear that everything is fine now! :)
Glad to hear everything turned out ok, and that all parties involved were able to work together to get this resolved quickly and (relatively) painlessly.
Thank you for sharing this experience. You have raised so many important points. Thank you for disclosing all the details of this horrible domain theft so we can all be more aware and watchful.
Plus, your site is so lovely – a design and usability inspiration. I wish I could be you – but not badly enough to steal your domain. I will plan to keep coming back to visit often. So glad you keep working, publishing, protecting — keep it up.
Thanks for sharing the whole experience and process so openly. I’m sure this will be a great help in preventing this from happening in the future.
BTW, you should use the hackers same methods and just steal csstricks.com, get rid of the hyphen!
Glad to hear everything worked out!
Recently, a friend of mine got an email from an “unknown” person with his GoDaddy user/pass asking him to pay a few thousand dollars.
He contacted GoDaddy and they replied with “Ignore that mail. It is spam”. How could it be spam with real user/password details?
Definitely glad to hear everything worked out. I’m on 1 and 1 but will be rethinking my professional relationship with them based on their treatment of the others affected by this problem.
Thanks for sharing your experiences with us.
Hey Chris,
Glad you got the domain back, it would have been weird going to css+tricks.com or something like that hahaha!
I know exactly what happened! When using your virtual machine on your Mac someone hacked into the windows end and stole your passwords! That seems the most plausible to me at least!
Enjoy Cali, just got our first snow fall here in Chicago.
Yeahh Congo .
Hi Chris and every1!
Glad you’re fine now…
Sorry for my english, but I did not understand if you used Gmail 2 steps verif. before getting in this trouble…
I actually have Gmail 2 steps on, should I consider myself safe?
Glad this site is now safe. I really enjoy reading your articles.
Personal question Chris, but why do you use GMAIL as opposed to your personalize domain address?
Also, if it’s three different passwords and if they are on your computer somewhere, you might want to check if you have anything shared over your computer. Chances are, it could’ve been intercepted if you were using a public Wi-Fi or something. I don’t know, your Key Chain access, admin password of your(s) Mac(s), something.
Hi Chris,
Glad to hear you got your domain back and everything is up and running again!
Did you check if your Gmail account suddenly had some new filters added under the Settings -> Filters? There was a hack going around that added certain filters without you noticing and they were targeting domain transfers and FTP passwords. Can’t remember where I read about this but check the filters page and see if there’s anything fishy going on in there.
Glad you were able to get your domain back.
It would have sucked to see the site go down with the crappy domain squatter sites.
I visit the site a few times a month to access your useful resources.
Doesn’t gmail log the IP addresses of logins? Perhaps this can help find the hacker.
stoked that you got your domain back, researching how they gained access to those accounts should be a top priority. if the hole isn’t patched it’s only a matter of time before it happens again.
I would wager with a high degree of certainty that some trojan code ran on your machine, stole all your passwords from Firefox and etc, and deposited them to the attacker’s FTP.
Soh Tanaka’s site navigation page is error!
“Error”
“ERROR”
“E-R-R-O-R”.
“Server can’t bla..bla..”
Incredible.. I’m glad it turned out so well for you. I sometimes wonder about GoDaddy though. When I’ve called into their support, the support reps seem to have unlimited access to their customers’ information. Such as being able to read all database connection scripts, etc. on your server (including the passwords inside them). They’ve never asked if they could view files; they just take it upon themselves.
I wish they’d put more protective measures in their internal systems. Such as not allowing their employees access to customers’ server files without explicit permission.
Glad everything worked itself out for you Chris. When you checked your GMail account did you have any of the filters mentioned in the GMail security flaw?
Glad you sorted that out. Unbelievable what can happen.
Congratulations…..Keep it Up….:)
I’m guessing it was a key logger, which would give him access to any key you pressed over a period. People can get these to install silently and remain stealthy. Scary stuff.
Hey Chris I hate godaddy I never ever will use them again!
i suggest Namecheap they can hide your whois and it is free for the first year.
all the best
Edward
It sounds like it might be spyware. I would backup the files and reinstall the OS from scratch, just to be sure. Maybe it is from a trojan that was distributed through a tool that web designers use.
script kiddie probably had a key logger
Hey Chris, Congrats!!!
I’m really very happy now… :)
Thank God !!!
YAY!
Passwords can be different but still predictable if you use a common technique
ex: johnpay for PayPal
johngoog for Google
all the thief needs is 1 password and will figure out the rest
Congratulations Chris!
And keep it safer in future please…
Nice to see you back Chris :)
glad to share you are back !
Awesome to know that you got it back. Those sons of people. Well let’s be happy that everything is back where it’s supposed to. Good to know it’s all good again for you and for all of us. Thanks for letting us know.
