DNS chief and wannabe master-of-the-internet ICANN pwned… again

Hashed passwords, email addresses and more exposed

ICANN says its website's user accounts have been compromised by hackers who gained access to their names, email addresses, hashed passwords, and more.

On Wednesday, the domain-name system overlord admitted its server security was breached within the past week: an "unauthorized person" obtained account records, which included harmless info such as site preferences, and newsletter subscriptions, as well as the usernames and passwords.

Anyone can create an ICANN.org account, and they're mostly used by people working in the area of internet governance – policy makers from governments and business, network techies, trade journos, and so on.

The passwords were encrypted one-way using the bcrypt algorithm. ICANN has reset people's passwords, and warns anyone who reused their ICANN.org password on other websites to change their passwords for those accounts immediately, just in case someone cracks the ICANN.org hashes.

We're told the attack did not affect any IANA systems, which operate on a separate network to ICANN's. ICANN is under contract from the US government to provide the IANA functions, which include maintaining the root of the internet's global DNS, allocating IP addresses, and assigning numbers and names to protocols that glue the 'net together. ICANN wants total control of IANA.

An ICANN spokesman told The Register the account passwords were hashed using bcrypt. "There is no evidence that any profile accounts were accessed or that any internal ICANN systems were accessed without authorization," he added.

"While investigations are ongoing, the encrypted passwords appear to have been obtained as a result of unauthorized access to an external service provider."

This is not, by a long shot, the first time ICANN has been attacked. In March, a security hole was found in the dot-word domain-name portal; in April, gTLD applicants' information was exposed; in December, hackers compromised a database of DNS information; and earlier that year, security bugs delayed the launch of the new dot-word gTLDs. Perhaps, the US government would like to take another hard look at ICANN before the California-based org takes over the DNS binding together the internet. ®




Biting the hand that feeds IT © 1998–2019