Update from dotDB: A former employee sent an unauthorized message to the dotDB user database, according to information we just received from the company. The incident is not related to a data leakage or a security issue; all users’ account information and passwords are well stored and encrypted.
Original article follows:
—
DotDB, operating from dotDB.com, is an online tool that provides the ability to search a massive database of domain names.
One can search for keywords, length, TLD and other parameters; dotDB returns a list of domains that match these criteria. The database includes the full spectrum of TLDs, gTLDs, and a great number of ccTLDs.
The dotDB services can be performed with or without a registered account and there are also paid options that include the use of an API. Overall, it’s a great product that can be used to generate leads, or to gauge a domain’s value based on the number of existing TLDs that match.
A few days ago, the web site was down for a few hours; when it came back, a message notified registered users to change their password:
The message noted that there was a system upgrade and all registered accounts were required to reset their passwords. From a technical standpoint, this appears to be a case where passwords were either lost or someone gained access to the database. Whether that data was encrypted or not, it’s a smart practice to reset one’s password.
Today, dotDB displays a different message, noting that a “spammer” sent out a notice that their services are being terminated:
Did a spammer send such a message to dotDB users? It seems that indeed they did, as the following email was sent and in our case it ended up in spam:
It’s evident that the “spammer” sent these emails attempting to pass off as dotDB. What is also evident is that it clearly got hold of a valid database of registered users at dotDB. We used a unique email and password specifically to register for dotDB; this raises the next question about what additional data was leaked, particularly for paid accounts.
Why was such an email sent out to the list of emails apparently leaked from dotDB? To validate these emails, of course. The sender used an email bounce-catcher service and any email that was invalid simply bounced back.
By all means change your password at dotDB and don’t use the same password across different services.
Update from dotDB: A former employee sent an unauthorized message to the dotDB user database, according to information we just received from the company. The incident is not related to a data leakage or a security issue; all users’ account information and passwords are well stored and encrypted.