Epik has now confirmed that an “unauthorized intrusion” did in fact occur into its systems. The announcement follows last week’s incident in which hacktivist collective Anonymous leaked 180 GB of data stolen from online service provider Epik. To mock the company’s initial response to the data breach claims, Anonymous had altered Epik’s official knowledge base, as reported by Ars.
Epik is a domain registrar and web services provider known to serve right-wing clients, some of which have been turned down by more mainstream IT providers because of the objectionable and sometimes illicit content hosted by the clients. Epik’s clients have included the Texas GOP, Parler, Gab, and 8chan, among others.
Epik hack impacts hundreds of thousands of non-customers, too
As it turns out, the leaked data dump contains 15,003,961 email addresses belonging to both Epik’s customers and non-customers, and not everyone is pleased with the news. This occurred because Epik had scraped WHOIS records of domains, even those not owned by the company, and stored these records. In doing so, the contact information of those who have never transacted with Epik directly was also retained in Epik’s systems.
Data breach monitoring service HaveIBeenPwned has now begun sending out alerts to hundreds of thousands of email addresses exposed in the Epik hack. The service’s founder, Troy Hunt, is one of the many impacted by the data breach but who “had absolutely nothing to do with Epik.”
In a poll last week, Hunt had asked whether affected users who weren’t Epik customers preferred receiving breach alerts as well. The majority of users responded affirmatively to the question.
Processing the Epik breach and there is *tons* of e-mail addresses taken from different locations, for instance saved copies of WHOIS records. If your address is in there – even if you did not subscribe to the service – would you like @haveibeenpwned to inform you that they’ve your address?
— Troy Hunt (@troyhunt) September 17, 2021
“The breach exposed an enormous quantity of data not just of Epik customers, but also scraped WHOIS records belonging to individuals and organisations who weren’t Epik customers,” states HaveIBeenPwned. “The data included over 15 million unique e-mail addresses (including anonymised versions for domain privacy), names, phone numbers, physical addresses, purchases and passwords stored in various formats.”
Ars has seen part of the leaked whois.sql data set file, roughly 16 GB in size, with emails, IP addresses, domains, physical addresses, and phone numbers of the users. We noticed that WHOIS records for some domains were dated and contained incorrect information about domain owners: people who no longer own these assets.
Prior to registering domains, domain registrars require users to provide their “WHOIS” contact information, such as e-mail address, physical address, and phone number. This information becomes part of the public WHOIS directory and is searchable by anyone for contacting the domain owner. Being public data, WHOIS records may be viewed or scraped by anyone. Those who prefer not to disclose their personal information directly on a WHOIS directory often rely on a company or a private WHOIS provider to act on their behalf. However, what has gotten users concerned in this case is that the presence of their contact information in Epik’s data set may falsely portray them as having a connection to Epik when there was none.
“Wonder if there is any legal recourse one can take against [Epik] for harvesting data, and keeping it longer than expected in a cache for individuals who are NOT clients, and have had 0 business dealings with them? Is there a precedent for this?” asked TapEnvy.US, a Texas-based app development shop.
Epik confirms data breach, emails impacted people
Epik has confirmed the breach and is also emailing the impacted parties about an “unauthorized intrusion,” according to screenshots shared by data scientist Emily Gorcenski and cybersecurity professional Adam Sculthorpe:
“As we work to confirm all related details, we are taking an approach toward maximum caution and urging customers to remain alert for any unusual activity they may observe regarding their information used for our services – this may include payment information including credit card numbers, registered names, usernames, emails, and passwords,” reads Epik’s e-mail notice.
Although the company has not confirmed at this time whether credit card information was also compromised, as a precaution, users are encouraged to “contact any credit card companies that you used to transact with Epik and notify them of a potential data compromise to discuss your options with them directly.”
Previously, an Epik spokesperson had told Ars that the company was not aware of any breach and was investigating the claims.
Users can check whether their data has been exposed as part of this hack at HaveIBeenPwned.com. Those whose contact information was exposed should keep an eye out for any phishing emails and online banking scams.