NameCheap security issues

You may well have heard about the recent NameCheap hack. CyberVor, a group of Russian hackers, obtained username and password information from other raids (up to 1.2bn sets of info, according to this CSO article) and used it to attempt to gain access to NameCheap accounts. NameCheap is an American company that registers domain names and hosts websites. So do we, but this blog post isn’t about why you should come to us rather than them. This blog post is about something far more important.

Advice to account holders

Inevitably, after the hack attempt NameCheap rushed out a statement. It includes advice and reassurance, but also this rather eye-popping line:

Our early investigation shows that those users who use the same password for their Namecheap account that are used on other websites are the ones who are vulnerable.

No, er, surprise, Sherlock? This is one of the most basic points of maintaining the security of your information on the internet. Use different passwords for different websites, otherwise anyone who gets their mucky paws on your password for one site can really go to town on the others. As that same CSO article says:

Data breaches at websites are often a source for usernames and passwords, and hackers have long been collecting lists of credentials that they hope will unlock other Web services. Security experts advise people to not reuse passwords for this reason.

Users ignoring advice

What really shocked us was that the company actually felt the need to spell this one out. Clearly it’s prevalent practice, still, even after years of hacks and advice and company password policies. No matter how sophisticated encryption techniques and how brain-meltingly clever log-ins become, ultimately user behaviour is a massively influential factor in the security of any system. When designing the security of your company’s systems, overlook that one at your peril.