Good to hear you got it back. My FTP was hacked once and I know the pain and worrying one has to go through to settle things.
That being said, I think there’s an important piece of advice missing from your section on how to protect yourself: Don’t use the same password for different services, also no slight variations of the same password. There’s a significant chance you’re not hacked at all, somebody simply found your password through a less secure service you signed up for. It’s just a theory, but it is one of the most common patterns of identity theft.
Wow glad you got it back.
Especially as valuable a domain as this one!
“There are many more articles and screencasts to come!”
Really?
Really.
I have been following this and the newer post for days. Great news you are back safe and sound.
We love you Chris!
I don’t think it matters what kind of passwords anyone uses if a keylogger gets on to someone’s machine. The hacker might as well be sat at that person’s computer.
However, you can avoid typing in passwords by copying and pasting them from a secured file.
A browser such as Firefox can also avoid typing in usernames as it saves those, so all you enter is the first letter, then click on the one you want from the drop-down menu. I used that here to enter my personal details easily. (Just three key touches were needed, one for each field.)
Well, for once I’m actually impressed by Godaddy. I’m very, very, very rarely impressed by them, but for once I actually am. I’m glad they did the right thing and helped you get your domain name back.
This kind of incident inspires me to start learning more about website security. Does anyone know any good blogs for that?
Mine, hehe. Just kidding, although I did write a bunch on domain hijacking.
Super post! Just like your blog professionalism! Keep up the good work.
Good story. But what I want to know is….how the HELL did you get on the first page of Google results for the search term “gravatar”? And it shows your gravatar, too. Please teach me.
Wow nice information actually this site is about Domain is Now Safe…! Thumbs up
Nice to see you back Chris :)
Prolly was a bunch of CSS-Dicks
Ah, good to see you back! Keep this awesome blog safe :) Cheers
Glad to hear you were able to get your domain back. That is a scary turn of events. Fortunately, you were able to work it out.
To others asking how this happened: unless the registrar is willing to publicly reveal more details (which they “shouldn’t” do under certain circumstances) how this happened, unfortunately we’ll never really know. We can only make as educated guesses as we can, and take steps to at least strengthen (if not prevent) this from happening to ourselves.
I once commented in Chris’ previous article how it can happen, though:
https://css-tricks.com/15377-this-sites-domain-is-stolen/#comment-129379
Stay safe, everyone.
If he/they target front end web development folks, chances are the tools that they use on an everyday basis such as Firebug or Web Developer Toolbar (or FileZilla) are compromised.
So there is a commonality here.
(Just a theory, though.)
Congrats!
I just found this site (as well as Treehouse) for the first time. Nice site!
Glad to see it back, but how they got your password is very scary. Maybe i should be more careful too.
wow, hell of a story! My whole tech blog got mirrored last year so basically the entire website was to be found identical under a different domain.
But this is a different animal; to get your Gmail hacked and to lose the ownership of your domain must be 1000x worse. Use 2-way login for Gmail!
Glad to hear your domain is safe. Keep on posting Chris.
I emailed 1and1 about those two domains that are still having trouble. This was the reply I got back
Dear Customer,
Thank you for contacting us.
We would like to inform you that this case is already been forwarded to the appropriate who can actually resolve this issue.
If you have any further questions please do not hesitate to contact us.
—
Sincerely,
Arjay Villanueva
Technical Support
1&1 Internet
It’s not a typo, that’s what they sent me.
Kirupa.com is back!! Yay!!
100th comment WOO HOO!
Anyways, I’m glad this domain is safe. I’m not even a designer(at least not yet), but I like coming here.
Nice to see you back.
this is why i prefer sms messages from websites when a password is changed or i’m logged in from a different ip then the usual one.
I wish GMail would offer another option in verification. Some type of IP authentication. Allowing up to 4 additional IPs. Of course, people with dynamic IPs would have to have some type of CIDR or Class C option. You could use your home IP as a primary, work and others for the additional IPs. It would require a hacker to spoof that as well. Possible to spoof an IP? Probably. But that extra authentication step could deter the undetermined.
Just want to say, beautiful website! what font is used for the headings and body text?
I like this website very much….
:)
Fired off a scathing message to [email protected] about getting their ***t together especially because 1and1 has dropped the ball
sohtanaka.com – Unresolved Originally at 1and1, Bad Guy moved to PlanetDomain – Soh Tanaka’s site is offline (nameservers were removed). PlanetDomain is ready to give the domain back to 1and1, but 1and1 isn’t responsive.
And if you have any domains at 1and1.com MOVE them. They are no better than GoDaddy and #sopa.
I have been checking up on the Soh website for weeks and still nothing. Sad to see that, the owner must be very frustrated! That website has some really useful CSS tips and tricks.
I had a good read of the above. Thanks for sharing, it’s the first I have heard of this!
Also glad you have your domain back safe and sound.