How ANN Was Hacked
posted on by Christopher Macdonald

As you know, on August 7th, ANN was "hacked." Here's how it happened.
On August 7th, a hacker contacted my cell phone company to initiate the transfer of my number to a new SIM card. The hacker called 3 times, and each time they failed the security authentication. After three failures, they tried my cell phone company's online chat feature, where they were able to convince a customer service representative (CSR) to make the transfer. At this time, it isn't clear to me if the CSR was negligent, or if the hackers did manage to exploit a weakness in my cellphone company's system, or my account; however, the evidence currently suggests that it was a bad decision on the CSR's part that contributed to the successful hack.
Finding my phone number isn't particularly hard. It's on my business cards, it's on every e-mail I send, and it was in ANN's whois information.
With control over my cellphone number, the hackers were able to exploit “account recovery” features to gain access to one of my e-mail accounts. Of course, the e-mail account they targeted was the one used for ANN's domain registrar. Once they had my e-mail account, they were able to use it to retrieve the password for ANN's registrar account and then transfer the ANN domain to a registrar in Hong Kong.
They also used my phone number to recover the password for ANN's @Anime twitter account, delete the account, and then rename their own account to @Anime.
With control of the AnimeNewsNetwork.com domain, the hackers are now theoretically able to read any e-mail sent to e-mail addresses @ AnimeNewsNetwork.com, and we have reason to believe that they are doing this. So don't send e-mail to our old addresses.
Aside from this, the hackers never compromised our servers. They never gained access to anything on our server, no passwords, user info, or anything was compromised.
Since the hack, we've been able to regain full control of everything except for our domain name. We expect to have the domain back shortly; however, we've been warned that the ICANN process can take anywhere from a few days to a few weeks.
We've also learned a few important security lessons from this. On a personal level, I've made sure that my phone carrier now maintains a higher level of security on my account, and the online access has been disabled. This is an important lesson for anyone who relies on cellphone/SMS-based 2-factor authentication and/or account recovery: your cell phone might not be as secure as you assume it is.
On ANN's side, we're moving all our domain registrations to more secure domain registrars. Once we get AnimeNewsNetwork.com back, it will go to an extremely secure (and expensive) registrar that will not make domain changes without offline confirmation. Our other, secondary domains will go to a normal registrar with a good reputation for security. (Our current registrar bites; I've been with them since the '90s because they did some very cool things back then, but I let my emotional attachment to their early achievements blind me to their lack of security today.) Furthermore, among many other things, we'll be reviewing the 2-factor and, more importantly, account recovery settings for all of ANN's accounts; they certainly won't be tied to well-known phone numbers.
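A review of recovery settings like the one described above can be modelled as a dependency graph: each account lists its recovery methods, and the audit asks which single factor is enough to reach a critical asset. The following is an added example, not ANN's own tooling; the account names, factor names and the hardened inventory are constructed assumptions.

```python
def takeover_set(accounts, compromised):
    """Fixed-point expansion: an account falls once every factor of any one
    of its recovery methods is already held by the attacker."""
    held, via = set(compromised), {}
    changed = True
    while changed:
        changed = False
        for name, methods in accounts.items():
            if name in held:
                continue
            for needed in methods:
                if needed <= held:           # all factors of this method are held
                    held.add(name)
                    via[name] = sorted(needed)
                    changed = True
                    break
    return via

def single_factor_risks(accounts, critical):
    """Map each base factor to the critical accounts it alone can reach."""
    factors = {f for methods in accounts.values() for m in methods for f in m}
    factors -= set(accounts)                 # keep base factors, drop account names
    risks = {}
    for f in sorted(factors):
        hit = sorted(set(takeover_set(accounts, {f})) & set(critical))
        if hit:
            risks[f] = hit
    return risks

# Constructed inventory mirroring the chain in the post (before the changes).
BEFORE = {
    "email":     [{"sms:mobile"}],           # SMS-based account recovery
    "registrar": [{"email"}],                # password retrieval by e-mail
    "twitter":   [{"sms:mobile"}],
    "domain":    [{"registrar"}],            # transfer needs only the registrar login
}
# Hypothetical hardened inventory: no SMS recovery, offline confirmation for transfers.
AFTER = {
    "email":     [{"hardware-key"}, {"backup-codes"}],
    "registrar": [{"email", "hardware-key"}],
    "twitter":   [{"email", "totp-app"}],
    "domain":    [{"registrar", "offline-confirmation"}],
}

if __name__ == "__main__":
    for label, inventory in (("before", BEFORE), ("after", AFTER)):
        print(label, single_factor_risks(inventory, ["domain", "twitter"]))
```

In the hardened inventory a stolen hardware key still reaches the registrar login, but the domain itself stays out of reach because the transfer also needs the offline confirmation.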
It's not the first time ANN has been hacked, and it probably won't be the last time. We're an online company and while we will continue to do our best to secure everything we can, someone is certainly going to discover and exploit weaknesses in the future. Every time it happens, we take steps to make sure that the same thing can't happen again, and that we can recover from it better. Hopefully no one will ever manage to pull off something of this scale again.
So here's the TL;DR version:
- ANN was “hacked” on August 7th;
- Hack was likely achieved by social engineering;
- Hackers were able to transfer our domain to a HK registrar notorious for domain theft;
- E-mails sent to addresses @ AnimeNewsNetwork.com after the hack may be read by the hackers;
- Hackers were able to take temporary control of our @Anime twitter account;
- Our servers were not compromised;
- User accounts, passwords, e-mail addresses, etc. were not compromised;
- Cell phones aren't perfect 2-Factor security.
One last thing I would like to say is, “Thank you.” Through this, we've been incredibly lucky to have the support, and indeed love of our readers and industry partners. It's actually been really amazing to see just how supportive everyone has been. Thank you.
— Christopher Macdonald, CEO of Anime News Network
this article has been modified since it was originally posted; see change history