
New Password Reset Policy to Enhance Account Security

Simone Carletti

At DNSimple, your account and domain security have always been among our top priorities. We continuously review and align our policies with industry best practices to ensure robust protection, and we take decisive action to address any emerging threats.

We've recently noticed an uptick in fraudulent activities, including account takeovers by malicious actors. This is typically the result of passwords that were reused and compromised by services outside of DNSimple, so we've implemented some important changes to mitigate risks and further protect your account.

Let's go over these changes, along with some best practices for securing your account and user credentials.

Explaining the fraudulent activities

In the recent fraudulent activities we encountered, attackers gained control of compromised accounts and quickly changed the login credentials to lock out the rightful owners. They then used the stored payment methods to fraudulently purchase domains or other products.

DNSimple's investigation revealed these attacks stemmed from compromised credentials. In most cases, the email and password had been exposed in data breaches on other websites not connected with DNSimple. These credentials were reused across multiple services, and none of the compromised accounts had multi-factor authentication (MFA) enabled, leaving them vulnerable.

The team helped affected customers regain access and successfully stopped the fraudulent activities, often through manual intervention. The issues have been resolved, and our new password requirements will further help keep customers' information secure and prevent future attacks.

Best practices for account security

To mitigate these risks, DNSimple introduced a new policy: users without MFA enabled must update their password every three months. Users with MFA enabled will not be affected by this requirement.

We also recommend following best practices to secure your accounts. A detailed guide is available in this support article. Here's a summary:

Best practices for credentials

Strong credential management is the foundation of account security. Follow these essential rules to protect your accounts, including your DNSimple user profile:

  • Avoid credential reuse: Use unique passwords for every service. Credential reuse is a major risk; if one account is compromised, others with the same credentials become vulnerable.
  • Don't share credentials: Ensure every user has their own account credentials to maintain accountability and security.
  • Use a password manager: A dedicated password manager (not your browser) can generate, store, and manage secure passwords for all your online and offline accounts.
  • Create strong passwords: Use a mix of letters, numbers, and symbols. You'll find helpful tips in our password recommendations.
  • Rotate passwords regularly: Strong passwords combined with MFA give the best protection, but it's still good practice to periodically update your passwords, especially if:
    • Your credentials have been exposed.
    • Your organization updates its password policies.
    • You notice unusual activity on your accounts. DNSimple has an audit log of account activities that you can monitor to detect unauthorized activity.
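The takeover pattern described earlier (credentials changed, then a purchase shortly afterwards on an account without MFA) is something you can look for in an audit trail. The following is an added example, not DNSimple's code, and the audit-log format it parses is a constructed one for illustration:

```python
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical format, not DNSimple's):
# "timestamp,account,action,mfa_enabled", one event per line.
SAMPLE_AUDIT_LOG = """\
2024-05-01T09:00:00,acct-1001,login,false
2024-05-01T09:02:10,acct-1001,email_change,false
2024-05-01T09:02:45,acct-1001,password_change,false
2024-05-01T09:10:30,acct-1001,domain_purchase,false
2024-05-01T10:00:00,acct-2002,login,true
2024-05-01T10:05:00,acct-2002,password_change,true
2024-05-02T11:00:00,acct-2002,domain_purchase,true
2024-05-01T12:00:00,acct-3003,password_change,false
2024-05-03T12:00:00,acct-3003,domain_purchase,false
"""

CREDENTIAL_CHANGES = {"email_change", "password_change"}
PURCHASES = {"domain_purchase"}

def parse_events(text):
    """Turn the CSV-like lines into (timestamp, account, action, mfa) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, account, action, mfa = line.split(",")
        events.append((datetime.fromisoformat(ts), account, action, mfa == "true"))
    return sorted(events)

def find_takeover_candidates(text, window=timedelta(hours=1)):
    """Flag accounts where a credential change is followed by a purchase
    within `window`. Matches on accounts without MFA are the higher-risk ones,
    since that is the profile of the compromised accounts in the incident."""
    last_change = {}   # account -> timestamp of most recent credential change
    flagged = {}
    for ts, account, action, mfa in parse_events(text):
        if action in CREDENTIAL_CHANGES:
            last_change[account] = ts
        elif action in PURCHASES and account in last_change:
            gap = ts - last_change[account]
            if gap <= window:
                flagged[account] = {
                    "minutes_after_change": gap.total_seconds() / 60,
                    "mfa_enabled": mfa,
                }
    return flagged
```

Only acct-1001 matches: a password change followed by a purchase a few minutes later with MFA off; the other two accounts have a purchase far outside the window.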

Finally, monitor your credentials for potential exposure:

  • Check for breaches: Use services to check if your email or credentials have been part of a breach. If they have, take immediate action. We recommend Have I Been Pwned.
  • Set up breach notifications: Subscribe to alerts from Have I Been Pwned or similar services to stay informed about new breaches.
  • Leverage password monitoring tools: Many password managers, like 1Password Watchtower and Proton Pass Monitor, offer breach monitoring and alerts.
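Have I Been Pwned's Pwned Passwords service lets you check a password against known breach data without sending the password itself: the client sends only the first five hex characters of its SHA-1 hash and matches the returned suffixes locally. This added example (not DNSimple's or HIBP's code) implements that check; the live endpoint URL is the real one, and the sample response body is constructed so the logic runs offline:

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords range endpoint

def split_sha1(password):
    """SHA-1 the password and split it into the 5-char prefix sent to the API
    and the 35-char suffix that stays on the client (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(range_body, suffix):
    """Parse a range response ("SUFFIX:COUNT" per line) and return how often
    the full hash appeared in known breaches, or 0 if it is absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def fetch_range(prefix):
    """Live lookup: only the 5-char hash prefix leaves the machine."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def check_password(password, fetch=fetch_range):
    """Return the breach count for `password`; `fetch` is injectable for offline use."""
    prefix, suffix = split_sha1(password)
    return count_in_range(fetch(prefix), suffix)

# Constructed sample response for offline use (hypothetical counts): the
# suffix for "password123" plus filler entries, in the format the API returns.
_PREFIX, _SUFFIX = split_sha1("password123")
SAMPLE_RANGE_BODY = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    f"{_SUFFIX}:123456",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
])
```

A non-zero count means the exact password is in breach corpora and should be replaced, regardless of how strong it looks.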

Conclusion

DNSimple's new password rotation requirements have already had a positive impact on security. They've also raised awareness of best practices and helped many customers further secure their accounts. We encourage all customers to follow these best practices and to always monitor account activity. If you ever notice any suspicious activity in your account, contact our support team immediately.

To learn more about the features DNSimple provides to protect and secure your domains, check out this post.

If you have any questions about your account security or password management, just get in touch. We'll be happy to help.

Looking for reliable, heavily redundant anycast DNS with robust security features? Give us a try free for 30 days, and experience DNSimple's best-in-class DNS and domain management.
