APNIC resets passwords after whois credentials spill


Accidentally published hashed passwords.

APNIC, the regional internet registry for Australia, has been forced to reset all passwords for objects in its whois database after a technical error leaked hashed authentication credentials.

APNIC upgraded its whois database - which carries information about organisations and people who have been allocated internet-numbered networks, and who can alter the data published in it - in June this year. 

In the process, APNIC accidentally included hashed authentication details for the database's whois Maintainer and Incident Response Team (IRT) objects in the downloadable data feed the registry publishes.

The passwords were hashed with relatively weak cryptographic authentication methods such as the UNIX crypt-pw, which limits passwords to just eight characters in length. APNIC admitted there was a "possibility that passwords could have been derived from the hash if a malicious actor had the right tools".

If an attacker had cracked the hashes and obtained the passwords for the objects in the database, they could have altered whois details and temporarily re-routed IP-numbered networks from their owners.

The error was only discovered this month after security researchers from eBay's red team reported it to APNIC.

APNIC removed the passwords from the whois data feed and reset all Maintainer and IRT passwords earlier this month.

The registry continues to analyse its log files for network resource holder activity, and said it has not found evidence of any irregularities. 

There is no connection between the whois Maintainer and IRT resource objects credentials leak and MyAPNIC portal login credentials; users of the latter do not need to reset their passwords.
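A pre-publication filter for the failure described above, as an added example that is not APNIC's code: it strips password hashes from `auth:` attributes in a whois dump and reports which objects carried them. The RPSL-style layout, the `MD5-PW` scheme tag, the `# Filtered` marker and all sample values are assumptions made for the example.

```python
import re

# Password-hash schemes in RPSL "auth:" attributes. Assumed set: the article
# names only crypt-pw; MD5-PW is included as another password-hash scheme.
HASH_SCHEMES = ("CRYPT-PW", "MD5-PW")
AUTH_RE = re.compile(r"^(auth:\s*)(\S+)(?:\s+(.*))?$", re.IGNORECASE)

# Constructed sample feed; hash values are placeholders, not real hashes.
SAMPLE_FEED = """\
mntner:         MAINT-EXAMPLE-AP
auth:           CRYPT-PW xxCONSTRUCTED
auth:           MD5-PW $1$example$CONSTRUCTEDVALUE000000
mnt-by:         MAINT-EXAMPLE-AP

irt:            IRT-EXAMPLE-AP
auth:           CRYPT-PW # Filtered

inetnum:        192.0.2.0 - 192.0.2.255
mnt-by:         MAINT-EXAMPLE-AP
"""

def redact_feed(text):
    """Return (safe_text, findings) for a whois dump about to be published.

    findings holds (object_class, object_key, scheme) for each auth hash
    that was present and has been replaced by a filter marker.
    """
    out, findings = [], []
    obj_class = obj_key = None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends an object
            obj_class = obj_key = None
        elif line[0] in "#%":                     # dump comment, pass through
            pass
        elif obj_class is None and ":" in line:   # first attribute names the object
            name, _, key = line.partition(":")
            obj_class, obj_key = name.strip().lower(), key.strip()
        m = AUTH_RE.match(line)
        if m and m.group(2).upper() in HASH_SCHEMES:
            value = (m.group(3) or "").split("#", 1)[0].strip()
            if value:                             # a hash was actually present
                findings.append((obj_class, obj_key, m.group(2).upper()))
            line = f"{m.group(1)}{m.group(2).upper()} # Filtered"  # example marker
        out.append(line)
    return "\n".join(out) + "\n", findings

if __name__ == "__main__":
    safe, leaked = redact_feed(SAMPLE_FEED)
    print(leaked)   # a release job should fail closed if this list is non-empty
```

Running the filter a second time over its own output is a cheap release gate: any finding at that stage means a hash survived redaction.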

Copyright © iTnews.com.au. All rights reserved.