Intrusion resulted in confirmation emails sent to a “small number” of customers.
Sedo was compromised over the weekend due to a security hole.
This resulted in a number of registered Sedo users, including myself, receiving an email asking them to confirm their account. The confirmation email started:
Dear Andrew,
Thank you for becoming a Sedo member!
In order to submit your offer for you must first verify that the email you provided is a valid email address.
Sedo sent the following email to affected members today:
Dear Andrew Allemann,
We wish to inform you that on Saturday, 12th April, the Sedo website was compromised by an unknown intruder through a previously unknown security loophole. This resulted in an unauthorized email with the subject “Confirm your Sedo Account” being sent to a small number of our customers.
Our immediate investigation into the matter has shown that your email address was unfortunately one of those affected. That means that the intruder has got your email address only. NO other data has been compromised, i.e. no passwords or other account information was obtained. The security vulnerability was closed as soon as it was detected and any further unauthorized access was successfully prevented. This means that your Sedo account is safe, and you do not need to take any action to safeguard data stored in your account. Clicking on the link in the unauthorized email has no adverse effects.
If you have any questions we will be happy to help you. Please contact your account manager or visit our customer support center at http://support.sedo.com. We apologize for any inconvenience this issue may have caused.
I received 2 like this in the past few days.
To two different email addresses?
Same here. I received 2 for 2 different emails. One from sedo.com and the other from sedo.co.uk, going to 2 different emails/accounts I have there.
They have your, and my, name and the fact that we use Sedo. That is more than just the email address.
I am angry with them for blowing a sale for me last week with nonsense “security”, anyway. When I called them they were in chaos.
They even have my login password: the link in the email directly logged me into my Sedo account!
I can confirm the link does log you into your own account automatically.
However, this is not an indication of any info being compromised. The hacker seems to have taken advantage of a glitch that sent out hashed links to a yet to be determined number of Sedo account holders. In other words, the link was only sent to the members en masse.
Of course, it’s time to change passwords, yet again.
Acro, do you think the hacker got access to the passwords, or was it just in the email?
Either way, changing passwords makes sense.
Most likely, they only had access to a tool limited to creating and dispatching a mass email. The hashed links are ‘live’, however, so don’t share them around.
If the hacker has access to my account then the least Sedo could do is give correct information about this…
I’ve got three Sedo accounts and got an email for each, so you can be sure this wasn’t a “small number”.
I received one of the first emails from sedo.co.uk – thought it was dodgy given the Heartbleed stuff, but the links looked legit. Didn’t action it though. I’ve never received (yet) the follow up email from Sedo explaining the situation.
You can always use a company like Corporation Service Company to manage your domains. We have never been hacked and we deal with some of the largest domain portfolios in the world. Let me know if you want some help.
I’m curious why people have multiple Sedo accounts.