css-tricks.com is now back under my ownership. Yay!
Quick review of what happened
A criminal stole the ownership of css-tricks.com. They transferred it from GoDaddy to PlanetDomain. I got it back. You can read a whole saga of the events.
This wasn’t just css-tricks.com, this happened at the same time to many other domains that were all “Web tech related blogs.”
How did it happen?
From the perspective of GoDaddy, where the domain was registered, the transfer looked completely legitimate. The criminal logged into my GoDaddy account, unlocked the domain, and transferred it away.
How did they get into my GoDaddy account? To this day, I don’t know.
I do know that they got into my GMail account. By doing this, they were able to delete any emails about the transfer, so I was unaware it even happened. I don’t have proof of the deletions, but I have proof the criminal was in my GMail account. My GoDaddy account password was never changed and didn’t exist in my GMail account, so the criminal was able to get that password another way. On the first day of the hack, a file was also changed on my server, which suggests they had my FTP password as well, which also did not exist in my GMail account. All three were also different. I wish I could tell you exactly how all three of these passwords were hacked. I cannot.
How did it get returned?
I spoke with GoDaddy about the theft. They spoke with PlanetDomain. PlanetDomain agreed to give the domain back to GoDaddy. In my case, both companies were helpful and did all the right things. I actually did very little. I spoke with GoDaddy, filled out their Domain Dispute form, wrote a blog post, did my fair share of worrying, and ultimately it got resolved.
Who is to blame here?
The only person I can find to blame is the criminal (there has been some contact with this criminal, see video).
It’s not GoDaddy’s fault. From their perspective this looks like a standard domain transfer, thousands of which happen every day. They didn’t simply allow a criminal into my account. It’s also unlikely that the criminal broke into my GoDaddy account via a specific GoDaddy weakness. There were many domains affected here from many different registrars. I think it would be nice if GoDaddy offered two-step authentication, but their lack of that didn’t cause this.
It’s not GMail’s fault. Yes, my account was hacked into. I have no idea how. I know the password was reset, but I don’t know if that was a part of the criminal getting in, or because they wanted to keep me out afterward. Once in, theoretically the criminal could have gained access to anything else of mine by resetting passwords, but that wasn’t the case. My GoDaddy or MediaTemple passwords were never changed. Again, there were many domains affected here and the owners of those domains didn’t all use GMail. So it wasn’t GMail specifically that was the vulnerability that caused all this.
It’s not other random technologies fault. I heard some people blaming WordPress, which is just weird.
I’m willing to take some blame here myself. Perhaps I used an unsecure network or something. I’m just not sure.
It’s hard to figure out exactly what happened. You might think that since so many of us were affected we could find the commonality. But unfortunately that has made it harder since we’ve been able to discover so little in common between our situations. It seems to me the most likely case is that the criminal is just damn good at being an internet criminal. Unfortunate that kind of talent is going toward making the world worse instead of better.
What can you do to protect yourself?
This is the section I was looking forward to writing the most. Sadly, I have little to say.
I think you should use really strong passwords that you change frequently. You should probably run antivirus stuff and make sure you don’t have anything nasty like a keylogger. I think you should use 2-step verification if you use GMail, which should theoretically make it much harder for a criminal to get in.
The thing that allowed this to happen under my nose was that the email notifications I should have gotten were deleted. So one thing I have done was to start using Domain Monitor and having it notify an alternate email address of changes.
I’ve also enabled GoDaddy’s Domain Protection. css-tricks.com is now about as protected as can be. Nobody, including myself, can transfer the domain. The only way it’s possible to transfer is to cancel the service, and part of that process is legally proving my identity with official documents.
So yes, I’m going to keep css-tricks.com on GoDaddy. They were the folks that were with me during all of this and now, especially with the protected registration, I feel secure there.
How are the other people doing?
It’s mostly good news. There are only three unresolved cases that I know of.
- The worst of which is Soh Tanaka’s sohtanaka.com. Soh needs 1and1 to start being responsive and cooperative and accept the domain back from PlanetDomain who is ready to give it back. Soh’s site has been offline for days which is super uncool.
- A similar situation is Ali A.’s shiachat.com. Ali needs 1and1’s cooperation but doesn’t have it. At least Ali’s nameservers are pointed to the correct place.
- Kirupa Chinnathambi is waiting for Network Solutions to get rolling on getting kirupa.com back to him. Apparently the two companies are talking though.
I’m also quite sure that each of you helped. The community outpouring of support got the attention of the companies involved and surely expedited things. css-tricks.com is now safe. I’m very grateful for that. Now back to your regularly scheduled programming. There are many more articles and screencasts to come!