No Evidence to Suggest Neustar Data Compromised, Hacker Retracts Allegation
Over the past few days, a hacker claimed that he breached numerous state websites containing sensitive personal information by hacking a Neustar server containing information about domain names registered in .us, the country code top-level domain for the United States (.us TLD). Several publications reported on this, including The Hill, Softpedia and Databreaches.net.
When pressed by reporters, the hacker reversed his initial claim and issued a statement saying that he did not hack Neustar. In his statement captured on The Real Strategy, he described his earlier claims as “a mirage to troll the media.”
Neustar takes any allegation regarding a security breach with the utmost seriousness. The minute we learned about the purported hack, we activated our security incident response plan and initiated an investigation, consistent with security best practices. We have found no evidence to suggest that .us TLD data has been compromised.
While we have no comment on the hacker’s claims to have breached state government records, we want to share some key points about some of the hacker’s original claims.
The hacker claimed to have breached the Neustar FTP (File Transfer Protocol) server containing information about the .us TLD. He then asserted that he obtained from this server a “list of each and every FTP server on .us,” which included “their passwords, users, ftp, ip, hostname and domain.” Finally, he announced that this information allowed him to hack state government servers in both the .us TLD and in the .gov TLD, where he was able to download a lot of very sensitive personal information.
The reality is that Neustar simply does not have the kind of information the hacker claimed to have downloaded from our server.
As the registry operator for the .us TLD, Neustar does not interact with individuals or entities that register domain names; that is the job of a domain registrar. Registrars send Neustar limited data about registrants (domain name buyers), consisting of the domain name registered (e.g. “example.us”), the name servers that are authoritative for that domain, and the publicly available registration information known as “WHOIS data.”
Registrars do not send Neustar registrant user IDs, passwords, financial information, or any information about FTP servers associated with a registered domain – and Neustar has no visibility into that data.
Nonetheless, because the hacker claimed he had compromised an FTP server containing .us TLD information, we did look carefully at this system. Neustar, like most registry operators, makes the .us Zone File, which contains name server and other information from the WHOIS records, available on a daily basis via FTP from an FTP server. This process is consistent with most top-level domains, and more information about it is available on the .us TLD FAQ page.
A Zone File is used by the Domain Name System (DNS) to ensure that when you type a URL into your browser bar it resolves to the correct website. But state governments generally do not download the .us TLD Zone File, and the hacker’s stated method of compromise (SQL injection) would not work because our FTP servers do not run SQL at all.
Here is the bottom line.
Neustar takes every allegation of this sort very seriously and we have undertaken a thorough investigation of the facts. Neustar simply does not have the kind of information the hacker claimed to have downloaded from our servers, and we have found no evidence that .us TLD data has been compromised in any way. The hacker has since admitted on the record that he did not hack Neustar. We hope that his claim to have compromised sensitive state government information is also unfounded.
 WHOIS data for .us is available at http://www.whois.us/#/basic and can also be accessed from most registrars’ websites. WHOIS data consists of registrant contact information (name, address, email and phone number) and certain status data about the domain name (registration and expiration date, and other status information). All of this information is publicly available in WHOIS. In fact, the .us rules actually prohibit the use of so-called privacy or proxy services that permit registrants to limit distribution of their information.