
Here is an excerpt from the email I received from them:

"Name.com recently discovered a security breach where customer account information including usernames, email addresses, and encrypted passwords and encrypted credit card account information may have been accessed by unauthorized individuals. It appears that the security breach was motivated by an attempt to gain information on a single, large commercial account at Name.com.

Name.com stores your credit card information using strong encryption and the private keys required to access that information are stored physically in a separate remote location that was not compromised. Therefore, we don't believe that your credit card information was accessed in a usable format. Additionally, your EPP codes (required for domain transfers) were unaffected as they are also stored separately. We have no evidence to suggest that your data has been used for fraudulent activities.

As a response to these developments, and as a precautionary measure, we are requiring that all customers reset their passwords before logging in. If you use your previous Name.com password in other online systems, we also strongly recommend that you change your password in each of those systems as well."

Based on their suggestion to change your passwords on other online services using the same password, one could assume that there is a good chance they could be decrypted. On the other hand, they could just be overly cautious. In any case, I agree it would be nice if they could divulge more information on the encryption strategies in use.



Passwords aren't (usually) encrypted, they're hashed. Hashing buys you time, nothing more; if an attacker has a copy of your hash you should treat your password as compromised.

Nothing to see here.


Hashed was indeed what I meant. I tend to use the words interchangeably, in error. What I meant to say is the strategies in use can vary quite a bit. Are they using a salt and/or a pepper? Are they using bcrypt or the like? Based on those answers one can usually guess if it's feasible to break those in a reasonable amount of time.


Sorry, reading that again I sound like a dick. I know it's a common error and I didn't mean to nitpick.

I only mention it because there's an important difference in that with hashing, it doesn't really matter as much what the strategy is, since a bad password is a bad password. Better hashing only means a lower percentage of your intermediately-secure passwords are compromised right away. Since they (should) have no way of knowing which passwords are secure, they have to treat them all as compromised even if they were storing them "right".
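The point made in the comment above, as an added example that is not part of the thread or anything Name.com has published: a wordlist audit flags the same weak passwords whether the store uses a fast unsalted hash or a salted, iterated KDF, and only the cost per guess and the visibility of reused passwords change. PBKDF2 from the Python standard library stands in for bcrypt here; the users, passwords, wordlist and iteration count are constructed assumptions.

```python
import hashlib, hmac, os, time

ITERATIONS = 100_000  # assumed work factor, chosen for this example
# Constructed sample data: two users share a weak password, one has a strong one.
USERS = {"alice": "password1", "bob": "password1", "carol": "v9#Lq2!xTz-48rWm"}
WORDLIST = ["123456", "password1", "letmein"]  # constructed audit wordlist

def fast_record(password):
    """Unsalted single-round SHA-256: cheap to compute, identical for equal passwords."""
    return hashlib.sha256(password.encode()).digest()

def slow_record(password, salt=None):
    """Per-user random salt plus an iterated KDF (PBKDF2 standing in for bcrypt)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_fast(password, record):
    return hmac.compare_digest(fast_record(password), record)

def verify_slow(password, record):
    salt, derived = record
    return hmac.compare_digest(slow_record(password, salt)[1], derived)

def audit(records, verify):
    """Names of users whose stored record matches any wordlist entry."""
    return sorted(u for u, r in records.items() if any(verify(w, r) for w in WORDLIST))

def seconds_per_guess(verify, record):
    """Wall-clock cost of checking one candidate against one stored record."""
    start = time.perf_counter()
    verify("not-the-password", record)
    return time.perf_counter() - start

FAST = {u: fast_record(p) for u, p in USERS.items()}
SLOW = {u: slow_record(p) for u, p in USERS.items()}

if __name__ == "__main__":
    print("weak under fast hash:", audit(FAST, verify_fast))
    print("weak under slow hash:", audit(SLOW, verify_slow))
    print("reuse visible (fast):", FAST["alice"] == FAST["bob"])
    print("reuse visible (slow):", SLOW["alice"][1] == SLOW["bob"][1])
    print("slow s/guess: %.4f" % seconds_per_guess(verify_slow, SLOW["carol"]))
    print("fast s/guess: %.6f" % seconds_per_guess(verify_fast, FAST["carol"]))
```

Because the operator cannot tell from the stored records which users resemble carol and which resemble alice, a forced reset for every account follows from either storage scheme.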


> Name.com recently discovered

LOL

After the hackers clued them in!


Or after the hackers leaked the info and they couldn't cover it up anymore.

Why else would they release this on a Friday?



