ICANN Cybersecurity Incident Log

This cybersecurity incident log is part of the ICANN organization's commitment to transparency.

Reporting Guidelines

These guidelines describe how the ICANN org handles vulnerabilities that have the potential to exploit or threaten the security, stability, or resiliency of the ICANN org systems and services. These principles apply whether the vulnerabilities are discovered by the ICANN org or are reported by a third party.

  • Cybersecurity Transparency Guidelines [PDF, 17 KB]. In general, we will disclose major security vulnerabilities and resulting incidents that cause significant risk to the security of ICANN's systems, or to the rights and interests of data subjects, or otherwise require disclosure under applicable legal requirements.

Cybersecurity Incident Log

Announcement Date | Issue or Incident | Status | Related Information

3 June 2022 Atlassian Confluence Server and Data Center Vulnerability Closed

As we informed you on 3 June, ICANN's Engineering and Information Technology (E&IT) team became aware of a vulnerability affecting Atlassian's Confluence Server and Data Center products on 2 June. This vulnerability affected the ICANN Community Wiki, which was taken offline until E&IT could implement the patch provided by the vendor and verify the fix through a trusted third party. The Wiki is widely used by the ICANN Community and ICANN organization; therefore, it was mission-critical for E&IT to not only implement the patch, but verify its effectiveness through thorough testing.

We are pleased to inform you that the Wiki is now back online, earlier than anticipated. E&IT was able to quickly implement the patch, conduct multiple tests to ensure that the fix worked as expected, and obtain proof of success using a tool provided by a trusted third party. E&IT has verified that there are no indications that the Wiki was compromised as a result of the vulnerability.

18 May 2022 Unavailability of ICANN Account creation Closed

ICANN org experienced an issue with Okta, the cloud single sign-on provider for user accounts at icann.org. This issue was the result of a software update from Okta and was outside of ICANN's control. The issue only affected those who tried to create a new ICANN Account. The ICANN E&IT team has put in place a work-around that addresses the issue. Between the Okta software update and the implementation of the work-around by ICANN E&IT, 59 users were affected, some while attempting to register for ICANN74. ICANN has contacted those users and completed their registration process while offering other assistance as needed. The E&IT team is in contact with Okta to address the root cause and continue to operate ICANN Account without the need for the work-around. This transition to the updated Okta software release will not have an impact on ICANN Account users.

27 April 2021

Event: DDoS of NS.ICANN.ORG

Closed

ICANN was subjected to a Distributed Denial of Service (DDoS) attack targeting NS.ICANN.ORG. This event did not result in harm to the organization. It was mitigated by redirecting traffic flows through a DDoS scrubbing service.

10 September 2020

Zoom Transcription Issue

Closed

Zoom reported to ICANN org that a temporary misconfiguration in a subset of its servers, related to automated transcription services, allowed one other Zoom customer to inadvertently view the contents of a single ICANN meeting transcription. Mitigations were put in place by Zoom and confirmed effective by Zoom. Zoom has hired an independent third party to audit the event for assurance.

23 June 2020 Centralized Zone Data Service (CZDS) Issues Resolved

A CZDS user notified ICANN org of an issue in the system that allowed users with expired approvals to access zone files. After switching to daylight saving time, the misconfiguration prevented access rights from expiring. A community member also notified ICANN org that a zone file that was downloaded from CZDS was incomplete. In an effort to address the truncated zone file issue, an error was introduced that caused IP addresses and port numbers of the hidden servers (used by registry operators to share zone files with ICANN org) to become visible to those CZDS end-users that accessed the system during a four-day period. All issues have been resolved.

27 March 2020 Zoombombing Incident during LAC Readout Closed

As a result of the increasing popularity of the Zoom platform during the COVID-19 pandemic, Internet trolls are taking advantage of the current public health crisis by interrupting public Zoom calls and using the screensharing feature to share offensive audio, images and video. These incidents are known as Zoombombing. In the past few weeks, several companies have been victims of these trolls. The ICANN org Global Stakeholder Engagement (GSE) Latin America and the Caribbean (LAC) Engagement team was preparing to host an ICANN67 Readout for the LAC community. The Readout was scheduled for 27 March 2020, at 0500 UTC, and was to be conducted via Zoom. The Zoom link was shared in advance on social media and via regional mailing lists. A password was not required to enter the Zoom session, because it was a join-up open invitation, rather than a "by-invitation-only" session. The meeting began on schedule at 0500 UTC. Evidently, some protocols were not followed in the Zoom room setup: participants were not muted by the moderator, and participants could share their screens. Sometime between 0510 and 0520 UTC, two unknown participants shared inappropriate and offensive audio and one still image. The participants were ejected from the call and the moderator immediately imposed restrictions on audio and video sharing by participants. Guidelines for appropriate behavior and methods to secure the privacy of Zoom sessions have been published. This matter is considered CLOSED.

