Web Hoster Epik's Breach Exposes 15 Million Email Addresses

Scraped Whois Information Leaked by Anonymous in Reprisal for Alt-Right Site Hosting

More than 15 million email addresses and accompanying personal details have been leaked online under the banner of Anonymous.

All of the leaked information allegedly comes from Epik, a Bellevue, Washington-based domain name registrar and web hosting service that was targeted by the Anonymous hacktivist collective last week. The leaked information, comprising 180GB of data, includes not just information on Epik's own customers and systems, but also details for millions of other individuals and organizations who had their information scraped via "Whois" queries from domain name registrars, according to the free breach-notification service Have I Been Pwned, which received a set of the exposed data.

"The data included over 15 million unique email addresses (including anonymized versions for domain privacy), names, phone numbers, physical addresses, purchases and passwords stored in various formats," according to Have I Been Pwned.

The service, maintained by Australian developer Troy Hunt, lets users sign up with an email address, then contacts them whenever that address appears in a dump of breached data. Hunt queried users last week as to whether he should load the information that had been scraped from Whois into Have I Been Pwned, and the vast majority of respondents requested that he do so.

Epik, which was founded in 2009 by current CEO Rob Monster, has provided hosting services for a number of far-right sites, including the Texas GOP, Parler, 8chan, Gab and BitChute.

Epik markets itself as being the "Swiss bank of domains," by providing "all registrants access to state-of-the-art domain security" with "integrated Whois privacy services" being "provided at no cost to registrants."

Due to the breach, however, customers who expected their identity to be kept secret may be in for a surprise.

In the "press release," one or more individuals operating under the banner of Official Anonymous, who bill themselves as "hackers on estradiol," say they leaked "a decade's worth of data from the company," amounting to gigabytes of data that include "account credentials for all Epik customers, hosting, Anonymize VPN, and so on," as well as for various Epik systems, servers, GoDaddy passwords and more. They claim these were largely stored in plaintext, although some were hashed, albeit as easy-to-crack, unsalted MD5 hashes.

Why Epik Was Targeted

News of the breach was first reported on Sept. 13, via Twitter, by independent Texas journalist Steven Monacelli, who posted a release from Anonymous detailing attackers' motivations for hitting Epik, as part of its "#OperationJane" efforts.

The targeting of Epik appears to center on it providing hosting services for the Texas GOP website and other groups associated with the controversial new Texas abortion law known as Senate Bill 8, aka the "Heartbeat Act."

Anonymous press release announcing the Epik breach (Source: archived copy)

The law, which came into effect on Sept. 1, prohibits abortion after six weeks of pregnancy. It also gives state residents the ability to sue anyone who violates or helps others to violate the law.

Anonymous reportedly leaked the data on Tuesday, after which the data quickly began circulating via BitTorrent links.

Epik didn't immediately respond to a request for comment. But the company had previously denied finding any evidence that it had been breached. "We are not aware of any breach. We take the security of our clients' data extremely seriously, and we are investigating the allegation," an Epik representative told Ars Technica.

In response, Anonymous altered Epik's knowledge base to read in part: "On September 13, 2021, a group of kids calling themselves 'Anonymous', whom we've never heard of, said they manage[d] to get a hold of, well, honestly, all our data, and then released it," according to an archived copy of the altered page. "They claim it included all the user data. All of it. All usernames, passwords, e-mails, support queries, breaching all anonymization service[s] we have. Of course it's not true. We're not so stupid we'd allow that to happen."

The page, which has since been removed by Epik, ended with Anonymous noting: "We did write this ourselves, this is obviously not part of the hacked account."

Texas GOP Rick-Rolled

On Sept. 11, Anonymous altered the Texas GOP website, changing its slogan from "Help Keep Texas Red" to "Texas: Taking Voices from Women to promote theocratic erosion of church/state barriers," as Daily Dot reported.

A button to donate to Planned Parenthood was also added to the homepage, as was a YouTube link to Rick Astley's "Never Gonna Give You Up."

The Texas GOP website has since been restored, with a statement acknowledging that it had been defaced. "We have been able to secure our website, but make no mistake, threats and attacks like this only strengthen our resolve," it says.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



