The forums have permanently moved to This forum will be kept around in read-only mode for archival purposes. To learn how to continue using your existing account on the new forums, check out this thread.

Page 1 of 3 123 LastLast
Results 1 to 15 of 41

Thread: Domain Has Been Stolen! (and Now It is BACK!)

  1. #1 Domain Has Been Stolen! (and Now It is BACK!)

    Hi everyone,
    Just wanted to let you all know that the domain was stolen by a hacker.

    Currently, the nameservers still point to mediatemple, but if that were to change, that would be quite bad.

    In case the domain no longer points to the correct location, my e-mail address is kirupa[at], and I'll post updates on Facebook (kirupa) and my twitter.

    This isn't isolated to just this site. You can read a full summary of other sites that were affected on css-tricks:

    I've chronicled my path to getting this issue resolved below.

    November 30th / December 1st
    I was contacted by the webmaster of who notified me and others that our domains had been stolen.

    After checking the WhoIS information, I was shocked to find out that was indeed the case.

    I immediately called Network Solutions, and they were helpful in filing a case and mentioned that they would start the process for a formal transfer dispute. They mentioned that the domain was transferred on October 24th.

    In parallel, I contacted Planet Domain, but I haven't heard back from them since.

    Separately, I also noticed that the site itself was hacked with the footer of the home page displaying a link to the hacker's site. The same link that was found in the new WHOIS information for the domain.

    With both the site and the domain having been hacked, someone having gained access to my e-mail seems the most likely case.

    December 2nd/3rd/4th
    I contacted Network Solutions a few more times, and they assured me that the process for filing the dispute is underway. Within a few business days, I will be contacted with more information on this.

    I noticed a handful of entries to a moya.server[at] in my Network Solutions account. I am assuming this is the account the intruder used to have all notifications and approvals sent to. Doing a google search on this account shows others who had their domains stolen using this address as well.

    December 4th
    Planet Domain contacted me and asked for some proof that I was indeed the original owner of the domain. I forwarded them some information from Network Solutions that will hopefully satisfy them.

    December 5th
    Planet Domain, the registrar my domain is currently with, has been extremely helpful. They've put a lock on the domain to make sure it doesn't get transferred or have the nameservers get updated.

    I contacted Network Solutions to ensure there were no holdups with sending the form (something they said they would do last week), and was floored when the person told me that he didn't believe my case. According to him, I legally authorized the transfer - despite me repeating that my e-mail address was hacked and all of this happened under the radar without me knowing about it. There were more wild accusations such as me being like someone who sold this domain for a lot of money. When I told him I could prove to you no money was transferred, he mentioned I could have donated it to a charity instead. I didn't lose my cool and tried to explain why all of these weren't true and pointed him to Slashdot (which he had never heard of, so it wasn't true according to him). In the end, he didn't believe me. We made our standard end-of-phone-call courtesies and hung up.

    Someone in their upper-tier support department left me his e-mail and phone number, and I'll contact him tomorrow. I have to admit that I was saddened by that. After having spoken to 3 really helpful representatives, having 1 that completely ruined the experience is unfortunate.

    So, the good news is that Planet Domain has placed a lock on and won't allow it to be transferred or have the nameserver information changed. The bad news is that I need to see why Network Solutions didn't mail the transfer dispute form. I'm optimistic that talking to the person who reached out to me will get that sorted out soon.

    December 6th
    My optimism proved correct. The person I spoke with this morning at Network Solutions rocked. He will be getting in touch with Planet Domain to get the transfer process started.

    December 14th
    ....and the domain is back! Thanks to everyone for the support and encouragement. More specifically, Jeffrey from Network Solutions, Christine from PlanetDomain, Chris Coyier from css-tricks who provided great up-to-date summaries, and Ali from who notified all of us.


    Great, now even Kirupa is { facebooking | twittering }

  2. #2
    WTF. Let us know if we can help!

  3. #3
    The transfer happened a couple of weeks ago according to NetworkSolutions (, and I didn't even get notified of it. Someone else whose domain was also hacked started searching out other domain names that were affected, and that person contacted me - that is how I got to find out this happened.

    It's all pretty messed up overall. Network Solutions is trying to see what they can do to get the domain transfer halted.

    Great, now even Kirupa is { facebooking | twittering }

  4. #4


    time for ?

