
David Airey Hacked

You are likely to hear this from other blogs you read, but I think it serves as a wake-up call for the rest of us. Popular web designer David Airey has had his domain stolen. In his own words:

As many of you know, I left for vacation last month. In hindsight, I should’ve kept this information private.

On the day I left, a hacker logged into my webhost support site and asked for the details to transfer the www.davidairey.com domain.

Ordinarily, this wouldn’t have allowed them to steal my domain, but they must also have had access to my Gmail account, from where they could verify the transfer. The passwords were different, and it’s one of those things I’d love to know how it was done.

What can you do?

  1. Do not reuse the same password for anything
  2. Always use strong, non-dictionary passwords
  3. Lock all your domains in your domain control panel to prevent transfers
  4. Use a reputable host and domain company
  5. Even on vacation, check your mail 🙁

Number 4 is a tricky one because, while lots of people swear by GoDaddy, this is not the first time I have heard of GoDaddy allowing a domain to be swiped right under the owner's nose.
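Point 3 is the one you can verify from the outside: a registrar transfer lock shows up in the public WHOIS record as the EPP status clientTransferProhibited (or serverTransferProhibited when the registry itself holds the lock). The script below is an added example, not code from the original post; it parses WHOIS output in the ICANN-standardised "Domain Status:" layout and flags any domain with no transfer lock. The two WHOIS responses are constructed samples, not real lookups, and the domain and registrar names in them are placeholders.

```python
import re
from dataclasses import dataclass, field

# EPP status codes that block a registrar-to-registrar transfer.
# clientTransferProhibited is the "lock" toggle in the registrar control panel;
# serverTransferProhibited is set by the registry and cannot be cleared from the panel.
TRANSFER_LOCKS = {"clientTransferProhibited", "serverTransferProhibited"}

# ICANN-standardised WHOIS lines look like:
#   Domain Name: EXAMPLE.COM
#   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.IGNORECASE | re.MULTILINE)
DOMAIN_RE = re.compile(r"^\s*Domain Name:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


@dataclass
class LockReport:
    domain: str
    statuses: set = field(default_factory=set)

    @property
    def transfer_locked(self) -> bool:
        """True if at least one transfer-blocking status is present."""
        return bool(self.statuses & TRANSFER_LOCKS)

    @property
    def registry_locked(self) -> bool:
        """True only for the stronger registry-side lock."""
        return "serverTransferProhibited" in self.statuses


def parse_whois(text: str) -> LockReport:
    """Extract the domain name and the set of EPP status codes from WHOIS text."""
    m = DOMAIN_RE.search(text)
    domain = m.group(1).lower() if m else "<unknown>"
    statuses = set(STATUS_RE.findall(text))
    return LockReport(domain, statuses)


def unlocked_domains(records) -> list:
    """Names of every domain in the given WHOIS records that has no transfer lock."""
    return sorted(r.domain for r in map(parse_whois, records) if not r.transfer_locked)


# Constructed sample WHOIS responses (placeholder domains, not real lookups).
SAMPLE_LOCKED = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, LLC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
"""

SAMPLE_UNLOCKED = """\
Domain Name: EXAMPLE.NET
Registrar: Example Registrar, LLC
Domain Status: ok https://icann.org/epp#ok
"""

if __name__ == "__main__":
    for report in map(parse_whois, [SAMPLE_LOCKED, SAMPLE_UNLOCKED]):
        state = "locked" if report.transfer_locked else "UNLOCKED: enable the transfer lock in your registrar panel"
        print(f"{report.domain}: {state}  (statuses: {', '.join(sorted(report.statuses)) or 'none'})")
```

To check a real record, pass the output of the whois command-line tool (for example `whois example.com`) to parse_whois; registrars that use a non-standard WHOIS layout may need the regular expressions adjusted. A domain whose only status is `ok` has no lock at all, which is exactly the state the list above tells you to avoid.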

Got any other tips to share?



Comments

  1. Yikes that’s a scary one. Best not to use free email accounts too.

  2. Scary indeed. David has been having a challenging year!

    Joanna

  3. Wow, that’s very scary. I have different passwords for everything but this is a reminder to me to change them anyway. It’s disgusting how this sort of thing can happen.

  4. How alarming! And if it could happen to a savvy guy like David Airey…

    Host selection (point 4), yes, that’s always a bit of a crap-shoot, isn’t it? Even when you do your homework, there are always a lot of conflicting reviews.

    Your reminder (point 3) to lock domains is an excellent one — simple to do, but so often overlooked.

    And then there’s the strong temptation to be lazy with password selection, especially when most of us have got dozens upon dozens of logins we need to use daily. Realistically, a secure password manager (I use Clipperz) is the only practical way to use site-specific, long, randomly generated passwords, as we *know* we should (points 1 and 2).

    Point 5, ah yes, well… some of us (*ahem*) are so internet-addicted, we’d have to be stranded on a desert island in order to skip an email check! But that’s a whole different kind of problem… 😉

  5. One of the joys of having your own server is that you can lock down things in a way that is difficult using hosted solutions.

    For instance, our email is locked down so we can only log in from a specific IP address. A pain, yes, but it is more secure. Same with shell access and a few other bits.

    If your business is worth anything it is worth a dedicated server. For you guys in the US they cost peanuts too.

  6. One way would be don’t make your own password for your DNS login. If your email is pretty much safe, generate a new password every time by using the forgot-password feature. They give out a hard password which is not easy to hack.

  7. Hello, what a load of defeatist nonsense. If someone steals your domain name, then you make sure you get it back.

    If anyone has a problem with getting a domain name back that has been stolen, please email Brand Killer Robots at sryan@intrench.com. There is more than one way to skin a cat.

  8. The fact that they managed to get the passwords to both David’s domain and a different password to his Gmail account makes it extra scary. Point taken.

  9. Hi Chris,

    Many thanks for bringing this to the attention of your readers. I’m certainly learning a few lessons this year.

    Just arrived back from India, and have a ton of email / comments to respond to. It’s heartening to read all the well-wishes! Thought I’d leave a little thanks here before catching some sleep.

  10. Don’t allow Firefox or IE to store your passwords.

    Use Firefox with the NoScript add-on if you cannot tell a malicious site from a safe site. Make NoScript turn scripts off for all domains unless you 100% trust the site. (This can be a problem as some safe sites can have malicious code injected if they use buggy software.)

  11. That’s awful. I hope the guy that stole it gets hacked in return. Especially since he is now, in essence, ‘stealing traffic’.

    Makes me want to go change all my passwords though. :S

  12. Tony,

    “Don’t allow Firefox or IE to store your passwords.”

    Makes a lot of sense, cheers.

  13. Also have separate email addresses for sensitive accounts. Never make those addresses public. Don’t use them for sending mails to anyone other than one service provider.

    Also your email inbox can be different than your email address.

    Bottom line: Add security by using different username/email addresses for logins.

    It’s a pain, yes. But you’ll get used to it. You will be astonished how many different logins you can remember, once you have to.

    Yours
    John

  14. That’s a good idea, John, about the separate email addresses. Thanks.

  15. Scary! And I wasn’t using the Lock option too; thanks for sharing.

    Wish you a Happy New Year!

  16. Dropping a keystroke logger onto any targeted PC gets yon hacker perfect access to every account and password, even those that are changed daily.

    The hacker who hijacked David Airey’s domain did it with David’s own login info. The only difference is that he wasn’t actually seated in David’s chair — just situated within his keyboard.

    You can use keystroke encryption software to spare yourself the experience. The software is free (Open Source).

    http://www.truecrypt.org/docs/?s=keyfiles

  17. Thanks for sharing this terrible story. I have had my domain attempted to be stolen, but as it was registered with NetSol, and I had put different e-mail addresses down for the admin, owner and technical support contacts, I was made aware before the transfer. Maybe that is a good failsafe: multiple e-mail accounts on the registration info.

  18. Scary really! I find it completely disturbing that the host so easily, without confirmation of ID, gave up the domain. The host should never have used email as “proof positive” of the client, regardless of how “big” they are! Important information like that should always be handled using a phone call, and specific details about the person, site and so on should be asked for! It also gives them a chance to source feedback if they can, highly important if you give a damn about the business! That tech guy should be sacked IMO!

  19. There is no substitute for education. Things are only scary when people are ignorant, weak and just waiting to be subverted.
    Truth is – unless you know how to use the Internet – perhaps you shouldn’t be using it.

    As in everything in life – there are upsides and downsides.

  20. Mr Robot,

    The truth is, the best way to learn is to do. Others can only teach you so much, and there is a substitute for education. It’s called experience.

    Have a great new year.