DomainTools suggests password changes after a vulnerable script leaks data

Someone used a vulnerable email tool to validate previously breached records


On Monday, DomainTools, an intelligence platform used by researchers around the globe, warned customers to change their passwords after a weekend incident correlated existing accounts with data previously exposed in some of this year’s largest data breaches.

DomainTools is a one-stop shop for IP and DNS information, as well as historical records for domains and hosting.

Researchers and journalists alike often find themselves turning to the service in order to connect the dots between a set of domains or hosting providers, or to track the origin of an IP address.

Customers of DomainTools started receiving warnings Monday, which urged them to change their passwords after someone conducted what the company is calling a "high-volume user email harvesting campaign" the previous Sunday.

The harvesting worked because of a vulnerable script on the DomainTools website that handles email-address updates: it responded differently depending on whether a submitted address belonged to an existing account, which turned the endpoint into an account-enumeration oracle.

"To the best of our knowledge, no DomainTools customer login and password combinations were compromised by this scripting effort. However, the campaign appears to have correctly matched a few hundred current or historic DomainTools account email addresses," the DomainTools letter says.

"We encourage DomainTools account holders to change their passwords as a precautionary security measure. From our investigation it appears the actor used email addresses from prior well-known breaches and ran those against our email update process. This campaign resulted in the DomainTools website confirming the existence of a limited number of user email addresses in our membership system. From there, the attacker could conceivably attempt login/password combinations sourced from those prior data dumps such as LinkedIn or Dropbox."

Salted Hash has reached out to DomainTools in order to determine the exact number of accounts exposed. The company's letter says the system being exploited has since been patched, and that additional monitoring has been added to detect and prevent further abuse.
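The pattern described above (a breach list replayed against an email-update endpoint that answers differently for known and unknown addresses), beside a hardened handler that gives a uniform response, and the kind of per-source rate check the notice refers to as "additional monitoring". This is an added illustration, not DomainTools' code: the endpoint path, the membership table, the breach list and the log lines are all constructed for the example.

```python
"""Account-enumeration oracle in an email-update endpoint, its hardened form,
and a simple high-volume request monitor. Added example; all data constructed."""
import secrets
from collections import defaultdict

# Hypothetical membership table (constructed, not real accounts).
MEMBERS = {"alice@example.com", "bob@example.com", "carol@example.net"}

# Constructed stand-in for addresses lifted from an earlier breach dump.
BREACH_DUMP = [
    "alice@example.com", "mallory@example.org",
    "bob@example.com", "nobody@example.com",
]

# Simulated outbox so the hardened handler can be exercised without a mail server.
OUTBOX = []


def vulnerable_email_update(email: str) -> dict:
    """Vulnerable: status and body differ by whether the address exists,
    so anyone can confirm account existence one address at a time."""
    if email in MEMBERS:
        return {"status": 200, "body": "Confirmation sent to your address."}
    return {"status": 404, "body": "No account found for that address."}


def hardened_email_update(email: str) -> dict:
    """Hardened: identical HTTP response either way. The confirmation link is
    sent out of band, only to addresses that really exist, so the response
    itself carries no membership signal. (This does not hide the small timing
    difference from token generation; see the note after the block.)"""
    if email in MEMBERS:
        token = secrets.token_urlsafe(32)
        OUTBOX.append((email, token))
    return {"status": 200,
            "body": "If an account exists for that address, a confirmation link has been sent."}


def enumerate_accounts(handler, candidates) -> set:
    """Attacker's view: probe a certainly-unknown address to get a baseline
    response, then keep every candidate whose response differs from it."""
    probe = "not-a-member-" + secrets.token_hex(8) + "@example.invalid"
    baseline = handler(probe)
    return {c for c in candidates if handler(c) != baseline}


# Constructed access-log lines: "<unix_ts> <client_ip> <method> <path>".
# One client replays 60 addresses in a minute; another makes three normal requests.
SAMPLE_LOG = (
    [f"{i} 203.0.113.5 POST /account/email-update" for i in range(60)]
    + [f"{i} 198.51.100.7 POST /account/email-update" for i in (5, 30, 55)]
)


def flag_high_volume(log_lines, path="/account/email-update",
                     threshold=50, window_s=60) -> set:
    """Monitoring check: count requests to the sensitive endpoint per client IP
    in fixed windows of window_s seconds; return IPs exceeding the threshold."""
    counts = defaultdict(int)
    for line in log_lines:
        ts, ip, _method, req_path = line.split()
        if req_path == path:
            counts[(ip, int(ts) // window_s)] += 1
    return {ip for (ip, _bucket), n in counts.items() if n > threshold}


if __name__ == "__main__":
    print("vulnerable leaks:", enumerate_accounts(vulnerable_email_update, BREACH_DUMP))
    print("hardened leaks:  ", enumerate_accounts(hardened_email_update, BREACH_DUMP))
    print("flagged sources: ", flag_high_volume(SAMPLE_LOG))
```

Run against the constructed breach list, the vulnerable handler confirms exactly the two addresses that are members, while the hardened handler confirms none, because every response is byte-identical. Two caveats apply in a real deployment: the hardened handler still does slightly more work for existing accounts, so the branch should be made equal-cost or moved to an asynchronous job if timing attacks are in scope, and a uniform response is only a partial fix, since a determined attacker who also controls the candidate mailbox will still learn which addresses receive mail; per-source rate limiting and monitoring like the check above is what keeps "a few hundred" from becoming the whole membership table.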

The DomainTools notice isn’t the first time the LinkedIn data breach has been tied to additional security incidents.

Over the summer, industry sources told Salted Hash they had seen upwards of thirty instances in which an organization was compromised because of credentials exposed in the LinkedIn breach.

Earlier this month, Amazon reset customer passwords as a precaution after it found customers reusing credentials that had been exposed elsewhere.

Mass collections of compromised records appear on the web daily, and sometimes the public is informed about them. More often than not however, they're hoarded and traded among criminals online.

Since September, LeakedSource has added more than 300 million records to its database, a collection that now spans nearly 2.5 billion records. Another popular service, 'Have I been pwned?', holds nearly 2 billion records itself.

It should come as no surprise that someone would run a list of breached email addresses against other services to determine where else each one is used.

The question is - why would they be checking for valid DomainTools accounts?
