Epik has now confirmed that an “unauthorized break-in” has indeed taken place in its systems. The announcement follows last week’s incident in which hacktivist collective Anonymous leaked 180 GB of data stolen from online service provider Epik. To mock the company’s initial response to the data breach claims, Anonymous had modified Epik’s official knowledge base, as reported by Ars.
Epik is a domain registrar and web service provider known to serve right-wing customers, some of whom have been rejected by more mainstream IT providers due to the offensive and sometimes illegal content they host. Epik’s customers included the Texas GOP, Parler, Gab and 8chan.
Epik hack also affects millions of non-customers
It turns out that the leaked data dump contains 15,003,961 email addresses of both Epik’s customers and non-customers, and not everyone is happy with the news. This happened because Epik scraped WHOIS records of domains, even those not owned by the company, and saved those records. In addition, the contact details of those who have never done business directly with Epik were also kept in Epik’s systems.
The data breach monitoring service HaveIBeenPwned has now started sending alerts to its subscribers whose email addresses have been exposed in the Epik hack. The service’s founder, Troy Hunt, is one of many people affected by the data breach who “had absolutely nothing to do with Epik.”
In a poll last week, Hunt had asked whether affected users who were not Epik customers also preferred to receive breach notifications. The majority of users responded in the affirmative to the question.
Processing the Epik breach and there are *lots* of email addresses coming from other places, e.g. stored copies of WHOIS records. If your address is there — even if you haven’t subscribed to the service — would you want @haveibeenpwned to let you know they have your address?
— Troy Hunt (@troyhunt) September 17, 2021
“The breach exposed a huge amount of data not only from Epik customers, but also WHOIS records of individuals and organizations that were not Epik customers,” HaveIBeenPwned said. “The data includes more than 15 million unique email addresses (including anonymized versions for domain privacy), names, phone numbers, physical addresses, purchases, and passwords stored in various formats.”
Ars has seen some of the leaked whois.sql dataset file, approximately 16 GB in size, containing emails, IP addresses, domains, physical addresses, and phone numbers of the users. We found that WHOIS records for some domains were outdated and contained incorrect information about domain owners, listing people who no longer own these assets.
Before users can register domains, domain registrars require them to provide their “WHOIS” contact information, such as email address, physical address, and phone number. This information becomes part of the public WHOIS directory and can be searched by anyone to contact the domain owner. Since it is public data, WHOIS records can be seen or scraped by anyone. Those who prefer not to disclose their personal information directly in a WHOIS directory often rely on a company or private WHOIS provider to act on their behalf. However, what has concerned the users in this case is that the presence of their contact details in Epik’s dataset could falsely portray them as having a connection to Epik when there was none.
“Wonder if there is any legal remedy that could ever be taken against [Epik] for collecting data and caching it for longer than expected for individuals who are NOT customers and who have not had any business dealings with them? Is there a precedent for this?” asked TapEnvy.US, a Texas-based app development store.
Epik confirms data breach, emails affected people
Epik has confirmed the breach and is also emailing affected parties about an “unauthorized intrusion,” according to screenshots shared by data scientist Emily Gorcenski and cybersecurity expert Adam Sculthorpe.
“While we work to confirm all related details, we take an approach of maximum caution and urge clients to remain alert to any unusual activity they may observe regarding their information used for our services – this may include payment information, including credit card numbers, registered names, usernames, emails and passwords,” reads the email notification from Epik.
While the company has not confirmed at this time whether credit card information has also been compromised, as a precaution, users are encouraged to “contact credit card companies you have used to transact with Epik and notify them of a potential data compromise to discuss your options directly with them.”
Earlier, an Epik spokesperson had told Ars that the company was not aware of a breach and was investigating the claims.
Users can check if their data has been exposed as part of this hack at HaveIBeenPwned.com. Those whose contact details have been released should watch out for phishing emails and internet banking scams.