# Sep 24: Incident - attempted domain account takeover

On September 24, ether.fi experienced a security incident involving their domain registrar, Gandi.net.

**Summary of the incident:**

* The team received a recovery notification from Gandi via email at 16:38 UTC
* Upon verifying SPF, DKIM and DMARC authentication records for the email, it was established that an attacker had attempted to use the legitimate Gandi recovery flow to gain access to ether.fi’s Gandi account
* Gandi was contacted on multiple platforms. At approximately 19:30 UTC it was confirmed that ether.fi’s account had been successfully locked to prevent further tampering and the nameserver config restored. A comprehensive analysis of external and internal systems is in progress, and as of now no traces of an internal breach have been observed.
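
The SPF, DKIM and DMARC check mentioned above can be scripted against the `Authentication-Results` header that the receiving mail server adds. The following is an added example, not ether.fi's or Gandi's tooling; the sample message, the receiver name `mx.example.org` and the sender addresses are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; header values are illustrative assumptions,
# not taken from the actual incident email.
SAMPLE = """\
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=bounce.gandi.net;
 dkim=pass header.d=gandi.net header.s=sel1;
 dmarc=pass header.from=gandi.net
From: Gandi <support@gandi.net>
To: ops@example.org
Subject: Account recovery request

(body omitted)
"""

def auth_verdict(raw, trusted_mx, expected_domain):
    """Return 'authentic' only if our own receiver recorded dmarc=pass
    for a From: domain equal to the expected registrar domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        if authserv.strip().lower() != trusted_mx:
            continue  # not stamped by our receiver, so it may be forged
        for clause in rest.split(";"):
            m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)(.*)", clause, re.S)
            if m:
                props = dict(re.findall(r"([\w.]+)=([^\s;]+)", m.group(3)))
                results[m.group(1)] = (m.group(2).lower(), props)
    dmarc, props = results.get("dmarc", ("none", {}))
    aligned = (from_domain == expected_domain
               and props.get("header.from", "").lower() == expected_domain)
    # 'authentic' means the mail really came from the registrar, i.e. someone
    # triggered the real recovery flow; it does not mean the request is benign.
    return "authentic" if dmarc == "pass" and aligned else "unverified"

if __name__ == "__main__":
    print(auth_verdict(SAMPLE, "mx.example.org", "gandi.net"))
```

An "authentic" verdict on a recovery notice nobody on the team requested is the signal to contact the registrar, since it rules out phishing and points to abuse of the real flow.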

**Prevention steps taken:**

* In the weeks prior, an increase in exploitation of similar attack vectors had been observed with other protocols. We preemptively upgraded our key platforms to require hardware authentication
* Gandi’s monitoring systems and process, while aggressive, locked down the domain account and prevented any access to our systems, and kept our websites, apps and emails safe from the attempted attack

More details of the incident will be shared as they become available in collaboration with Gandi's team over the next two days. Thank you to the [Seal911 team](https://github.com/security-alliance/seal-911), [Doppel](https://doppel.com/), [Ethena](https://ethena.fi/) and our security partner [Distrust](https://distrust.co/), teams that instantly responded and provided assistance as we navigated the dangerous waters today.

We’re glad to report that all funds are safe, and no opportunity was given to the attackers to present a compromised dapp on any ether.fi related domain.
