
DataTables CDN Outage – post incident review


Outage - post incident review

By Allan Jardine

On 29th July 2025, the DataTables.net site had a major outage as a result of an attack. This took out the main site with its examples and documentation, the support forum, and the sub-domains, including, most importantly, the DataTables CDN.

Digging into such an event, when something has gone so wrong, is not a fun thing to do, but it is important for me to do so I can learn what I can do better in future, for you so you can understand what happened and the challenges faced, and for the community so we can try to stop this sort of thing happening in future.

Domain hijacking

Any website has a large surface which needs to be protected against hacking attempts - the application software, the HTTP server, the actual server the site resides on, DNS, and of course, the domain registration itself. The attack yesterday targeted the domain name: the attacker managed to move the domain out of the account I have with the domain registrar I use and into another account controlled by the attacker, at which point they were able to change the name servers, pointing the domain at a different server.

To be clear, any account information you have on DataTables.net is safe - the server was never breached. The content on the DataTables server is safe. The DataTables source code is safe. Services are now all normal, but this was a major disruption for the site and anyone using its services, with some caching issues persisting at the time of writing.

So how did the attacker manage to execute this domain takeover? Around mid-June, I started receiving an extraordinary amount of email to one of my old email addresses. It was sign-ups for just about every list imaginable - three per minute, which went on continuously. I created a filter and assigned everything from that email address to a folder.

The attacker's next step was to create an account with the same registrar datatables.net is registered with and request a transfer of the domain to their account. They used an email address intentionally crafted to look like it could be mine and submitted a fake driver's license and utility bill with information that could only have been from leaked WHOIS data. The registrar accepted this as proof of identity and started the transfer process. That included sending an email to me to confirm the transfer, an email which I never saw due to the flood of emails (which it is now easy to say was the start of the attack).

At the end of a five-day period with no reply from me about the transfer, the registrar defaulted to accepting the transfer and the domain was moved to a different account. At no point were any of my accounts or email compromised - the attacker managed to socially engineer the registrar into making the transfer.
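A mail-triage check for the failure described above, where the registrar's transfer confirmation was buried in a sign-up flood. This is an added example, not code from the article or from DataTables; the registrar domain `registrar.example`, the address `old@example.org` and the sample messages are constructed assumptions.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumptions: the registrar's sending domain (hypothetical) and the flood threshold.
CRITICAL_DOMAINS = {"registrar.example"}
FLOOD_PER_MINUTE = 3  # the article reports roughly three sign-up mails per minute

def _minute(msg):
    """Arrival time truncated to the minute, used as the rate bucket."""
    return parsedate_to_datetime(msg["Date"]).replace(second=0, microsecond=0)

def _domain(msg):
    # The From header is spoofable: this is a routing hint, not authentication.
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def triage(raw_messages, flooded_address):
    """Surface critical-sender mail for one address before any bulk folder rule,
    and mark whether it arrived inside a flood minute."""
    msgs = [message_from_string(r) for r in raw_messages]
    msgs = [m for m in msgs
            if parseaddr(m.get("To", ""))[1].lower() == flooded_address]
    per_minute = Counter(_minute(m) for m in msgs)
    flood_minutes = {t for t, n in per_minute.items() if n >= FLOOD_PER_MINUTE}
    return [{"from": m["From"], "subject": m["Subject"],
             "during_flood": _minute(m) in flood_minutes}
            for m in msgs if _domain(m) in CRITICAL_DOMAINS]

def _mail(sender, subject, date):
    return (f"From: {sender}\nTo: old@example.org\n"
            f"Date: {date}\nSubject: {subject}\n\nbody\n")

# Constructed sample mailbox: a sign-up burst with one registrar notice inside it,
# plus one registrar mail from a quiet day.
SAMPLE = [
    _mail("news@list-a.example", "Confirm your subscription", "Mon, 16 Jun 2025 10:00:05 +0000"),
    _mail("hello@list-b.example", "Welcome to our newsletter", "Mon, 16 Jun 2025 10:00:21 +0000"),
    _mail("noreply@registrar.example", "Confirm domain transfer", "Mon, 16 Jun 2025 10:00:40 +0000"),
    _mail("info@list-c.example", "Please verify your email", "Mon, 16 Jun 2025 10:00:55 +0000"),
    _mail("noreply@registrar.example", "Your invoice", "Tue, 03 Jun 2025 09:00:00 +0000"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE, "old@example.org"):
        print(hit)
```

A hit with `during_flood` set is the case to escalate: a registrar notice arriving while the address is being bombed is exactly the message a catch-all folder rule would hide.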
