APNIC, the Regional Internet Address Registry, has admitted that a technical error in June landed hashed passwords of Maintainer and IRT objects in the hands of third parties.
APNIC admitted that the hashed passwords for Maintainer and IRT objects could be cracked by a malicious actor with the right tools.
APNIC, the Asia-Pacific Network Information Centre, was made aware of the data breach earlier this month by Chris Barcellos from eBay’s Red Team, who noticed that information from APNIC’s WHOIS database was being republished on a third-party website. That WHOIS data contained hashed authentication details for APNIC WHOIS Maintainer and IRT objects.
The registry has subsequently reset all passwords for Maintainer and IRT objects that were leaked following a technical error during the upgrade of the WHOIS database in June.
‘APNIC apologises for any inconvenience and concern that this error has caused. There are certainly lessons for APNIC after this error and we have now begun a post-incident review to determine how our processes failed and where we can improve to ensure this doesn’t happen again,’ it said.
All objects in the WHOIS database are protected by the Maintainer object, so anyone who can access a Maintainer object can make changes to other objects as well. The Incident Response Team (IRT) object contains contact information for an organization’s administrators responsible for receiving reports of network abuse activities. The security of both objects is therefore critical to the registry’s activities.
APNIC admitted that, had the hashed passwords been cracked, the entire WHOIS database could have been corrupted or falsified for misuse. However, the breach occurred in June, and there is no confirmation whether any malicious actor was actually able to crack the hashed passwords.
To ensure such breaches do not occur in the future, the registry said it will not include hashes in future WHOIS data downloads.
‘APNIC is continuing to analyse its logs to search for any signs of misuse as a result of this error. So far, we have found no evidence of irregularities. However, we would recommend that resource holders check the whois details of their holdings to make sure that all is correct,’ the registry said.