Diigo, a social bookmarking and annotation site, is finally back online 50 hours after the domain was first hijacked. It’s an incredible story that involves crisis management, blackmail, investigative research, payoffs, a clever thief, and points to potential problems with the domain name registry system that could affect anyone with a website. Diigo’s co-founder called it a nightmare and crisis that he’d like to help other companies avoid.
Diigo has 5 million registered users. For two days this week, they couldn’t access the site. The service is both a collaborative research tool, and a social content site. TechCrunch called Diigo “a research tool that rocks”, back in 2006. I’m a big fan and started using Diigo (pronounced Dee’go) to bookmark websites after Yahoo shut down its popular bookmarking site Delicious.
What Happened To Diigo.com
This past Wednesday, I tried using Diigo’s browser bookmarklet to save a site to my library. But, it didn’t work. I went to the Diigo.com site and it got one of those junky parked domain pages that you see when you mistype a URL. My first thought was, did the site close or perhaps their domain name expire? I checked Diigo’s twitter account and learned their domain was hijacked. The twitter account directed users to an emergency announcement that was put up at diigo.net, not diigo.com.
“Dear Diigo users,
We’re terribly sorry to inform you that we’re experiencing domain hijacking, ie. someone gained access to our Yahoo domain registrar account, and illegally hijacked the domain, http://www.diigo.com. Very soon http://www.diigo.com may not be accessible to you until this issue is resolved.
But please rest assured that all our servers and user data are NOT compromised…”
The message also included a way users could help:
“Meanwhile, if you’re an avid Diigo/ twitter user, plesae (sic) help RT and speed up the recovery. Thanks!
On Friday afternoon, after 50 hours, the Diigo.com came back online.
Diigo posted an update saying:
“After an unbelieveable 48 hours roller coaster ordeal, Diigo.com is back! While all our servers and user data were completely unaffected during this time, our domain name registered through yahoo domain service (completely separated access from Diigo servers / user data) was “hijacked” for the past 2 days (no, our domain didn’t expire, but was literally stolen and illegally “transferred out”. According to Yahoo’s log, the thief even called into Yahoo and pretended to be the owner to inquire the transfer, if you can believe that!)
Simply looking-around the web shows that domain theft / hijacking has been causing a lot of disruptions and economic damage. During this ordeal, we have learned some valuable lessons to share with you all. Stay tuned after we get some much needed rest first!”
I contacted Wade Ren, Diigo’s Co-founder and Executive Chairman to get the details of what happened. He agreed to share his story in the hope that other companies will learn some valuable lessons and not have a similar crisis.
Ren told me “it’s a nightmare since it was unexpected. It was a crisis because it may damage Diigo the brand if it isn’t resolved quickly. And it was an ordeal to go begging for help and getting frustrating go-arounds.”
The Diigo team learned their site was being redirected Wednesday morning. They did a WHOIS search and learned their domain was moved from their Yahoo domains to another domain registrar called Aust Domains.
Ren called Yahoo to find out what happened. Ren says he had several calls with Yahoo over the course of 30 hours, but Yahoo staffers repeatedly told him they couldn’t do anything to help. They insisted the only option was to file a police report, which Ren knew, at best, would take a long time to get his domain back.
Ren also discovered Yahoo is not an official domain name registry operator, like GoDaddy, eNom, Tucows, and Melbourne IT. It turns out Yahoo is a domain reseller, and anyone using Yahoo Domains really uses a third party DNS registry operator. Ren’s account used Melbourne IT Ltd., based in Australia.
I discovered that Yahoo discloses this in the fine print in our Small Business Terms of Service
In section 1.3,
“Certain Services that You purchase or receive from Yahoo! may be provided by one or more third-party vendors, contractors, or affiliates selected by Yahoo! … Currently such third parties include: Melbourne IT Ltd for Yahoo! Merchant Solutions, Yahoo! Web Hosting, Yahoo! Business Email, and Yahoo! Domains customers.”
Ren discovered that the actual DNS registry operator, Melbourne IT, would need to get involved to get this resolved. After much pleading, a Yahoo staffer called Melbourne IT to help, and was told that since the domain was transferred out, there was nothing they can do.
