AFRINIC became aware of a WHOIS data privacy and security issue and we wanted to share the details of the incident with you.
In the process of handling a request for support from a researcher with access to our authenticated FTP site that provides a redacted bulk WHOIS database dump file, we noticed that those who were authorised for the bulk WHOIS service could access a second file that contains information such as email addresses, phone numbers and password hashes. Upon noticing this issue, the file has since been removed from the site.
Bulk WHOIS Service
AFRINIC offers a redacted bulk WHOIS database dump through an authenticated FTP site. This dump filters email addresses, phone numbers and password hashes and it’s principally provided to support Internet operations, technical research and statistics.
Access to this FTP site is granted following a procedure that requires filling a form and it is reviewed by staff for approval.
Affected WHOIS Dump File
The publication of this file started in 2011 as part of an inter RIR collaboration to provide a global resource service (GRS).
Over the period the mechanism to share this information changed, however, due to automated processes the publication of this file continued to happen in error.
The database objects that were being published contained confidential information such as password hashes, organisation emails and phone numbers.
The potential risk in accessing password hashes includes the possibility that the plain text format can be derived. If a threat actor is able to derive the passwords, they can be able to make modifications to WHOIS database objects that are protected by a specific maintainer.
As the access to this information goes back several years, we are not in a position to determine whether this information was used to compromise the contents of the WHOIS database.
Currently, the exposed data that is at risk is as follows:
- 12,536 email addresses,
- 5,272 phone numbers, and
- 1,633 maintainers using CRYPT and/or MD5 password hashes.
This data relates to 2,281 organisations.
There have been continuous efforts to improve the security of the database. The improvements included the partial deprecation of CRYPT and MD5 authentication mechanisms that were done in November 2017. Consequently, a user could no longer create or update their maintainer(s) with a password hashed using these algorithms.
Furthermore, effective December 2020, we fully deprecated support for CRYPT and MD5 authentication mechanisms such that the passwords that are hashed by these two mechanisms would no longer work on updating other objects, except to allow an update of the maintainer object with an acceptable authentication mechanism.
After realising this data exposure we have taken further steps to completely disable support for the two authentication mechanisms.
Currently, at least 92% of the maintainers are protected using BCRYPT hashes, PGP and X-509 Certificates.
We wish to further clarify that these maintainer passwords are not to be confused with the passwords used to access the members portal.
With regards to organisation emails and phone numbers, access to such information may lead to abuse and other undesirable purposes such as unsolicited emails and phone calls other than serving the purpose of the WHOIS database.
- The file containing personal data has been removed and is thus no longer accessible to unauthorised persons.
- Support for CRYPT and MD5 has been completely disabled.
- The Data Protection Commissioner has been duly notified as per requirements of the Data Protection Act 2017
- Communication to resource holders and authenticated FTP users with access to bulk WHOIS data.
- The FTP site will be revised to ensure that the previously authorised users are validated again. Credentials will be issued for a limited period of time.
- Further system security reviews are ongoing.
We apologise for any inconvenience this may have caused.
Chief Executive Officer