Matthew Prince, writing on the CloudFlare blog:
You purchase and manage domains through organizations known as registrars. NYTimes.com is managed by a registrar known as MelbourneIT. MelbourneIT has traditionally been known as one of the more secure registrars. In addition to the New York Times, they are also used by large web organizations including Twitter and the Huffington Post. […]
An email that MelbourneIT just sent to all its customers appears to indicate that the hackers somehow used a reseller account as part of the hack. While we are only speculating at this point, it’s possible that there was a security vulnerability in the reseller interface that allowed a privilege escalation to take over control of other MelbourneIT customers.
It’s spooky just how simple this attack apparently was. Every so often, I have to help move a client’s website or mess around with their registrar; occasionally, they have lost their domain registration details. It’s crazy what I can do simply by contacting customer support for their registrar. I wouldn’t be surprised if this were an error of the more human than technical nature.
(Also, this is yet another example of why it’s bad to put all your trust in one company.)