A Breach of Epic Proportions

"Who is Epik?" Many website owners have been wondering since they got a notification last week from the data breach tracking service HaveIBeenPwned (HIBP). What happened was that Epik's massive database containing very detailed information linked to millions of accounts had been leaked. Strikingly, not everyone affected had any relation with Epik.

First off, Epik is an organization that provides domain name registration and web hosting. This means that they are one of the places other companies go to in order to register a unique domain name on the Internet and that they may keep and manage these companies' websites on a server. On September 13, independent Journalist Steven Monacelli tweeted a press release by Anonymous that was posted on a website dedicated to what they called "Operation EPIK FAIL." Anonymous claimed that they were able to obtain a "decade's worth of data from the company."

On September 14, when interrogated by The Record, among others, Epik's spokesperson said that they were "not aware of any breach." The following day, however, the company finally tweeted, confirming that it had been hacked. That day, users got a vague email from the CEO acknowledging a "security incident."

Now, why did Anonymous target Epik? The evidence shows that the hacktivist group had been motivated due to the fact that Epik has been hosting websites where hate-fueled content thrives, some of which had been deplatformed by other mainstream hosts. As evidenced by investigative reporter Michael Edison Hayden, Epik's reputation has to do, in part, with its founder and CEO Robert Monster rubbing elbows with controversial figures. Some of Epik's controversial clients have included the Republican Party of Texas, Parler, Gab and 8chan.

According to the description of the hack, Anonymous leaked 180 gigabytes of data, including account credentials, domain purchases and payment history. In the notice sent to its users, Epik told them to look out for "unusual activity" involving their "credit card numbers, registered names, user names, emails, and passwords." The admin of a Twitter account dedicated to the hack asserted that the leaked database is global, containing information of users from various countries, not only from the U.S. This tweet also informed that the website owners' physical addresses and phone numbers were among the leaked data. How much more specific could it be?

A compressed version of the torrent used to download Epik's database was made readily available to everyone. The Daily Dot downloaded the data and contacted several individuals listed as running various controversial websites. They confirmed that the information listed in the breach was accurate. The Daily Dot also talked to an engineer who conducted an impact assessment for one of Epik's users. He said that "with all the data in the leak […​] any attacker could easily take over the websites of countless Epik customers."

The official information about the breach posted in HIBP indicates that more than 15M accounts were compromised. We mentioned that many people who are not Epik's clients were pwned too. Even HIBP founder, Troy Hunt, tweeted that he is among the people whose information was leaked. He researched the situation and concluded that Epik had been data-scraping, that is, extracting and harvesting information from people and organizations who own website domains, even those who are not its customers. Troy informed that Epik scraped this information from the global database of domain holders called WHOIS directory. This is a public directory, meaning the information held there is searchable and available for all to see, in case there's any need to contact a domain owner.

But if WHOIS records can be seen and scraped by anyone, then why are people who were not Epik's customers so preoccupied? Reportedly, these people are concerned that they could be falsely linked with Epik's controversial background. We would also argue that malicious hackers may use the leaked information to try to scam website owners through social engineering tactics.

Another issue is why they were scraping all these data in the first place. The possibility has been suggested that Epik saw the database as a source of potential customers and wanted to pitch them for business. Epik also appeared to be holding on to this database for a long time. Ars Technica took a look at the data and they "noticed WHOIS records for some domains were dated and contained incorrect information about domain owners—people who no longer own these assets." It's not the first time that breaches show that some organizations hold on to the personal information of unsuspecting individuals. There was the case of Apollo, a data aggregator and analytics service. As reported by WIRED, security researcher Vinny Troia discovered that Apollo contained more than 200M contact listings at the time of its data leak in summer 2018. Furthermore, Hunt said about this breach that more than 100M people had their data leaked and they didn't even know about Apollo's existence.

According to TechCrunch, security researcher Corben Leo had warned Epik about a security vulnerability as early as January. Monster acknowledged that he received the warning message, but he didn't tell whether or not he acted on it. Apparently, Anonymous could have actually hacked Epik months ago, in February, as suggested by the date of the most recent files in the leaked database.

These final pieces of information remind us of the importance of watching out for vulnerabilities to prevent data breaches. We at Fluid Attacks use comprehensive Continuous Hacking to detect your systems' vulnerabilities before someone else does. Contact us!