Epik, the domain registrar known for hosting several large right-wing organizations, has confirmed a hack of its systems, a week after attackers branding themselves with the Anonymous hacktivist collective label said that the group had obtained and leaked gigabits of data from the hosting company, including 15 million email addresses.
“On September 15, we confirmed that certain customer-account information for our domain-related systems was accessed and downloaded by unauthorized third parties,” tweeted the company, which calls itself the “Swiss Bank of Domains” on its website. It reportedly counts 8chan, Gab, Parler, the Texas Right to Life’s abortion whistleblower website and the Texas GOP as clients, among others.
Security researchers have also tweeted copies of the firm’s data-breach notice that it sent to customers, which urges users to monitor for rogue activity involving “any of the information used for [Epik’s] services,” including credit-card numbers, registered names, email addresses, usernames and passwords.
Oh no, a breach notice, Epik has been hacked!#EpikFail pic.twitter.com/KmJsMvE6xj
— Adam Sculthorpe ➶ ➷ (@svpndotcom) September 19, 2021
According to the group of Anonymous-affiliated attackers, which issued a press release obtained by independent journalist Steven Monacelli, the hack was in retaliation for Epik’s habit of hosting questionable alt-right websites.
“This dataset is all that’s needed to trace actual ownership and management of the fascist side of the internet,” the group said. “Time to find out who in your family secretly ran an Ivermectin horse porn fetish site, disinfo publishing outfit or yet another QAnon hellhole.”
Meanwhile, there’s evidence that non-customers were also caught up in the breach. HaveIBeenPwned’s Troy Hunt said that his information was part of the data dump, despite never transacting with Epik in any way. He looked further into the situation and determined that Epik was engaged in data-scraping.
“The breach exposed a huge volume of data not just of Epik customers, but also scraped WHOIS records belonging to individuals and organizations who were not Epik customers,” according to Epik’s listing on HIBP. “The data included over 15 million unique email addresses (including anonymised versions for domain privacy), names, phone numbers, physical addresses, purchases and passwords stored in various formats.”
New breach: Epik had 180GB of data breached last week including 15M unique email addresses (both customers and scraped WHOIS), names, phone nums, physical addresses, purchases and passwords in various formats. 52% were already in @haveibeenpwned. More: https://t.co/ZxJDbStPht
— Have I Been Pwned (@haveibeenpwned) September 19, 2021
Epik did not immediately return a request for comment from Threatpost.
Others were able to verify the data as well. “Ars has seen a part of the leaked whois.sql data set file, roughly 16 GB in size, with emails, IP addresses, domains, physical addresses and phone numbers of the users,” reported Ars Technica. “We noticed WHOIS records for some domains were dated and contained incorrect information about domain owners – people who no longer own these assets.”
Interestingly, the Anonymous-branded group said that the information that it hacked was “barely salted by a damn thing” and may as well have been kept in plaintext. “Yep, these Russian developers they hired are actually just that bad.”
The crew claimed that it was able to obtain account credentials for Epik customers and internal systems, more than 500,000 private keys, Git repositories for Epik internal applications and “a dump of an employee’s mailbox, just because we could.”
These types of politically motivated attacks are not that uncommon, one researcher noted.
“This has happened to a lot of the right-wing outlets (Parler and Gab) because they have been brought up in record time to capitalize on current events like the election, vaccines, voting and deplatforming to be able to fundraise or get traction quickly,” said Saumitra Das, CTO and cofounder at Blue Hexagon, via email. “Unfortunately, this usually means that security takes a back seat from business pressure which can result in breaches. Usually, hacktivists are not known to be as sophisticated as nation-state groups or the big game ransomware operators, but nowadays a lot of tools and malware are for sale and can be used by anyone who is reasonably technically adept at penetrating networks.”
Rule #1 of Linux Security: No cybersecurity solution is viable if you don’t have the basics down. JOIN Threatpost and Linux security pros at Uptycs for a LIVE roundtable on the 4 Golden Rules of Linux Security. Your top takeaway will be a Linux roadmap to getting the basics right! REGISTER NOW and join the LIVE event on Sept. 29 at Noon EST. Joining Threatpost is Uptycs’ Ben Montour and Rishi Kant who will spell out Linux security best practices and take your most pressing questions in real time.