Hacked ICANN data still sells for hundreds of dollars years after breach

Criminals try to get value out of breaches no matter how old. ICANN data from years ago is still popping up on the dark net.

Stolen data has no expiration date.

Three years after hackers used a spearphishing attack to successfully gain access to internal data at the Internet Corporation for Assigned Names and Numbers (ICANN), the data is still being passed around and sold on black markets for $300, complete with claims that it’s never been leaked before.

The 2014 breach allowed hackers to take ICANN’s internal emails and wiki, its administrative data files, its blog and the Whois portal. Although the stolen data is important, the attack could have been worse. ICANN, which has been the target of many cyberattacks over the years, possesses much more critical information due to its day-to-day management of top-level domains (.com, .gov, etc.), the IP address space and some server systems. The fact that nothing else slipped out is a testament to good security.

But even a little data from such an important organization has black-market value for years. Here it is being sold right now on AlphaBay:


ICANN experts said the data for sale was real but from the old breach.

It’s feasible that a more successful attack could impersonate ICANN officials or take down entire top-level domains at the highest level in the hierarchical Domain Name System of the internet. Again, none of that took place but it illustrates why ICANN is a high-value and repeated targeted for attackers.

AlphaBay, currently the largest black market on the dark net, offers an excellent window on how breached data hangs around. There is no verification method on the site, no way to find out if the stolen data being sold is either real or new except to see the data itself. Sellers may offer samples to buyers and journalists to show they are the real thing, thus establishing a reputation. In a universe of pseudonyms and loose identities, reputations are extremely valuable. An account with a high reputation, just like on eBay, can make money much more easily than low-reputation counterparts.

The seller here, who has dozens of stolen databases for sale, didn’t directly lie about the age of the data; instead, he said he didn’t know when it was hacked. The advertisement did say it was the first time it had been leaked, a claim that’s tough to directly prove or disprove in the dark net mess. Instead, it’s more of an attention-grabber than a rock-solid guarantee.


For brokers and buyers of stolen data, this is just another murky deal involving a high-profile organization. For researchers and journalists covering data breaches, the uncertainty is par for the course.

“We recently became aware that some information obtained in the spear phishing incident we announced in 2014 is being offered for sale on underground forums,” ICANN spokesperson Brad White told CyberScoop.

“Our initial assessment is that it is old data and that no new breach of our systems has occurred. The data accessed in the 2014 incident breach included usernames and hashed passwords for our Centralized Zone Data System (CZDS). Once the theft was discovered, we reset all user passwords, and urged users to do the same for any other accounts where they used the same passwords.”

Latest Podcasts