7 Nov 2019 Pathable Software Vulnerability Closed

A vulnerability was discovered in Pathable, Inc. software, which is used in ICANN's meeting application. Pathable, Inc. published a notification explaining the vulnerability and mitigation on their website. Pathable, Inc. and ICANN completed review of the issue and found no evidence of a data compromise. ICANN has confirmed the mitigation is in place.

16 July 2019 SAP Concur Incident Closed

An external party reported a misconfiguration in the SAP Concur Travel Application related to the delegation and autocomplete features, which could lead to disclosure of personal information, such as name, title, phone number and email address, in certain limited circumstances. No legal risk was determined. Mitigations were put in place and confirmed effective.

12 April 2019

Community Wiki (community.icann.org) Restored

Closed

On 11 April 2019, at 1642 UTC, ICANN org took the Community Wiki (community.icann.org) offline. This step was taken after the ICANN Engineering & IT team observed performance issues with the service. The team immediately contacted the vendor, Atlassian Systems, which supplies the Community Wiki platform (Confluence). At 1700 UTC, Atlassian informed ICANN org that the performance issue seemed related to a vulnerability in the Confluence software. The vulnerability was noted by Atlassian on 20 March 2019. ICANN org was not directly notified of this vulnerability; however, on 25 March, public vulnerability records (called CVEs, for Common Vulnerabilities and Exposures) were recorded by Atlassian. The CVEs are: CVE-2019-3395 and CVE-2019-3396.

Preliminary analysis by ICANN InfoSec engineers indicates that these vulnerabilities were being exploited by a Crypto-Miner. (Crypto-miner software hijacks vulnerable machines to leverage CPU horsepower for doing crypto-currency "mining" work.) It appears that this was the cause of the slow performance of the system. In an abundance of caution, the ICANN Engineering & IT team restored a backup from 11 April 2019, taken at 0400 UTC. The restored software's vulnerability was patched. The Community Wiki has been restored and is available to its users. Also, ICANN org is now on the Atlassian direct-notification list, so we will be immediately alerted of vulnerabilities in the future. The Engineering & IT InfoSec team is continuing to perform forensics on any potential impact on the system. If there are significant findings, we will inform you with updates. We apologize for the disruption of this service and thank you for your patience.

Update 13 April 2019 at 0116 UTC: The Engineering & IT InfoSec team has completed its analysis and has found no impacts on the system.

30 January 2019

Intermittent Network Issue

Closed

ICANN experienced an intermittent network issue on Monday, January 28. This issue delayed the rollout of the new CZDS for several hours. The outage was traced to a network resource constraint. We have expanded our resources to mitigate the issue. No further issues have been reported by CZDS or other services that were impacted.

9 January 2019

IMRS Statistics site (http://stats.dns.icann.org) vulnerability

Closed

An external party reported that a database schema could be discovered (read only) through an SQL injection vulnerability. The issue affected only the public facing presentation of the gathered DNS Statistics for the ICANN Managed Root Server.

24 October 2018

VoIP Phones Firmware Vulnerability

Closed

An external party reported that he could access and impersonate an ICANN org IP-based telephone. The issue affected two ICANN phones. The vulnerability was corrected by taking the affected phones off-line.

24 October 2018

ICANN Meeting Registration Kiosk System Vulnerability

Closed

An external party reported that the kiosk web form was accessible without authentication. So, by guessing the URL and inputting an attendee's email address, the badge information (name, company, affiliation, and region) and hotel name submitted by the individual could be viewed and edited. A software fix and new registration procedures were put into place to address the issue.

12 October 2018

Reported RADAR System Vulnerability

Closed

An external party reported a security vulnerability in ICANN's Registrar Contact Information Database (RADAR) system, which was subsequently taken offline on 2 October 2018. The vulnerability had to do with a unique second factor authentication "cookie" that RADAR users must enable to access the system. The system was taken down for maintenance shortly after the vulnerability was reported, while the engineering team implemented a software "fix." ICANN determined that the vulnerability was not exploited by third parties. The system was back online on 3 October 2018 at 6:40PM UTC.

28 August 2018

DDoS on www.icann.org

Closed

One page on the site was identified as receiving unusually high traffic, causing a cascading effect on the site and other ICANN web properties. Corrective action was put in place and the DDoS was mitigated. It is not certain whether this was malicious or the result of an errant configuration external to ICANN.
