suffers breach, credit card data accessed, encryption in place (phew!)

“Dear John” used to be a euphemism for the letter that an ex-girlfriend wrote to break off a relationship.

It was the sort of letter no-one really wanted to get, but such is the way of the world that many young men ended up receiving one anyway.

The modern version of a “Dear John” – the email everyone hopes to avoid but which many have experienced – comes not from your erstwhile Significant Other, but typically from your ISP, or a social network, or some other online company.

The “Dear Johns” of 2013 usually contain something like this:

Dear %CUSTOMER%, We recently discovered a security we have %ACTION% your account. You will need to %RESPONSE% next time you log in. We are sorry. Your security is %ADJECTIVE% to us. At least, it is now.

Indeed, we’ve written about a number of high-profile breaches recently, for example at online coupon site LivingSocial, and search-result tweakers

Now it’s the turn of domain registrar and web hosting company, part of the Demand Media group, to suffer a breach.

A Naked Security reader kindly sent in the “Dear Johnette” email she received from; the good news is that sounds a bit more upbeat, apparently with some justification, than many similar emails from other companies in similar straits:

We are writing to inform you of a security measure we have taken to protect the integrity of the domain names and information associated with your account. recently discovered a security breach where customer account information including usernames, email addresses, and encrypted passwords and encrypted credit card account information may have been accessed by unauthorized individuals. It appears that the security breach was motivated by an attempt to gain information on a single, large commercial account at

In particular, seems to be offering some reassurance that much of the Personally Identifiable Information (PII) stolen was exfiltrated in encrypted form: stores your credit card information using strong encryption and the private keys required to access that information are stored physically in a separate remote location that was not compromised. Therefore, we don't believe that your credit card information was accessed in a usable format. Additionally, your EPP codes (required for domain transfers) were unaffected as they are also stored separately. We have no evidence to suggest that your data has been used for fraudulent activities.

Like LivingSocial after its recent hack, is also offering this excellent generic advice:

If you use your previous password in other online systems, we also strongly recommend that you change your password in each of those systems as well.

Amen to that, but remember: don’t change shared passwords because of the breach. Change your habit of sharing passwords anyway, whether you use or not.

Here’s something could have left out, though:

Please click the link below to reset your password:

Aaargh! Did they really need to do that?

They’ve sent an email that is little different to the spams that many of us have received along the lines of “Your account {has expired, was locked, is over quota, may be investigated for piracy, has had US$100,000,000 of unclaimed lottery winnings deposited in it}, click HERE to validate.”

→ The fact that’s letter is grammatical and clearly written definitely sets it apart from many, if not most, of the phishing campaigns we have seen in recent years. But you can’t say a web link is good on that basis alone.

The problem with encouraging people to click email-borne links (which could have come from anywhere, or could point to anywhere) for anything relating to logging in or password reset is this: it softens them up to email links that end up at “enter your password” dialogs.

That plays into the hands of phishers, so please don’t do it.

Always encourage users to find their own way to your login page: that forces them to familiarise themselves with the usual sequence of pages, forms, and questions.

Lastly, if you are a web hoster or a cloud provider yourself, please remember that you don’t employ encryption as an alternative to keeping hackers out – you’re supposed to do both of them, as part of defence in depth.