On January 12 this year, China’s leading search engine Baidu was hacked and showed the message “This site has been hacked by the Iranian Cyber Army”. Nobody knew what had happened, but domainnamewire.com has now published the complaint documents (pdf) of a case in which Baidu is suing register.com over the hack.
It turns out that register.com made some major mistakes that led to this hack. An unauthorized person claiming to be an agent of Baidu started an online chat with tech support at register.com and asked to change the email address on file for communication with Baidu. The representative of register.com then sent the imposter a security code that he had to provide. Because he of course had no access to the Baidu account, he provided an incorrect code, but the register.com representative did not compare it to the one that had been sent out.
Then the email address was changed from an official baidu.com address to an address that clearly does not belong to Baidu: firstname.lastname@example.org. Note that wahabi is the name of a Muslim sect, and that gmail is of course owned by Baidu-competitor Google. From then on it was easy, because with this address the password could be reset and the DNS could be changed.
Shortly after that, Baidu contacted register.com through an online chat, but register.com refused to help them! Baidu tried to call register.com but was not able to reach anybody. It took a full 2 hours after Baidu first tried to contact them before register.com started to take action to help Baidu!
An amazing story, because it shows that ignorant, irresponsible people are always the weakest link. Baidu lost millions of dollars because of the outage (which lasted up to 2 days), and this was not particularly good for its reputation either, even though it was clearly not their fault. However, Baidu is not completely without fault, because it should have taken more precautions to prevent this. There are more secure ways to prevent people from taking control of your domain name. Baidu did not specify how much money it wants as compensation, but if the details are correct this might cost register.com a lot of money.
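The two checks that were skipped in the support chat described above (comparing the supplied code with the issued one, and questioning a contact address that leaves the customer's own domain) can be enforced by the system instead of left to the agent. The sketch below is an added example, not register.com's code or anything from the complaint; the class name, the time and attempt limits, and the assumption that the code is delivered only to the address on file are all hypothetical.

```python
import hmac
import secrets
import time

CODE_TTL = 600     # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 3   # tries allowed per issued code (assumed policy)


class ContactChangeGuard:
    """Hypothetical registrar-side gate for changing an account's contact email."""

    def __init__(self, email_on_file):
        self.email_on_file = email_on_file
        self._code = None
        self._expires = 0.0
        self._attempts = 0

    def issue_code(self, now=None):
        # Assumption: the mail layer delivers this only to the address on file,
        # never to whoever is asking in the chat.
        now = time.time() if now is None else now
        self._code = f"{secrets.randbelow(10**8):08d}"
        self._expires = now + CODE_TTL
        self._attempts = 0
        return self._code

    def request_change(self, new_email, supplied_code, now=None):
        now = time.time() if now is None else now
        if self._code is None or now > self._expires:
            return "denied: no valid code outstanding"
        if self._attempts >= MAX_ATTEMPTS:
            return "denied: too many attempts"
        self._attempts += 1
        # The comparison the agent skipped, done in constant time.
        if not hmac.compare_digest(supplied_code.encode(), self._code.encode()):
            return "denied: code mismatch"
        self._code = None  # single use
        old_domain = self.email_on_file.rsplit("@", 1)[-1].lower()
        new_domain = new_email.rsplit("@", 1)[-1].lower()
        if new_domain != old_domain:
            # Leaving the customer's own domain needs a second, out-of-band check.
            return "held: domain change requires out-of-band confirmation"
        self.email_on_file = new_email
        return "changed"
```

With a gate like this, a wrong code never reaches the point where the address is updated, and even a correct code cannot by itself move the contact to an unrelated mail provider.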
For all the details of what happened see the complaint that Baidu filed here: http://domainnamewire.com/wp-content/baidu.pdf