Phishing emails directed at Zoneedit customers

Mark Jeftovic (#fb)

Staff member
This alert affected both Zoneedit and easyDNS members:

Be on the lookout for a phishing email a la:

From: "Easy DNS" <>
Reply-To: mark***
Subject: , Your account was hacked!


Your account was

To change your password,
please click

The link goes to hxxp://, where EMAIL is the email address the message was delivered to.​

(Update) How it happened
Some of you may have received the spearphish to a canary address you used for Zoneedit. To be clear, there has been no compromise of the Zoneedit database or customer portal.

We had a self-hosted version of a third-party email delivery CRM (Interspire) on a stand-alone VM outside of our VPN and completely segmented from our production DB and customer platform.

That CRM suffered an unauthorized access and it still had some old easyDNS (and Zoneedit) email lists. We used this to email Zoneedit customers when we acquired them last year, so it was configured to relay out via ( This is what they used it to send the phish.

If you received this phish to a canary email address, we're sorry to tell you that canary has now been burned and you'll have to reset a new one. The good news is that CRM instance has no visibility into the customer facing database (we used to have to manually dump lists and import them into the CRM. Sometimes PITAs pay off).

That VM has been terminated and we were already in process of shifting both easyDNS and Zoneedit communications CRM into another system.

We will be even more vigilant about compartmentalizing data used in communications and not leaving stale lists hanging around.

We sincerely apologize for any alarm and/or confusion this may have caused.