Going to share a little update related to my security incident Monday. Going to keep it terse for now, because I still have work to do, to fully put my mind at ease, but a few things I wanted to get out there for others, and I now have secured danfinlay.com to a degree where I no longer feel threatened by some self righteous sysadmins.

The compromise was of my main danfinlay.com domain. It was a domain I'd had on the same registrar (asmallorange) since I'd first gotten it almost 20 years ago. It was a small shop, but I'd never had issues with them, so it felt very lindy. I didn't realize they sold to web.com, and I didn't realize how bad web.com security was.

co founder of @metamask . Making computers behave for us.

The domain was compromised at least a month ago, and I became aware of it because the attacker attempted (and failed) to takeover my twitter/X account (thanks 2FA!). Twitter locked down the account very well (I still don't have access, but neither does an attacker), but the DNS registrar was deceptive:

The registrar had requested many documents from me to restore the account to myself, and I provided them, and they were slow to reply. I should have nagged more, but I believed the account was at least no longer under attacker control. A month later, they conducted this FC attack, which promoted a meme coin which was used to defraud my followers of ~$150k after the rug.

At this point, the registrar requested EVEN MORE documents from me, and claimed they had stopped forwarding emails to the attacker (I later found this was also not the case). I drove around getting the docs they requested and regained control of the account on the same day (Monday), but due to issues within the registrar site, only was able to finally transfer the account to another registrar today, so I'm free of them now.

Some friends in the security community were able to freeze the attacker's stolen funds. I believe this does not mean they are recoverable, but it does mean the attacker will not profit from this attack, which is nice. Some readers of this were probably defrauded and will continue to assume the worst of me, and that sucks.

The domain that was taken over was used for many of my accounts, but none of my MetaMask related responsibilities, which were gapped to accounts that are controlled by different machines entirely, so MetaMask infrastructure was never at risk during this attack.

Anyways, I have a lot of accounts to comb through and ensure are secure now, and I won't feel perfectly happy until I've covered them all, but fortunately I have good records of this and can do a thorough pass.

By the way: Fuck DNS security. It's horrendous that one grumpy sysadmin can decide that they want to keep moving the goalpost and simultaneously give away control of your name and also deny it to you on arbitrary terms. I've been critical of DNS safety for years, and concerns around it are part of why we did not pursue a web wallet at MM years earlier (though we had working prototypes). Not your smart contract, not your terms?

Another thing: I've started to record whether sites I use allow "sign out other devices" or logs that would indicate whether other devices have gained access to an account. It's staggeringly rare. There are some security features that feel like basics but somehow are rarely part of a new app. Candidates for an ideal framework.

In a situation like this, what you really want is one place where you can rotate your keys which implicitly revokes all outstanding connections, but allows you to resume signing in as before. Happy to be building a contract account that makes that possible, and then I hope to normalize that around the web. gator.metamask.io

The registrar claimed they locked down the account, and no attacker had my domains/emails anymore, but they were wrong. They had left an email forwarder on their servers (not visible on public DNS records) to the attacker's address. That forward is how the attacker performed a password reset/login using the warpcast web interface.