15 million users' details exposed in Epik breach

Hacktivist group Anonymous claims to have stolen a 'decade's worth' of data

A data breach at domain name registrar Epik has exposed more than 15 million people's personal details online.

The firm initially denied reports of the breach, but it has now confirmed that an 'unauthorised intrusion' did in fact occur, according to Ars Technica.

The breach came to light last week after members of hacktivist group Anonymous claimed that they were able to compromise Epik systems and obtain gigabytes of data on Epik's business and customers. The hackers said that 180 GB of information they have leaked amounts to a 'decade's worth' of data, including 'all that's needed to trace actual ownership and management [of the firm]'.

The group claimed that they obtained customer payment histories, records of domain purchases and transfers, credentials and employee mailboxes.

Anonymous did not reveal when the hack took place, but timestamps on the most recent files suggested that it likely occurred in late February.

Epik is a Washington-based web host and domain registrar, known to serve a variety of far-right clients, including Parler, Texas GOP, Gab, and 8chan - all of which are said to have been turned down by mainstream IT providers due to objectionable content.

Epik initially said that it was not aware of a hacking incident after reports first surfaced.

'We are not aware of any breach. We take the security of our clients' data extremely seriously, and we are investigating the allegation,' the company said.

According to data breach monitoring service HaveIBeenPwned, the information Anonymous leaked includes not just the details of Epik's own customers, but also those of millions of other people and organisations, whose information Epik scraped via 'Whois' queries from other domain name registrars.

'The data included over 15 million unique email addresses (including anonymised versions for domain privacy), names, phone numbers, physical addresses, purchases and passwords stored in various formats,' states HaveIBeenPwned, which is maintained by Australian developer Troy Hunt.

Hunt is one of the individuals impacted by the Epik breach, although he had "absolutely nothing to do" with the company.

According to screenshots shared by cybersecurity expert Adam Sculthorpe and data scientist Emily Gorcenski, Epik has started sending emails to impacted customers about an 'unauthorised intrusion'.

'As we work to confirm all related details, we are taking an approach toward maximum caution and urging customers to remain alert for any unusual activity they may observe regarding their information used for our services,' reads Epik's email notice.

While the firm did not say in the message if customers' credit card details were compromised, it encouraged users to contact their credit card providers and 'notify them of a potential data compromise to discuss your options with them directly'.
