ICANN registrar database hacked
ICANN’s database of registrar contact information has been hacked and user data has been stolen.
The organization announced this morning that the database, known as RADAR, has been taken offline while ICANN conducts a “thorough review” of its security.
ICANN said:
This action was taken as a precautionary measure after it was learned that an unauthorized party viewed data in the system. ICANN has found no evidence of any unauthorized changes to the data in the system. Although the vulnerability has been corrected, RADAR will remain offline until a thorough review of the system is completed.
Users of the system — all registrars — have had their usernames, email addresses and encrypted passwords compromised, ICANN added.
ICANN noted that it’s possible to brute-force a hashed password into plaintext, so it’s enforcing a password reset on all users, but it has no evidence of any user accounts being accessed.
RADAR users may want to think about whether they have the same username/password combinations at other sites.
RADAR is a database used by registrars in critical functions such as domain name transfers.
Registrars can use it, for example, to white-list the IP addresses of rival registrars, enabling them to execute large numbers of Whois queries that would usually be throttled.
The news follows hot on the heels of a screwup in the Centralized Zone Data Service, which enabled any new gTLD registry to view data belonging to rival registries and other CZDS users.
Should some unauthorized domain transfers now happen? Are domainers at risk?
I don’t think that’s going to happen, no. I’m double-checking with ICANN but I don’t think this impacts registrants.
I thought ICANN was ready to ditch its ‘training wheels’, per Fadi?
Classic. ICANN requires registrars to maintain all contact and payment information for two years after ceasing to do business with a registrant.
You know what that means?
Every registrar has a big fat collection of juicy data somewhere, subject to whatever security measures the registrar may, or may not, implement.