Regional Internet Registry Spills WHOIS Database

Regional internet registry APNIC has suffered an embarrassing privacy incident after being alerted by a third party that it accidentally leaked details from its WHOIS database, including hashed passwords.

On October 12, Chris Barcellos from eBay’s Red Team reported to the APAC regional registry that the downloadable data was being republished on a third-party website.

That data included passwords for Maintainer and IRT objects: the former governs who can make changes to domain records while the latter contains contact info on admins responsible for receiving reports of network abuse activities.

Although passwords were hashed, APNIC admitted that there was a “possibility” that hackers with the right tools could crack the credentials.

“If that occurred, whois data could potentially be corrupted or falsified for misuse. Our investigations to date have found no evidence of this occurring,” the registry said.

“It is important to note, however, that any public misrepresentation of registry contents on whois would not result in a permanent transfer of IP resources, as the authoritative registry data is held internally by APNIC.”

As a precaution, the registry reset all Maintainer and IRT passwords.

“APNIC is continuing to analyse its logs to search for any signs of misuse as a result of this error. So far, we have found no evidence of irregularities. However, we would recommend that resource holders check the WHOIS details of their holdings to make sure that all is correct,” it added.

The incident is more of an embarrassment to APNIC than a serious risk this time around. But considering it came from a technical error which was not picked up, question marks will be raised about its internal security processes.

However, there could be a minor risk to any admins who reused passwords across multiple accounts.

“The … risk is the same with any other password breach, and the go-forward remediation is always the same – don't use the same password for multiple logins,” advised Bruce Roberts, CTO of DNS security company DomainTools.
