Web.com and two domain name providers it owns, NetworkSolutions.com and Register.com, suffered a security breach that experts say opens the door to hackers commandeering websites to steal customer information.
Domain name registrars, a vital cog in Internet infrastructure, reserve domain names and assign unique IP addresses on behalf of their customers.
The Web.com breach, which was first reported by Krebs on Security, happened in August, it but wasn’t detected into earlier this month, according to a notice from Web.com.
The breached information “includes contact details such as name, address, phone numbers, email address and information about the services that we offer to a given account holder,” according to the company. Web.com says it does not believe passwords or credit card information were accessed, however it is requiring its estimated 8.7 million customers to reset their passwords the next time they log on.
While the password reset could be merely a precaution, Bob Rudis, chief security data scientist at Rapid7, says it’s unusual if the company insists that passwords were not compromised.
“Anyone that uses these organizations should be really concerned. Double check your records,” he says.
Shuman Ghosemajumder, chief technology officer at Shape Security, tells Fortune that a breach like this is essentially exposing “the keys to your kingdom” for those operating a website.
“If an attacker has control over how your domain name is set up, they can impersonate you or your company, and redirect your real users to whatever site they want, in a way that most security controls cannot detect,” he says.
For instance, hackers could redirect users or employees to phishing sites that look just like a legitimate website’s login page and trick them into sharing their usernames and passwords. Or they could divert users to a page that may show content that would embarrass a company, Ghosemajumder says.
A domain breach became a real-life nightmare for a Brazilian bank and its customers in 2016. Hackers tricked customers into entering their login credentials on dummy websites that looked legitimate and also placed malware on their devices, according to researchers from Kaspersky Labs. Another domain hack happened last April when hackers breached ICS-Forth, the domain registrar in Greece that controls .gr and .el domain names, leading to customers having to reset their passwords.
The threat was enough for the Department of Homeland Security to issue a warning in January about domain hijacking campaigns and to encourage people domain owners to use multi-factor authentication, which requires a website administrator to use at least two passwords—including a code sent to their phone or email accounts—before they can log into a site.
It’s a threat that is only becoming more pervasive, Rudis says.
“Over the course of the past three or four years, there have been a number of successful attacks against domain name registrars,” he says. “Once they (hackers) are in, they can do lots of things.”
More must-read stories from Fortune:
—AT&T’s CEO appeased activist investor Elliott Management
—The wireless industry needs more airwaves, but it’s going to be costly
—Spotify’s way to convert free users to paying customers: even more freebies
—Apple looks ahead to augmented reality
—Lyft tries again with monthly memberships. Here’s how much it costs
Catch up with Data Sheet, Fortune’s daily digest on the business of tech.
