We lately obtained studies of a possible safety assault vector coming by our helpdesk system, which we use to handle buyer help tickets. We instantly investigated the scenario, and whereas we found a really small risk of breaches occurring, we discovered no proof that any breaches had taken place.
We are actually taking all vital steps to shut this hole in our safety, together with disabling the login and registration of accounts in our helpdesk.
Please bear in mind that this safety hole was solely exploitable in case your Namecheap Buyer Account or Helpdesk Account passwords weren’t safe and had been used on different sources, by which it might have been uncovered and leaked on-line.
What was the menace?
Namecheap Helpdesk Accounts are linked to Namecheap Buyer Accounts. Delicate buyer data is, subsequently, typically referenced throughout help correspondence and saved within the ticket historical past.
Whereas all Namecheap Buyer Accounts have additional safety layers in-built, comparable to 2FA, these weren’t accessible for Helpdesk Accounts. This meant that fraudsters might have used compromised passwords to log in and entry help tickets, and it may need been attainable for them to entry delicate information exchanged throughout help conversations by way of tickets.
There may be additionally an possibility so as to add further contact e-mail addresses in our help system with out further validation, so a brand new e-mail might have been silently added to clients’ Helpdesk Accounts.
What about contacting Buyer Assist?
You possibly can nonetheless contact Buyer Assist by way of Live Chat and are nonetheless in a position to submit tickets — though additional correspondence might want to proceed by e-mail.
Reside Chat makes use of a very completely different system and so was not affected in any manner. This potential safety hole solely pertains to the help ticket space of Namecheap Helpdesk Accounts.
What we’re doing about it
We at all times deal with the safety of our clients as the very best precedence and thus determined to disable login and registration of accounts in our helpdesk — efficient from at this time.
We’re additionally immediately contacting clients with a couple of e-mail handle related to their Helpdesk Account to make 100% positive no fraudulent addresses have been silently added.
What must you do?
We’re immediately contacting any clients which may have been affected, so one of the best plan of action proper now could be to easily test your inbox.
Transferring ahead, please additionally ensure you have robust passwords to your Namecheap accounts — and any accounts, wherever.
Be assured that your safety is our highest precedence and we are going to proceed to analyze and assess any attainable safety breaches.
