ICANN user passwords stolen in breach

Passwords and usernames have been stolen for the public website of ICANN, the nonprofit group that manages the Internet’s address system. 

The Internet Corporation for Assigned Names and Numbers announced Wednesday night that encrypted passwords, usernames and email addresses appeared to have been stolen by “unauthorized access to an external service provider.”

The group said investigations are under way and that the notice to users was not delayed because of a law enforcement investigation.

It was quick to point out that no financial or operational information was stolen.

The profile accounts related to the stolen passwords contained only simple information such as public biographies and newsletter subscription preferences. The group said there is no evidence that private accounts were accessed but urged users to change their passwords. 

“Most importantly, if you have used the same password on other websites or services, you should change it immediately on those other websites or services. As a general matter, you should avoid reusing passwords across multiple sites,” the group wrote in emails to subscribers and in a note posted on its website.

The group was the victim of a “spear phishing” attack last December that allowed hackers to gain access to ICANN’s email system and internal network. Spear phishing involves sending targeted emails that trick people into entering their passwords or other sensitive information. 

The nonprofit was set up in the late 1990s to coordinate the unique Web addresses that allow users to easily find sites online. The group is currently helping to lead the transition away from U.S. government oversight over one aspect of the naming function, which is expected to take place sometime next year.

This post was corrected to reflect that there was no delay in notification due to a law enforcement investigation.