Reckless negligence
The more I think about this, the more horrified I feel about this. A business's domain, DNS and email are really, really critical to them.
Think about what you can do if you can mess with an organisation's DNS. You could set up an impostor website on their genuine domain to use in a phishing attack. You could alter their MX records and intercept all their inbound email. You could point their domain to any other website of your choice. You could proxy their website and intercept all communications to and from it.
Without any statement from 123-reg on this issue we only have this article for information, but if all three million domains they hosted were vulnerable to this, the potential for compromise of sensitive data here is staggeringly enormous.
They certainly have a duty to protect customers' domains and DNS as these are the keys which protect much confidential information. It also sounds like customers with 123-reg hosted email boxes were vulnerable. I'd say the Information Commissioner should be very interested in this case.
For such a fundamental, basic error to have gone unnoticed smacks of a company where security isn't even on the agenda. Had the developers had any security training, had there been any internal testing or external pen testing, this would surely have been picked up. So it seems reasonable to conclude none of this is going on. One might also presume then that they don't have the information to properly investigate this, to determine what other customers might have been affected.
Given how important control of domains is, to have such a lack of security amounts to reckless negligence.
There is no comment from 123-reg - they haven't informed customers, haven't replied to my email asking for assurance. They haven't even issued a statement saying the issues are resolved. They haven't warned customers to check that their DNS and MX records are correct.
I would say that Nominet and the other TLD registries are to an extent culpable here too. They should be setting out minimum levels of security for domain retailers which should at minimum include an independent penetration test of their systems and ideally ISO27001 certification.
I'm left wanting to move my domains away from 123, but being unsure if anyone else in the market is actually any better.
Very, very shabby.
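As an added example (not from the original post, and not 123-reg's code), here is the kind of defender-side check the comment asks for: it diffs a domain's critical records against a known-good baseline and flags the changes that would enable the mail interception or site redirection described above. The domain, record values and trusted-host list are constructed placeholders.

```python
"""Detect drift in a domain's critical DNS records against a known-good baseline."""
from dataclasses import dataclass

# Constructed sample data: a placeholder domain with invented record values.
DOMAIN = "example.com"
BASELINE = {
    "A": {"203.0.113.10"},
    "MX": {(10, "mail.example.com")},
    "NS": {"ns1.example-dns.net", "ns2.example-dns.net"},
}
# A later snapshot in which the web address has moved and a new, more
# preferred MX (lower number wins) points outside the organisation.
OBSERVED = {
    "A": {"198.51.100.7"},
    "MX": {(10, "mail.example.com"), (5, "mx.unexpected-host.invalid")},
    "NS": {"ns1.example-dns.net", "ns2.example-dns.net"},
}


@dataclass(frozen=True)
class Finding:
    record: str   # "A", "MX" or "NS"
    kind: str     # "added" or "removed"
    value: object # str for A/NS, (priority, host) tuple for MX


def compare_records(baseline: dict, observed: dict) -> list:
    """Return every record value that appeared or disappeared between snapshots."""
    findings = []
    for rtype in sorted(set(baseline) | set(observed)):
        expected, actual = set(baseline.get(rtype, ())), set(observed.get(rtype, ()))
        findings += [Finding(rtype, "added", v) for v in sorted(actual - expected)]
        findings += [Finding(rtype, "removed", v) for v in sorted(expected - actual)]
    return findings


def assess(findings: list, domain: str, trusted_mail_hosts=frozenset()) -> list:
    """Map additions to the risks they imply; removals alone are only noise."""
    alerts = []
    for f in findings:
        if f.kind != "added":
            continue
        if f.record == "MX":
            prio, host = f.value
            if not host.endswith("." + domain) and host not in trusted_mail_hosts:
                alerts.append(f"MX {host} (priority {prio}) outside {domain}: inbound mail may be rerouted")
        elif f.record == "A":
            alerts.append(f"A record now {f.value}: web traffic may be redirected or proxied")
        elif f.record == "NS":
            alerts.append(f"NS {f.value} added: control of the zone may have moved")
    return alerts


def run_check() -> list:
    return assess(compare_records(BASELINE, OBSERVED), DOMAIN)


if __name__ == "__main__":
    for alert in run_check():
        print("ALERT:", alert)
```

In practice the observed snapshot would come from an authoritative resolver query run on a schedule, with the baseline kept somewhere the registrar cannot alter.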