APNIC Internet Registrar Whois Password Hashes Leak

The registrar APNIC, responsible for allocating IP addresses in the Asia-Pacific region, reported an incident in which a Whois SQL dump containing sensitive data and password hashes became publicly available. This is not APNIC's first leak of personal data: in 2017 the Whois database was likewise exposed to the public, also because of a staff oversight.

While adding support for RDAP, the protocol intended to replace WHOIS, APNIC staff placed an SQL dump of the database backing the Whois service in Google Cloud without restricting access to it. Because of the misconfiguration, the dump was publicly accessible for three months; this came to light only on June 4, when an independent security researcher noticed it and notified the registrar.

The SQL dump contained "auth" attributes holding the password hashes used to authorise changes to Maintainer and Incident Response Team (IRT) objects, as well as client information that is not shown in ordinary Whois queries (typically additional contact details and notes about the user). Had the passwords been recovered from the hashes, an attacker could have altered the fields describing the holders of IP address blocks in Whois. The Maintainer object identifies who is allowed to change the group of records linked to it through the "mnt-by" attribute, and the IRT object holds the contact details of the administrators who respond to problem notifications. Which hashing algorithm was in use has not been disclosed, but in 2017 the outdated MD5 and CRYPT-PW schemes (8-character passwords hashed with the UNIX crypt function) were used.
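The exposure described above depends on two things: which "auth" scheme a Maintainer or IRT object accepts, and which records reference that object through "mnt-by" (or "mnt-irt"). The following script is an added example, not APNIC's code or data: it parses an RPSL-style Whois dump, flags objects whose "auth" attribute still uses the legacy CRYPT-PW or MD5-PW schemes, and lists the records that depend on them. The sample dump, object names and hash strings are all constructed placeholders.

```python
"""Audit an RPSL (Whois) dump for objects whose "auth:" attribute still uses a
legacy password-hash scheme, and list the records they protect via mnt-by/mnt-irt.

Added illustrative example, not APNIC's code or data. SAMPLE_DUMP is constructed
for this example; every hash string in it is a placeholder, not a real hash.
"""

# Legacy RPSL password schemes: CRYPT-PW (DES crypt, 8-character limit) and
# MD5-PW are both crackable offline once a dump leaks. BCRYPT-PW, PGPKEY, SSO
# and X509 are treated as acceptable here.
WEAK_SCHEMES = {"CRYPT-PW", "MD5-PW"}

# Constructed sample dump (documentation address space, placeholder hashes).
SAMPLE_DUMP = """\
mntner:   MAINT-EXAMPLE-LEGACY
auth:     MD5-PW $1$placeholder$notarealhash
auth:     CRYPT-PW plcHolder1
mnt-by:   MAINT-EXAMPLE-LEGACY
source:   TEST

mntner:   MAINT-EXAMPLE-MODERN
auth:     BCRYPT-PW $2a$placeholder
auth:     PGPKEY-00000000
mnt-by:   MAINT-EXAMPLE-MODERN
source:   TEST

irt:      IRT-EXAMPLE
auth:     MD5-PW $1$placeholder$anotherfakehash
mnt-by:   MAINT-EXAMPLE-MODERN
source:   TEST

inetnum:  192.0.2.0 - 192.0.2.255
netname:  EXAMPLE-NET
mnt-by:   MAINT-EXAMPLE-LEGACY
source:   TEST

inetnum:  198.51.100.0 - 198.51.100.255
netname:  EXAMPLE-NET-2
mnt-by:   MAINT-EXAMPLE-MODERN
mnt-irt:  IRT-EXAMPLE
source:   TEST
"""


def parse_rpsl(text):
    """Split a dump into objects, each a list of (attribute, value) pairs.
    Blank lines separate objects; a line starting with whitespace or '+'
    continues the previous value. The first pair names the object class."""
    objects, current = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                objects.append(current)
                current = []
            continue
        if line[0] in " \t+" and current:
            attr, val = current[-1]
            current[-1] = (attr, (val + " " + line[1:].strip()).strip())
            continue
        if ":" not in line:
            continue  # not an attribute line; skip it
        attr, _, val = line.partition(":")
        current.append((attr.strip().lower(), val.strip()))
    if current:
        objects.append(current)
    return objects


def auth_scheme(value):
    """Scheme of an auth: value, e.g. 'MD5-PW $1$...' -> 'MD5-PW'.
    PGP keys are written 'PGPKEY-<keyid>', so fold that prefix to 'PGPKEY'."""
    token = value.split(None, 1)[0].upper()
    return "PGPKEY" if token.startswith("PGPKEY-") else token


def audit(text):
    """Whois accepts any one of the listed auth methods, so a single weak
    auth: line exposes the object even if a stronger method is also listed."""
    objects = parse_rpsl(text)
    weak = {}  # object name -> sorted list of weak schemes it accepts
    for obj in objects:
        cls, name = obj[0][0], obj[0][1].upper()
        if cls in ("mntner", "irt"):
            schemes = {auth_scheme(v) for a, v in obj if a == "auth"}
            found = sorted(schemes & WEAK_SCHEMES)
            if found:
                weak[name] = found
    exposed = []  # (class, primary key, [weak objects it references])
    for obj in objects:
        cls, key = obj[0]
        if cls in ("mntner", "irt"):
            continue
        refs = [v.upper() for a, v in obj if a in ("mnt-by", "mnt-irt")]
        hits = sorted({r for r in refs if r in weak})
        if hits:
            exposed.append((cls, key, hits))
    return {"weak_auth_objects": weak, "exposed_objects": exposed}


if __name__ == "__main__":
    report = audit(SAMPLE_DUMP)
    for name, schemes in report["weak_auth_objects"].items():
        print(f"weak auth on {name}: {', '.join(schemes)}")
    for cls, key, hits in report["exposed_objects"]:
        print(f"{cls} {key} depends on weak objects: {', '.join(hits)}")
```

Run against a real dump, the report is the list of objects whose passwords should be reset first and which records an attacker holding the hashes could have edited; an object is counted as weak if any listed method is CRYPT-PW or MD5-PW, because the registry accepts whichever method the submitter uses.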

After discovering the incident, APNIC initiated a password reset for the affected Whois objects. APNIC has so far found no sign of illegitimate changes, but it cannot rule out that the data reached attackers, because complete access logs for the files in Google Cloud are not available. As after the previous incident, APNIC has promised to conduct an audit and change its operational processes to prevent such leaks in the future.

Source: opennet.ru