The theregister.co.uk, is reporting that the theft of 300 domains hosted by 123-Reg last year.
“What appears to be a glaringly obvious security hole has been blamed for the snatching…anyone with a hosting package from 123-Reg and hence an account control panel, simply had to change the final section of the URL manually (to, for example, /someoneelseswebsite.co.uk) to be able to gain access to another site’s emails, name servers and billing.”
“”With access to the admin panel, would-be domain thieves just had to change the contact details for UK registry Nominet to a new email address and then do a failed password request to have a new password sent to the new email address, locking the original owner out”.
Nominet said that its investigations into the issue revealed that “a total of 300 domains had been transferred over to a new registrant in the post-expiry period without the permission of the original registrant”.
“We [have] terminated our registrar agreement with one registrar,” the dot-UK registry said”