Whois data incident resolved

14 Apr 2025

Category: Tech matters

On Wednesday, 9 April, APNIC’s automated monitoring systems notified the Secretariat that hashed authentication details for the APNIC whois maintainer and Incident Response Team (IRT) objects were inadvertently visible to four entities with whois bulk data access.

No additional personal information was exposed.

The error was rectified within 48 minutes of the notification. Within 48 hours, APNIC reset all maintainer and IRT passwords for all whois objects in the APNIC Whois Database.

APNIC continues to analyse its logs to search for any signs of whois misuse, and to date, there is no evidence of irregularities.

APNIC Members did not experience any disruption to operations, and no further action is required by APNIC resource holders. 

What happened 

Whois maintainer and IRT export files containing password hashes were uploaded to ftp.apnic.net. Authenticated users who have signed the APNIC acceptable use policy had access for 12 hours 38 minutes, from Tuesday, 8 April at 14:45 (UTC +10) until Wednesday, 9 April 2025 at 03:23 (UTC +10). These files were downloaded by four separate entities.

Due to a configuration error when modifying the process that uploads whois maintainer and IRT export files to ftp.apnic.net, password hashes were included in two files.

Although the strong hashing function and long random strings used make compromise extremely unlikely for most users, all exposed password hashes were reset as a precaution.

Immediate action by APNIC

The four entities that accessed the affected data were contacted on Wednesday, 9 April 2025 and asked to delete the data.

APNIC reset all maintainer and IRT passwords for all whois objects in the APNIC Whois Database on Thursday, 10 April 2025. This did not disrupt operations for APNIC Members as the vast majority use MyAPNIC to make whois changes (the password is not visible to them in this scenario).

The 36 organizations that actively make whois updates via email were contacted to manually update their passwords. APNIC reset passwords for those who had not updated them on Friday, 11 April 2025.

The remediation process was completed on Friday, 11 April 2025, and we are sharing this information now that there is no further risk to resource holders by doing so.

No further action is required by APNIC resource holders.

Changes to process as a result of the incident

A post-incident review is underway to determine where process, technology, and oversight improvements can be made to avoid similar incidents in the future.

APNIC has increased the frequency of password hash checks on ftp.apnic.net, from daily to every minute when files are modified, and every 30 minutes regardless of any changes.
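A check of this kind can be sketched as a fail-closed scan of an export file, run before or after each upload. This is an added example, not APNIC's actual check: it assumes RPSL-style objects with `auth:` attributes, a `# Filtered` placeholder as used by RIPE-style whois software, and public-key references (`PGPKEY-`, `X509-`) as the only values safe to publish; the sample data is constructed.

```python
import re

# Assumption: auth values that only reference a public key carry no secret.
SAFE_PREFIXES = ("PGPKEY-", "X509-")
ATTR = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")

# Constructed sample export; object names and hash values are placeholders.
SAMPLE = """\
mntner:         MAINT-EXAMPLE-A
auth:           MD5-PW # Filtered
auth:           PGPKEY-0A1B2C3D

mntner:         MAINT-EXAMPLE-B
auth:           MD5-PW CONSTRUCTED-HASH-PLACEHOLDER

irt:            IRT-EXAMPLE-C
auth:           # Filtered
auth:           CRYPT-PW CONSTRUCTED-HASH-PLACEHOLDER # Filtered
"""

def is_safe_auth(value):
    """True only for values known to carry no credential material."""
    scheme, _, comment = value.partition("#")
    scheme = scheme.strip()
    if scheme.upper().startswith(SAFE_PREFIXES):
        return True
    # Filtered form: at most a bare scheme name, then a "# Filtered" comment.
    return comment.strip().lower() == "filtered" and len(scheme.split()) <= 1

def scan_export(text):
    """Return (line_no, object_id) for every auth: line not provably safe."""
    findings, current = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            current = None  # a blank line ends an RPSL object
            continue
        m = ATTR.match(line)
        if not m:
            continue  # continuation or comment line
        key, value = m.group(1).lower(), m.group(2).strip()
        if current is None:
            current = f"{key}: {value}"  # first attribute names the object
        if key == "auth" and not is_safe_auth(value):
            findings.append((no, current))  # report location, never the value
    return findings

if __name__ == "__main__":
    for no, obj in scan_export(SAMPLE):
        print(f"line {no}: unfiltered auth value in {obj}")
```

Because the scan allowlists known-safe forms instead of pattern-matching specific hash formats, a value that carries a hash alongside a `# Filtered` comment is still flagged, and any non-empty result should block publication.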

APNIC is also deprecating password-based authentication for mail updates and transitioning the authorization model for maintainer and IRT objects to OAuth2 tokens, which will permanently prevent this type of password hash leak.

Any additional actions identified during the post-incident review will be prioritized and implemented in the coming weeks.

If you have any questions or concerns, our Helpdesk is ready to assist.
