The Asia-Pacific Network Information Centre (APNIC), the organization that manages domain name information for the Asia-Pacific region, fixed on Monday an error that exposed password hashes needed to access and edit domain ownership details.
The incident came to light on October 12, when eBay employee Chris Barcellos spotted password hashes inside downloadable Whois information.
The researcher reported the issue to APNIC, and the organization had fixed the problem by the second day.
"Although password details are hashed, there is a possibility that passwords could have been derived from the hash if a malicious actor had the right tools," said the APNIC Deputy Director General.
The exposed passwords were used to protect access to two sections of Whois records, called Maintainer and IRT objects.
As the name suggests, Maintainer objects store information on people/organizations authorized to manage a domain name. Similarly, IRT objects store information on a company's Incident Response Team, the people who handle abuse reports and security incidents.
An attacker who spotted the hashed passwords inside the downloadable Whois records could have cracked the hash and then used the recovered password to insert their own details as the domain name maintainer, effectively taking over a legitimate site.
APNIC said the hashed passwords were accidentally included in the category of downloadable Whois information back in June 2017, during an upgrade of the APNIC Whois database.
The organization has since reset all Maintainer and IRT object passwords. APNIC said it found no evidence of abuse resulting from the slip-up.
"APNIC apologises for any inconvenience and concern that this error has caused," the organization added today in a statement. "There are certainly lessons for APNIC after this error and we have now begun a post-incident review to determine how our processes failed and where we can improve to ensure this doesn’t happen again."