Two big sites have their domains compromised — and both use the same domain name registrar.
Twitter and the New York Times have apparently had their domain names compromised, and the two companies have one thing in common: they both use MelbourneIT as their domain name registrar.
As of right now, the New York Times whois record reads:
Twitter’s whois record seems to be fine when I look it up at Melbourne IT. As the registrar for the domain, MelbourneIT’s whois is the most up-to-date.
However, the DNS was allegedly compromised earlier today. If that’s the case, it was quickly fixed.
There’s also chatter that Huffington Post’s UK site had its domain name compromised. I can’t confirm this immediately, but it also uses Melbourne IT for its domain registration.
It baffles me that large sites like this can be put into a position where their domain names can be altered. I sure hope both of these companies have been offered two factor authentication for their registrar account — and are using it.
George Kirikos says
The registry WHOIS at Internic.net shows that Twitter.com is on VeriSign-lock (e.g. Status: serverUpdateProhibited), with a last updated date in April 2013. So, even if the registrar WHOIS was compromised, it doesn’t appear that the nameservers were ever changed (when a domain is under VeriSign-lock, it requires human intervention to unlock).
The NYTimes.com WHOIS at Internic.net does show it was updated today, though (August 27th), and is now on VeriSign lock. The WHOIS history at DomainTools doesn’t show the historical registry WHOIS, though (to know whether it was on VeriSign lock prior to today).
Donny says
George we both know that registrar lock means nothing in the real world. I’m betting that SEA now has control of melbourneit.com and with it any domain that is in their system. Actually based on their recent twitter post they are currently logged into Twitter’s account at melbourneit.com.
George Kirikos says
Donny: I said VeriSign-lock (which is a *registry-level* lock). It’s much stronger than a Registrar lock. See, for example:
http://www.circleid.com/posts/domain_registry_locking_why_not_use_it/
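A defender's check of the distinction George draws above, as an added example that is not from this post or its commenters: it parses registry WHOIS output (constructed samples, in both the older "Status:" line format and the newer "Domain Status:" format) and reports whether a domain carries a registry-level lock (the server*Prohibited EPP codes), only a registrar-level lock (client*Prohibited), or neither.

```python
import re

# EPP status codes (see https://icann.org/epp). "server*" codes are set at the
# registry (VeriSign for .com) and need manual registry action to clear;
# "client*" codes are set by the registrar and go away with registrar access.
REGISTRY_LOCK = {"serverUpdateProhibited", "serverDeleteProhibited",
                 "serverTransferProhibited"}
REGISTRAR_LOCK = {"clientUpdateProhibited", "clientDeleteProhibited",
                  "clientTransferProhibited"}

# Matches both "Status: serverUpdateProhibited" (older Verisign output) and
# "Domain Status: clientTransferProhibited https://icann.org/epp#..." (newer).
STATUS_RE = re.compile(r"^\s*(?:Domain )?Status:\s*([A-Za-z]+)", re.MULTILINE)

def parse_statuses(whois_text):
    """Return the set of EPP status codes present in registry WHOIS output."""
    return set(STATUS_RE.findall(whois_text))

def assess_lock(whois_text):
    """Classify the lock level: registry, partial-registry, registrar or none."""
    statuses = parse_statuses(whois_text)
    registry = REGISTRY_LOCK & statuses
    registrar = REGISTRAR_LOCK & statuses
    if REGISTRY_LOCK <= statuses:
        level = "registry"          # update, delete and transfer all registry-locked
    elif registry:
        level = "partial-registry"  # some server* codes present, but not all three
    elif registrar:
        level = "registrar"         # only client* codes: clearable from the registrar account
    else:
        level = "none"
    return {"level": level, "registry": sorted(registry), "registrar": sorted(registrar),
            "missing_registry": sorted(REGISTRY_LOCK - statuses)}

# Constructed sample WHOIS output (not real records) in both formats.
LOCKED_SAMPLE = """   Domain Name: EXAMPLE.COM
   Status: clientTransferProhibited
   Status: serverDeleteProhibited
   Status: serverTransferProhibited
   Status: serverUpdateProhibited
   Updated Date: 15-apr-2013
"""
REGISTRAR_ONLY_SAMPLE = """   Domain Name: EXAMPLE.NET
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""
if __name__ == "__main__":
    for name, sample in (("locked", LOCKED_SAMPLE), ("registrar-only", REGISTRAR_ONLY_SAMPLE)):
        print(name, assess_lock(sample))
```

A domain reported as "registrar" or "none" is exactly the case Donny describes: whoever holds the registrar account can change the nameservers without any registry-side intervention.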
Donny says
George, that is the one where you have to manually contact the domain registrar. It wouldn’t stop them from changing the whois, but it would stop them from changing the DNS which is what they are doing on a lot of the domains right now.
Here’s a screenshot of them in twitter’s account from about 20 minutes ago:
https://twitter.com/Official_SEA16/status/372484705238540288/photo/1