  5. #5
    It was probably tbo. He's been complaining about the site being laggy, and has decided to take matters into his own hands with a new host.
    Proud Montanadian
    You want a toe? I can get you a toe... Hell, I can get you a toe by three o'clock this afternoon, with nail polish.

  6. #6
    haha, I wouldn't be surprised

    Great, now even Kirupa is { facebooking | twittering }

  7. #7
    The registered ID shows online on yahoo.
    and Carries the name Black Hat(with hacker mentioned),
    Also found the below link information. Not sure of its authenticity though or even the ones given above.

  8. #8
    Wow. That is insane. I hope everything works out for the best (obviously). It's probably not good for NetworkSolutions that someone can come in and hijack a domain name and NetworkSolutions doesn't even verify any changes with the current owner.

  9. #9
    According to them, the hacker changed the e-mail address on the account so that all confirmation e-mails went to a new account. Since everything is based on e-mail authentication, it seemed like a pretty easy thing to change for the hacker.

    I'm quite nervous/panicky, but Network Solutions assured me they will do their best to correct this problem!

    Great, now even Kirupa is { facebooking | twittering }

  10. #10
    Quote Originally Posted by kirupa View Post
    According to them, the hacker changed the e-mail address on the account so that all confirmation e-mails went to a new account. Since everything is based on e-mail authentication, it seemed like a pretty easy thing to change for the hacker.

    I'm quite nervous/panicky, but Network Solutions assured me they will do their best to correct this problem!
    LOL, yeah, according to them. Let's just hope it wasn't a situation where the person was able to call tech support and have them change the primary e-mail of the account (which may have been listed in your whois lookup originally). It's possible they could have taken that e-mail from the whois lookup and been like 'yeah, this e-mail doesn't exist anymore, I need it changed to [...]. Then from there they could do a password reset request and the confirmation e-mail would be sent to the new e-mail address. It's likely they could have been hacked, but it's also likely they could have had a crappy support rep that fell for that. That's what happened in 2005 with according to his PDF from ICANN:

    Well, if it happened in the last 60 days, things SHOULD be easier for you. According to the ICANN transfer policy, you can refute a transfer within 60 days of it being transferred (unless I am misunderstanding)...
    Upon denying a transfer request for any of the following reasons, the Registrar of Record must provide the Registered Name Holder and the potential Gaining Registrar with the reason for denial. The Registrar of Record may deny a transfer request only in the following specific instances:

    Evidence of fraud
    UDRP action
    Court order by a court of competent jurisdiction
    Reasonable dispute over the identity of the Registered Name Holder or Administrative Contact
    No payment for previous registration period (including credit card charge-backs) if the domain name is past its expiration date or for previous or current registration periods if the domain name has not yet expired. In all such cases, however, the domain name must be put into "Registrar Hold" status by the Registrar of Record prior to the denial of transfer.
    Express written objection to the transfer from the Transfer Contact. (e.g. - email, fax, paper document or other processes by which the Transfer Contact has expressly and voluntarily objected through opt-in means)
    A domain name was already in “lock status” provided that the Registrar provides a readily accessible and reasonable means for the Registered Name Holder to remove the lock status.
    The transfer was requested within 60 days of the creation date as shown in the registry Whois record for the domain name.
    A domain name is within 60 days (or a lesser period to be determined) after being transferred (apart from being transferred back to the original Registrar in cases where both Registrars so agree and/or where a decision in the dispute resolution process so directs). "Transferred" shall only mean that an inter-registrar transfer has occurred in accordance with the procedures of this policy.

  11. #11
    This did happen within the past 60 days (middle of October according to Network Solutions), and they have already filed a formal dispute trying to get the transfer blocked.

    Great, now even Kirupa is { facebooking | twittering }

  12. #12
    Well you know we stand behind you k-man! These fools don't know who they're messing with!

  13. #13
    Thanks lost and others

    Great, now even Kirupa is { facebooking | twittering }

  14. #14
    Hope everything goes well kirupa, damn I leave for like a couple weeks and the site gets hacked O_O
    [Insert Generic Signature Message Here]

  15. #15
    You can see some of the other sites currently this is happening to as well:

    Great, now even Kirupa is { facebooking | twittering }

Page 1 of 3 123 LastLast

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

Home About Meet the Moderators Advertise

 Link to Us


Copyright 1999 - 2012