At the same time, Ren called and sent an email to Aust Domains, where diigo.com was now registered. His email, titled “high traffic domains stolen, please help!” got a boilerplate reply from customer support saying:
“In this case, you will need to contact your domain registrar (Yahoo) to submit a complaint to Verisign (Global domain registry).
Once we receive the formal decision from Verisign, we will take the further action.”
Aust Domains and Yahoo weren’t going to help Ren get his domain back quickly. But then Ren was contacted by someone who could. The thief.
The thief, who had a yahoo email address, wanted money in exchange for Diigo to get their domain back. Ren says the thief bragged about how he had done this many times before and was very careful.
Of course, Ren in principle didn’t want to do business with a cyber blackmailer. But, he wanted to get his site back as quickly as possible for his users and didn’t want to deal with this problem much longer. He said the thief was well aware of the timing. He said the criminal knew it may still take 2 weeks for Diigo to get their site back even with the help of Yahoo, and it would be a lot quicker to pay him to get the domain back, otherwise known as blackmail.
Weighting options, Ren decided to pay the money and was given the account information at Aust Domain so Diigo could get their site back, by pointing the DNS settings back to his servers. Ren doesn’t want to disclose the exact amount of the payment, but it was in the 3-figures.
Searching the web, Ren found many cases of domain hijacking, and in one case, by the same hijacker at HowardForum.com, the thief was paid $400. You can read the timeline of that attack here.
In that case, the website owner says his registrar, GoDaddy, worked with Aust Domains to get the domain back. It took 13 days. Howard shared some of the emails he got from the thief:
Hello, I’m ready to sell that domain for 400 $. let me know if you are interested so we can talk about the transaction method.
My offer is valid for 12 hours anyway. Good luck.
I’m not looking for any trouble, You pay and I’ll provide you the info instantly after payment
The important thing is I’m the owner of this domain at this moment and after few weeks I decided to sell this domain…. you are wasting my time by asking unrelated questions.
Back to Diigo, Ren says that at the same time he was in contact with the criminal, a more senior person at Yahoo got in touch with him. This person was much more eager to help.
I sent requests via email and phone to Yahoo for comment. After 22 hours, Yahoo’s PR department told me they will look into this. I’m still awaiting their reply and will update this post with any response.
Ren says he’s learned several lessons this past week that he wants to share.
Ren isn’t sure how the thief got the account’s password. He speculates it could have happened on some public wifi network and was perhaps sold to the blackmailer. But, all the thief needed to transfer the domain was his email and password.
The thief was very careful according to Ren. He doesn’t let his target know that he’s hijacking their domain until it’s too late. The thief didn’t change his Yahoo account password. He just took actions to transfer the domain to the new registrar.
Since the thief still had access to the Yahoo account’s email, Ren suspects the thief was watching his emails and quickly deleted ones that might have warned Ren of the domain transfer. This wasn’t Ren’s main email account so he didn’t check it as often.
He says 2-step verification of logins could have prevented all this. Yahoo offers 2-step verification where “any sign-in attempt Yahoo! deems suspicious will require a second verification, either answering your account’s security question or entering a verification code we send to the mobile phone or non-Yahoo! alternate email address we have on file.”
Ren says that unfortunately, this security feature is still in beta and does not seem to work as promised. After the hijacking happened, Ren says he tested his account and was surprised to find that he could still login without the verification step. When Ren told Yahoo about this problem during the hijacking, they asked him to fill out a bug ticket to report it.
Would the domain locking featured offered by Yahoo and other registrars have helped? Ren says no, it only provides false hope. Since the thief had access to his account, the thief was simply able to turn domain locking off. And the thief was able to get the domain transfer authorization code, designed to prevent fraudulent or unauthorized transfer, because he had access to the account.
Ren says he’s learned it’s better to use a domain name registry operator, rather than a reseller.
Based on his experience, Ren says the the domain name registry system is flawed and it needs a system to freeze a domain transfer and revert the domain to its pre-transfer state, immediately after a transfer dispute is submitted, pending further investigation.
Ren makes a comparison to the online banking industry. If someone steals you financial account, you have more recourse and security since further verification steps are typically required. But even though your website might be your most business important asset, you don’t have the same protection from your domain host, and there ought to be better procedures and recourse in place to prevent this from happening.
Until that happens, criminals will still be out there taking advantage of the situation and prying on unsuspecting website owners.