This report provides information on our findings and actions following a security breach investigation into RIPE NCC Access, our Single Sign-On (SSO) system, that has been ongoing since January 2024. Please note that we do not comment on individual cases.
In January 2024, we informed members about a security investigation into a compromised RIPE NCC Access account. This report provides an overview of our findings and actions taken since our last update on 10 January.
Findings
Our investigation found that leaked credentials for RIPE NCC Access accounts had been published online that were not detected during our routine monitoring. Further, brute force attempts were executed against RIPE NCC Access accounts, with eight accounts being possibly compromised through brute force attempts.
During the course of our investigation, we found that:
- The passwords of 870 accounts were identified as being publicly exposed through data breaches. This includes the 800 accounts reported in our security update in January. Prior to this investigation, our routine monitoring for publicly exposed credentials had already identified approximately half of these accounts. The passwords for these accounts had already been reset.
- 104 of these were linked to LIR accounts.
- Email addresses had been updated for 270 accounts.
- 8 accounts were possibly compromised through brute force attacks.
Two-factor authentication was not mandated for RIPE NCC Access accounts and the required password strength was too low to counter the brute force attacks.
Actions Taken
- Passwords were reset for all accounts identified in public data breaches and brute force attempts, and the account holders were notified.
- Specifically, we reset passwords on the remaining 425 accounts whose credentials were found to be publicly available through data breaches in the course of our investigation and the 8 possibly brute forced accounts.
- We verified that passwords had been reset for the credentials previously identified during routine monitoring.
- We closely monitored the resources connected to the 104 LIR accounts identified as vulnerable for suspicious activity.
- For the accounts with recently updated email addresses, we reached out to account holders to confirm whether the change was legitimate.
- We restored access to accounts after verifying the identity of the legitimate account holders.
- We checked that no unauthorised changes had taken place for the accounts that were possibly compromised through brute forcing attempts.
Security Measures Implemented
We have taken the following measures as a result of our investigation:
- Strengthened the password policy by requiring longer passwords and implemented lock-out mechanisms to protect against brute force attacks.
- Two-factor authentication for all RIPE NCC Access accounts is now mandatory.
- LIR admins can now see which users have not enabled two-factor authentication.
- We have improved our monitoring of leaked credentials.
- The process of resetting passwords for any RIPE NCC Access credentials found in public data breaches is now automated.
- It is no longer possible to change an email address linked to a RIPE NCC Access account.
Conclusion and Recommendations
In light of this security incident, we reprioritised our engineering roadmap for the first quarter of 2024, expediting the rollout of mandatory two-factor authentication. We also improved our monitoring of public data breaches to identify exposed credentials of RIPE NCC Access accounts. We are committed to improving our security, and reducing the risk of similar incidents taking place in the future. Any security measures we take can only succeed in conjunction with our members. Therefore, we further recommend that our members:
- Review which of their staff have access to their LIR accounts.
- Remove former employees or personnel who are not authorised to access the accounts.
- Follow password security best practices.
- Actively monitor public data breaches for their own credentials.