CEO of Aura Information Security, Andy Prow, speaks on the growth of cyber-attacks and the industry trying to prevent them. Video / Supplied
Register.com - one of the world's largest internet registrars - is warning people to change their password and monitor their credit card account for suspicious activity following a massive security breach.
A registrar is a company that sells and manages domains, or website addresses.
Register.com is popular with Kiwis - and millions of others worldwide - who want to get a ".com" address.
An email to Register.com customers sent this morning NZT, says the company learned on October 16 that "a third-party gained unauthorized access" in late August.
It wasn't immediately clear why it took until October 30 to notify customers, with some not emailed until this morning.
Register.com's email said the breach did not include credit card details but did include "information for current and former Register.com customers may have been accessed. This information includes contact details such as name, address, phone numbers [and] email addresses."
It was fuzzy on whether passwords were taken. A spokesperson told media, "We encrypt account passwords and do not believe this information is vulnerable as a specific result of this incident." The password resets were just an "added precautionary measure," according to the spokesperson.
The August breach involved both Register.com and its sister company Network Solutions - both of which are owned by Web.com.
Krebs on Security reported Web.com wasn't clear how long the intrusion lasted, but if the breach wasn't detected until mid-October that means the intruders potentially had about six weeks inside unnoticed. That's a long time for an adversary to wander about one's network, and plenty of time to steal a great deal more information than just names, addresses and phone numbers.
Both Network Solutions and Register.com are owned by Web.com. Network Solutions is now the world's fifth-largest domain name registrar, with almost seven million domains in its stable, according to domainstate.com; Register.com listed at 17 with 1.7 million domains.
Web.com said it has reported the incident to law enforcement and hired an outside security firm to investigate further.
Tips to keep safe
As ever, it's a good idea to use a different password for every website you access.
Earlier, Vodafone security expert Colin James said a password manager or "vault" can help - that's a bit of software that remembers and autofills all your logons. All you have to remember is one master password.
Another security expert, Ben Creet, added that if you use a relatively new computer, its operating system will protect you against viruses and malware. So if you only have a limited budget, spend it on a password manager like LastPass.
But while a password manager can work seamlessly on a PC, they can come unstuck in today's gadget-heavy world where we're often logging on a service via a phone, tablet or even watch.
Luckily, James has a couple of tricks. One will make your passwords safer, the other will make you a lot more secure.
One is to stop thinking "passwords" and start thinking "passphrases," the Vodafone expert says.
He suggests using a line from your favourite song as your passphrase. It'll be easy for you to remember, but impossible for hacker bots to guess.
His other trick: use "two-factor authentication" or "2FA" in IT-speak. That means you don't just type in a password. You also have to enter a second "factor" - mostly commonly a numerical code texted to your cellphone.
2FA can be a hassle, but many services have an option to only enable for devices outside your home or office.
James says if your device supports fingerprint or facial scan logon, that can be considered a second factor, too - because it requires you to be physically present.
