
domains APNIC Whois data incident resolved


Lox

... APNIC’s WHOIS SQL database containing hashes of administrator passwords was publicly accessible for three months.

APNIC resolved an information security incident today and I wanted to share the details here with the community in the interest of transparency.

While staff were performing maintenance work on APNIC’s RDAP service, a ‘dump’ file of the whois SQL database was copied to a Google Cloud storage ‘bucket’ that was believed to be private. However, a configuration error meant this bucket was actually publicly visible for a period of three months.

The file contained hashed authentication details for APNIC whois maintainer and IRT objects, and also included some private whois objects that are not visible on APNIC’s regular public whois service.

APNIC was alerted to the problem on 4 June by an independent security researcher. Upon confirming the problem, APNIC rectified the configuration error and removed the copy of the database.

It is not known if the data was accessed, as complete log files are not available; however, initial investigations reveal no sign of suspicious update activity.

As a precaution, APNIC worked with resource holders to reset all maintainer and IRT passwords from 15 June and completed the process today. No further action is required by APNIC resource holders.

APNIC apologises for any inconvenience and concern that this incident has caused. It is clear that on this occasion APNIC has not met the information security expectations of the Members and community, nor the high standards it sets for itself.

Why were there private objects in the whois data file?

Until October 2017, when new private objects were created in the APNIC Whois Database a copy of the object would be included in audit logs. New functionality implemented in October 2017 ended this practice and as such, the private objects were only current to October 2017.

The dump file of the whois database in this incident included these audit logs.

The data contained in the private objects varies, as there were comments added by resource holders in the ‘descr’ and ‘remarks’ attributes. The review of this data has found that it predominantly consists of corporate contact details.

read more (apnic)
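The configuration error described in the notice, a bucket believed private but readable by anyone, can be caught by auditing a bucket's IAM policy and legacy ACLs for the `allUsers` and `allAuthenticatedUsers` principals. The following is an added example, not part of the original post or APNIC's tooling; it assumes the bucket resource and IAM policy have been exported as JSON in the Cloud Storage JSON API shape, and the bucket, project and account names are hypothetical. The notice does not say whether the exposure came through IAM or an ACL, so both are checked.

```python
import json

PUBLIC = {"allUsers", "allAuthenticatedUsers"}  # principals that mean "anyone"

# Constructed sample input; bucket, project and account names are hypothetical.
BUCKET = json.loads("""{
  "name": "example-whois-maintenance",
  "iamConfiguration": {"publicAccessPrevention": "inherited",
                       "uniformBucketLevelAccess": {"enabled": false}},
  "acl": [{"entity": "project-owners-123456", "role": "OWNER"}],
  "defaultObjectAcl": [{"entity": "allUsers", "role": "READER"}]
}""")
POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:maint@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]}
  ]
}""")


def audit_bucket(bucket, policy):
    """Return (source, principal, role) for every grant open to anyone."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in sorted(PUBLIC & set(binding.get("members", []))):
            findings.append(("iam", member, binding.get("role", "")))
    cfg = bucket.get("iamConfiguration", {})
    if cfg.get("uniformBucketLevelAccess", {}).get("enabled"):
        return findings  # ACLs are disabled; only IAM grants apply
    # Legacy ACLs can expose data even when the IAM policy looks clean.
    for field in ("acl", "defaultObjectAcl"):
        for entry in bucket.get(field, []):
            if entry.get("entity") in PUBLIC:
                findings.append((field, entry["entity"], entry.get("role", "")))
    return findings


def prevention_enforced(bucket):
    """True only when the bucket itself enforces public access prevention;
    "inherited" defers to whatever the organisation policy says."""
    cfg = bucket.get("iamConfiguration", {})
    return cfg.get("publicAccessPrevention") == "enforced"


if __name__ == "__main__":
    for source, who, role in audit_bucket(BUCKET, POLICY):
        print(f"{BUCKET['name']}: {who} has {role} via {source}")
    if not prevention_enforced(BUCKET):
        print(f"{BUCKET['name']}: public access prevention is not enforced")
```
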
 