The Epik data breach occurred in September and October 2021, targeting the American domain registrar and web hosting company Epik. The breach exposed a wide range of information including personal information of customers, domain history and purchase records, credit card information, internal company emails, and records from the company's WHOIS privacy service. More than 15million unique email addresses were exposed, belonging to customers and to non-customers whose information had been scraped. The attackers responsible for the breach identified themselves as members of the hacktivist collective Anonymous. The attackers released an initial 180gigabyte dataset on September 13, 2021, though the data appeared to have been exfiltrated in late February of the same year.[1] A second release, this time containing bootable disk images, was made on September 29. A third release on October 4 reportedly contained more bootable disk images and documents belonging to the Texas Republican Party, a customer of Epik's.[2]
Epik is known for providing services to websites that host far-right, neo-Nazi, and other extremist content.[3] Past and present Epik customers include Gab, Parler, 8chan, the Oath Keepers, and the Proud Boys.[4] The hack was described as "a Rosetta Stone to the far-right" because it has allowed researchers and journalists to discover links between far-right websites, groups, and individuals. Distributed Denial of Secrets (DDoSecrets) co-founder Emma Best said researchers had been describing the breach as "the Panama Papers of hate groups".
Epik was subsequently criticized for lax data security practices, in particular failing to properly encrypt sensitive customer data.
Anonymous is a decentralized international hacktivist collective that is widely known for its various cyber attacks against several governments and governmental institutions, corporations, and the Church of Scientology.[5] Primarily active in the late 2000s and early 2010s, Anonymous' media profile diminished by 2018.[6] [7] The group re-emerged in 2020 to support the George Floyd protests and other causes.[8] [9]
In September 2021, Anonymous asked people to support "Operation Jane", an effort by the group to oppose the Texas Heartbeat Act, a six-week abortion ban that went into effect on September 1. On September 4, Epik had begun providing services to a "whistleblower" website run by the anti-abortion Texas Right to Life organization, which allowed people to anonymously report suspected violators of the bill. The website, which moved to Epik after being denied services by GoDaddy, went offline after Epik told the group they had violated their terms of service by collecting private information about third parties.[10] On September 11, Anonymous hacked the website of the Republican Party of Texas, which is hosted by Epik, to replace it with text about Operation Jane.[11] [12]
Hackers identifying themselves as a part of Anonymous announced on September 13, 2021 that they had gained access to large quantities of Epik data, including domain purchase and transfer details, account credentials and logins, payment history, employee emails, and unidentified private keys.[13] The hackers claimed they had obtained "a decade's worth of data", including all customer data and records for all domains ever hosted or registered through the company, and which included poorly encrypted passwords and other sensitive data stored in plaintext.[14] The Distributed Denial of Secrets (DDoSecrets) organization announced later that day that they were working to curate the leaked data for public download, and said that it consisted of "180gigabytes of user, registration, forwarding and other information".[15]
Journalists and security researchers subsequently confirmed the veracity of the hack and the types of information that had been exposed.[16] [17] [18] The data included in the leak appeared to have been exfiltrated in late February 2021. The leak was later confirmed to include approximately 15million unique email addresses, which belonged both to customers and non-customers whose data had been scraped from WHOIS records.[19] It also included 843,000 transactions from a period of over ten years, and almost one million invoices.[20] An engineer performing an initial impact assessment for an Epik customer said that Epik's "entire primary database", which contained account usernames, passwords, SSH keys, and credit card numbers stored in plaintext, had also been compromised. Internal memos describing subpoenas and preservation requests were also found in the leaked data. Many of the data preservation requests appeared to be related to investigations following the January Capitol attack.[21]
A security researcher speaking to TechCrunch said he had identified a security vulnerability with Epik in January, which he had reported to Rob Monster, Epik CEO, but which had not been acknowledged. The vulnerability would have allowed attackers to execute arbitrary code on Epik servers, and the researcher said he suspected the same vulnerability had been exploited by the Anonymous attackers. Monster told TechCrunch he had seen the report, but mistook it for spam.
