The Internet Corporation for Assigned Names and Numbers (ICANN) recently acknowledged that it was hit in late November 2014 by a spear phishing attack, which targeted ICANN staff members with emails that appeared to come from an icann.org address.
The phishing attack successfully compromised several ICANN staff members' email credentials, which were then used to breach other ICANN systems, including the Centralized Zone Data System (CZDS), the ICANN Governmental Advisory Committee (GAC) Wiki, the ICANN Blog, and the ICANN WHOIS information portal.
Most importantly, the attacker gained administrative access to all files in the CZDS, including copies of the zone files in the system as well as users' names, mailing addresses, email addresses, fax numbers, phone numbers, user names and hashed passwords.
Still, there is some good news -- ICANN spokesman Brad White told the Washington Post that the Internet Assigned Numbers Authority (IANA) was not impacted. "At this point, we have confirmed that the attack has not affected the IANA-related systems," he said. "They are separate systems with additional layers of security that were not breached."
In response to the breach, ICANN is notifying all CZDS users whose personal information may have been compromised, and has reset all CZDS passwords.
"We suggest that CZDS users take appropriate steps to protect any other online accounts for which they might have used the same username and/or password," ICANN said in a statement.
"Earlier this year, ICANN began a program of security enhancements in order to strengthen information security for all ICANN systems," the statement added. "We believe these enhancements helped limit the unauthorized access obtained in the attack. Since discovering the attack, we have implemented additional security measures."
"All user passwords have been reset, and should the attackers act on the stolen salted hashes, hopefully users will not have reused passwords from other websites," Reguly said. "It is, of course, advisable that users of the Centralized Zone Data System reset their passwords if they were reused elsewhere."
"While the zone file copies contain useful information, much of that information will be available via other means, limiting the impact that any data exfiltration may have," Reguly added.
It's not yet clear who the attackers were, or what their motivation was.