ICANN, the organisation which oversees the internet's domain name system, regulating web addresses and working with registrars around the world, has revealed that it has fallen victim to a hacker attack during which the details of users who had created profiles on the organisation's public website were exposed. Email addresses (which act as usernames for profiles on the ICANN site) and hashed passwords were "obtained by an unauthorized person" says an announcement on the organisation's website, which goes on to describe that no evidence has yet been seen that any profiles (which contain bio information, details of interests and newsletter subscriptions) have been accessed:
ICANN has reason to believe that within the last week, usernames/email addresses and encrypted passwords for profile accounts created on the ICANN.org public website were obtained by an unauthorized person. These profile accounts contain user preferences for the website, public bios, interests, newsletter subscriptions, etc. There is no evidence that any profile accounts were accessed or that any internal ICANN systems were accessed without authorization. While investigations are ongoing, the encrypted passwords appear to have been obtained as a result of unauthorized access to an external service provider. These encrypted passwords (hashes) are not easy to reverse, but as a precaution we are requiring that all users reset their passwords.
Furthermore, there is no indication that any financial information has been put at risk. Most recently ICANN has made the headlines after upsetting privacy advocates by proposing that all commercial websites should be forced to provide a direct contact address in their WHOIS record. But there is no indication that this could have been the motivation for the security breach. Indeed, it appears that the attack may not have happened on ICANN's "turf" at all, but instead at one of ICANN's partners. Fortunately, and it's important to stress this, users' passwords were not leaked as a result of the breach. Instead, hashes or checksums of users' passwords were exposed. That's an important difference, because when a password is hashed it is a one-way process. There is no easy way to transform a hash back into the original password. Unfortunately, however, malicious hackers can use rainbow tables containing pre-calculated hashes of millions of possible password combinations to see if any of them match the hashes in the databases they have stolen. What we don't know is precisely what hashing algorithm was being used for the ICANN password database, and whether it was variably salted, which can make any hacker's attempt to unlock many of the passwords impractical.
The timing of the announcement comes curiously at the same time as domain name registrar Hover announced that it too had suffered a security breach, and was resetting customer passwords as a result. Not enough information has been shared by either ICANN or Hover to confirm if the two incidents are related, so it's too early to draw a link between them, but it certainly seems a strange coincidence. But here is what we do know. If you have a profile on the ICANN website, next time you attempt to log in you will have to reset your password. Make sure that it is a complex, long password and - importantly - ensure that it is unique. Time and time again we see businesses being hacked, and the password database of one site being used to unlock innocent users' accounts on other sites. You need a unique login for each of your accounts, meaning that recycled passwords are a no-no. You should, of course, extend this beyond your online passwords. Make sure that you are not reusing passwords and PIN codes in other parts of your life, such as the passwords you might use to log into your business network, for instance. Chances are that you will very soon have so many, complex, unique passwords that you will have no chance of remembering them. That's why I recommend using a password manager to handle the practicalities of scores of different passwords. In summary, ICANN appears to be dealing with the aftermath of its security breach responsibly. It has announced that a breach has occurred, reset passwords, and advised users to ensure that they are not using the same password anywhere else. In an ideal world, of course, no organisation wants to get hacked. But if they are hacked, what is most important is what they do to inform and protect their users from further risk. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.