Epik has now confirmed that an “unauthorized intrusion” did actually happen into its methods. The announcement follows final week’s incident of hacktivist collective Anonymous leaking 180 GB of knowledge stolen from on-line service supplier Epik. To mock the corporate’s preliminary response to the information breach claims, Anonymous had altered Epik’s official knowledge base, as reported by Ars.
Epik is a site registrar and internet providers supplier identified to serve right-wing shoppers, a few of which have been turned down by extra mainstream IT suppliers because of the objectionable and typically illicit content material hosted by the shoppers. Epik’s shoppers have included the Texas GOP, Parler, Gab, and 8chan, amongst others.
Epik hack impacts thousands and thousands of non-customers, too
Turns out, the leaked knowledge dump accommodates 15,003,961 electronic mail addresses belonging to each Epik’s prospects and non-customers, and never everyone seems to be happy with the information. This occurred as Epik had scraped WHOIS data of domains, even these not owned by the corporate, and saved these data. In doing so, the contact info of those that have by no means transacted with Epik straight was additionally retained in Epik’s methods.
Data breach monitoring service HaveIBeenPwned has now begun sending out alerts to their subscribers whose electronic mail addresses have been uncovered within the Epik hack. The service’s founder, Troy Hunt, is without doubt one of the many impacted by the information breach however who “had absolutely nothing to do with Epik.”
In a ballot final week, Hunt had requested if affected customers who weren’t Epik prospects most popular receiving breach alerts as effectively. The majority of customers responded affirmatively to the query.
Processing the Epik breach and there is *heaps* of electronic mail addresses taken from different locations, for instance saved copies of WHOIS data. If your deal with is in there – even when you did not subscribe to the service – would you like @haveibeenpwned to inform you that they’ve your deal with?
— Troy Hunt (@troyhunt) September 17, 2021
“The breach exposed a huge volume of data not just of Epik customers, but also scraped WHOIS records belonging to individuals and organisations who were not Epik customers,” states HaveIBeenPwned. “The data included over 15 million unique email addresses (including anonymised versions for domain privacy), names, phone numbers, physical addresses, purchases and passwords stored in various formats.”
Ars has seen part of the leaked whois.sql knowledge set file, roughly 16 GB in measurement, with emails, IP addresses, domains, bodily addresses, and cellphone numbers of the customers. We observed WHOIS data for some domains have been dated and contained incorrect details about area house owners—individuals who now not personal these belongings.
Prior to registering domains, area registrars require customers to supply their “WHOIS” contact info, reminiscent of electronic mail deal with, bodily deal with, and cellphone quantity. This info turns into part of the general public WHOIS listing and is searchable by anybody for contacting the area proprietor. Being public knowledge, WHOIS data could also be seen or scraped by anybody. Those preferring to not disclose their private info straight on a WHOIS listing typically depend on an organization or a private WHOIS provider to behave on their behalf. However, what has gotten the customers involved on this case is that the presence of their contact info in Epik’s knowledge set might falsely painting them as having a connection to Epik when there was none.
“Wonder if there is any legal recourse once can take against [Epik] for harvesting data, and keeping it longer than expected in a cache for individuals who are NOT clients, and have had 0 business dealings with them? Is there a precedent for this?” asked TapEnvy.US, a Texas-based app improvement store.
Epik confirms knowledge breach, emails impacted individuals
Epik has confirmed the breach and can also be emailing the impacted events about an “unauthorized intrusion,” in response to screenshots shared by knowledge scientist Emily Gorcenski and cybersecurity professional Adam Sculthorpe:
“As we work to confirm all related details, we are taking an approach toward maximum caution and urging customers to remain alert for any unusual activity they may observe regarding their information used for our services – this may include payment information including credit card numbers, registered names, usernames, emails, and passwords,” reads Epik’s electronic mail discover.
Although the corporate has not confirmed presently if bank card info was additionally compromised, as a warning, customers are inspired to “contact any credit card companies that you used to transact with Epik and notify them of a potential data compromise to discuss your options with them directly.”
Previously, an Epik spokesperson had informed Ars that the corporate was not conscious of any breach and was investigating the claims.
Users can examine if their knowledge has been uncovered as part of this hack at HaveIBeenPwned.com. Those whose contact info was uncovered ought to preserve an eye fixed out for any phishing emails and on-line banking scams.