Epik has now confirmed that an “unauthorized intrusion” did in fact occur into its systems. The announcement follows last week’s incident of hacktivist collective Anonymous leaking 180 GB of data stolen from online service provider Epik. To mock the company’s initial response to the data breach claims, Anonymous had altered Epik’s official knowledge base, as reported by Ars.
Epik is a domain registrar and web services provider known to serve right-wing clients, some of which have been turned down by more mainstream IT providers due to the objectionable and sometimes illicit content hosted by the clients. Epik’s clients have included the Texas GOP, Parler, Gab, and 8chan, among others.
Epik hack impacts millions of non-customers, too
Turns out, the leaked data dump contains 15,003,961 email addresses belonging to both Epik’s customers and non-customers, and not everyone is pleased with the news. This occurred as Epik had scraped WHOIS records of domains, even those not owned by the company, and stored these records. In doing so, the contact information of those who have never transacted with Epik directly was also retained in Epik’s systems.
Data breach monitoring service HaveIBeenPwned has now begun sending out alerts to millions of email addresses exposed in the Epik hack. The service’s founder, Troy Hunt, is one of the many impacted by the data breach but who “had absolutely nothing to do with Epik.”
In a poll last week, Hunt had asked if affected users who weren’t Epik customers preferred receiving breach alerts as well. The majority of users responded affirmatively to the question.
Processing the Epik breach and there’s *lots* of email addresses taken from other places, for example stored copies of WHOIS records. If your address is in there – even if you didn’t subscribe to the service – do you want @haveibeenpwned to notify you that they have your address?
— Troy Hunt (@troyhunt) September 17, 2021
“The breach exposed a huge volume of data not just of Epik customers, but also scraped WHOIS records belonging to individuals and organisations who were not Epik customers,” states HaveIBeenPwned. “The data included over 15 million unique email addresses (including anonymised versions for domain privacy), names, phone numbers, physical addresses, purchases and passwords stored in various formats.”
Ars has seen a part of the leaked whois.sql data set file, roughly 16 GB in size, with emails, IP addresses, domains, physical addresses, and phone numbers of the users. We noticed WHOIS records for some domains were dated and contained incorrect information about domain owners—people who no longer own these assets.
Prior to registering domains, domain registrars require users to provide their “WHOIS” contact information, such as email address, physical address, and phone number. This information becomes a part of the public WHOIS directory and is searchable by anyone for contacting the domain owner. Being public data, WHOIS records may be seen or scraped by anyone. Those who prefer not to disclose their personal information directly on a WHOIS directory often rely on a company or a private WHOIS provider to act on their behalf. However, what has gotten the users concerned in this case is that the presence of their contact information in Epik’s data set could falsely portray them as having a connection to Epik when there was none.
“Wonder if there is any legal recourse once can take against [Epik] for harvesting data, and keeping it longer than expected in a cache for individuals who are NOT clients, and have had 0 business dealings with them? Is there a precedent for this?” asked TapEnvy.US, a Texas-based app development shop.
Epik confirms data breach, emails impacted people
Epik has confirmed the breach and is also emailing the impacted parties about an “unauthorized intrusion,” according to screenshots shared by data scientist Emily Gorcenski and cybersecurity expert Adam Sculthorpe:
“As we work to confirm all related details, we are taking an approach toward maximum caution and urging customers to remain alert for any unusual activity they may observe regarding their information used for our services – this may include payment information including credit card numbers, registered names, usernames, emails, and passwords,” reads Epik’s email notice.
Although the company has not confirmed at this time if credit card information was also compromised, as a caution, users are encouraged to “contact any credit card companies that you used to transact with Epik and notify them of a potential data compromise to discuss your options with them directly.”
Previously, an Epik spokesperson had told Ars that the company was not aware of any breach and was investigating the claims.
Users whose contact information was potentially exposed as a part of this hack should keep an eye out for any phishing emails and online banking scams.