The Asia Pacific Network Information Centre (APNIC), the internet registry for the region, has admitted it left at least a portion of its Whois SQL database, which contains sensitive information, facing the public internet for three months.
Its Deputy Director General Sanjaya revealed details of the configuration blunder late last week. He explained the error occurred when staff were performing maintenance work on APNIC’s Registration Data Access Protocol (RDAP) service, which, ironically, is set to replace Whois.
During that maintenance effort, a dump from APNIC’s Whois SQL database was copied to a Google Cloud storage bucket that Sanjaya said “was believed to be private”. It wasn’t, and APNIC only learned it was accessible to the public when an independent security researcher tipped it off to the problem on June 4. As Sanjaya put it, “a configuration error meant this bucket was actually publicly visible for a period of three months.”
“It is not known if the data was accessed, as complete log files are not available. However, initial investigations reveal no sign of suspicious update activity,” Sanjaya stated.
The Deputy DG said the file in the exposed bucket “contained hashed authentication details for APNIC whois maintainer and IRT objects, and also included some private whois objects that are not visible on APNIC’s regular public whois service”.
We’re told the hashed passwords are used to protect entries in APNIC’s Whois database so that only authorised people can make changes to records. And the IRT objects contain “contact information for an organization’s administrators responsible for receiving reports of network abuse activities”. As for the rest:
APNIC has reset passwords, advised all stakeholders whose data was at risk, apologised, and taken steps to prevent this sort of thing happening again. The organisation also pointed out that users with a MyAPNIC account have nothing to worry about, and don’t need to change their passwords, as the exposed data only concerned maintainers and a small group of other users.
Stakeholders can take some comfort from the fact that the private object data in the dump is only as recent as October 2017, and that APNIC can find no evidence that hashed passwords have been cracked and used to make mischief.
The organisation has also promised to detail the incident, and its aftermath, at its very own APNIC 52 conference in September. ®