DomainTools 101: The Art of Tracking Threat Actors
Blog Company Updates

Scripting attack on DomainTools accounts


Up to 500 valid DomainTools Account email addresses may have been confirmed to an individual actor exploiting a flaw in the DomainTools membership email update process. No passwords were accessed as part of this campaign, and at no time did the actor have access to DomainTools systems or network.


As a precautionary measure, we encourage DomainTools account holders to update their DomainTools password using the change password function in the Account Profile tab of their My Account page.

Potential Risks

  1. For any individual that would be damaged by external parties knowing that they hold a DomainTools account, there is the risk that these email addresses get dumped on a public or private site. We have not seen evidence of this yet but would appreciate being notified if anyone sees such activity in the wild.
  2. Because it appears the campaign was using an email list from one of the recent large-scale breaches (i.e. LinkedIn or Dropbox), and because these prior breaches leaked login/password combinations, it is possible the actor will attempt to log into some or all of the affected DomainTools accounts using the passwords sourced from these prior breaches. This is why we recommend DomainTools users change their passwords as a precautionary measure. For reference, these large scale data breaches can be researched at discovery sites such as Have I Been Pwned.
  3. The actor could conceivably send phishing emails to the affected email addresses in hopes of getting the user to compromise themselves on a fake DomainTools login page. DomainTools users should be extra vigilant in this regard. Please contact us if you receive an email that you believe to be a phishing attempt for your DomainTools credentials.


Starting Sunday morning, DomainTools experienced a high volume user email harvesting campaign which used a likely compromised account to exploit a flaw in our individual membership email update processes. This campaign resulted in the DomainTools website confirming the existence of a limited number of user email addresses in our membership system. We have strong evidence that the email list is limited to a few hundred of the over one million member accounts that have ever been created at DomainTools over the last 15 years. However, because at this time we cannot know with 100% certainty that we have identified every single affected email, we are taking the step of suggesting that all DomainTools members change their password as a precaution.

DomainTools patched the system in question on Sunday evening and also completed an initial cause and impact study. By Monday morning we had completed a more thorough incident investigation and designed a communication plan for our membership base. Those communications went out yesterday, with a follow on set this morning. Once we felt we had a thorough and accurate understanding of the situation, we wanted to give our users a chance to understand the incident and take whatever remediative action they deemed necessary. With the rapid uptake by Twitter and the press, we felt it timely to also publish this blog post to help clarify the issue for any affected parties.

We take the security and privacy of our user base very seriously. This event, while unfortunate, will serve as a great learning experience and has given us a chance to execute, review and improve our own incident response processes. If you haven’t read last week’s blog post on training, this is exactly why that matters.

Lastly, I would like to acknowledge the very many customers, partners and friends in the security industry who have reached out and offered their assistance in our ongoing investigation into this incident. If there is one positive out of this experience at DomainTools, it is a deeper appreciation for how the awesome people in our industry rally to the cause.

If we have further updates on this incident we will post them as soon as possible.