On September 29, Anonymous released another 300gigabytes of data including bootable disk images. According to a cybersecurity expert speaking to The Daily Dot, "Files are one thing, but a virtual machine disk image allows you to boot up the company's entire server on your own. We usually see breaches with database dumps, documents, configuration files, etc. In this case, we are talking about the entire server image, with all the programs and files required to host the application it is serving." The second leak included API keys and plaintext login credentials for Epik's systems, as well as for services including Coinbase, PayPal, and the company's Twitter account.[22]
A third release on October 4 reportedly contained more bootable disk images, as well as documents belonging to the Texas Republican Party.
On September 13, the day the hacked data was released, Epik said in statements to news outlets that they were "not aware of any breach".[23] When the company did not acknowledge the breach, the attackers vandalized Epik's support website.[17] On September 15, the company sent an email to customers notifying them of "an alleged security incident".
Monster acknowledged the hack in a September 16 four hour public video conference on PrayerMeeting.com, which The Daily Dot described as "chaotic and bizarre", which Le Monde characterized as "possibly one of the strangest responses to a computer security incident in history", and which CNN described as being "like a late-night campfire chat, albeit with an element of the surreal."[24] During the conference, Monster recited prayers to scare away demons, warned participants in the conference not to tamper with the hacked data due to it being "cursed", and spoke in friendly terms with neo-Nazi Andrew Auernheimer and a founder of Anonymous Aubrey Cottle. Also during the conference, Cottle denied carrying out the Epik data breach, but added that "I would never, ever, ever, ever admit to a federal crime in a space like this."
The company publicly confirmed the breach on September 17, and began emailing customers to inform them on September 19. Data breach monitoring service Have I Been Pwned? also began sending emails to all addresses that had been exposed on September 19.
Epik submitted a data-breach notice in the state of Maine, in which they reported that 110,000 people had been affected by the breach, and that financial account and credit card data had been exposed. In a statement to The Washington Post, an Epik spokesperson said that up to 38,000 credit card numbers had been leaked.[20]
Monster later said of the hack that "It didn't kill us" and "It's gonna make us stronger."[25]
The hack was described as "a Rosetta Stone to the far-right", allowing researchers and journalists to connect links between various far-right websites, groups, and individuals who were using Epik's services. DDoSecrets co-founder Emma Best said researchers had been describing the breach as "the Panama Papers of hate groups", and said that researchers would be "in for the long haul" with the amount of data that had been exposed. The Columbia Journalism Review similarly compared the data breach to the Panama Papers leak, stating "Like the Panama Papers, getting information out of the huge database and making sense of it is time-consuming, which may explain why coverage of the Epik hack lagged..."[26] Data from the hack was used to show that Ali Alexander, a far-right activist and key figure in the "Stop the Steal" conspiracy theory campaign, had worked to hide his connections to more than 100 websites after the 2021 United States Capitol attack.[27]
Extremism researcher and computer scientist Megan Squire said of the hack, "It's massive. It may be the biggest domain-style leak I've seen and, as an extremism researcher, it's certainly the most interesting."[28] Internet anthropologist Gabriella Coleman predicted the hack would force far-right groups to find security providers outside of the United States, and said that the hack had "confirmed a lot of the details of the far-right ecosystem". Cybersecurity analyst and online extremism researcher Emily Crose said that the breach would likely intensify existing paranoia among far-right groups, who already felt like they were being surveilled after the Capitol attack.[29]
An engineer performing an initial impact assessment for an Epik client told The Daily Dot that "[Epik] are fully compromised end-to-end... Maybe the worst I've ever seen in my 20-year career". Following the hack, The Washington Post reported that "Epik's security protocols have been the target of ridicule among researchers, who've marveled at the site's apparent failure to take basic security precautions". Epik had been storing passwords using unsalted MD5, making them easy to crack. Other sensitive data, including credit card information, was being stored in plaintext.
David Vladeck, a Georgetown law professor and the former head of the Federal Trade Commission's (FTC) consumer protection bureau, said, "Given Epik's boasts about security, and the scope of its web hosting, I would think it would be an FTC target, especially if the company was warned but failed to take protective action".
The Seattle branch of the Federal Bureau of Investigation (FBI) told CNN that they could neither confirm nor deny the existence of an investigation into the Epik data breach.
Two weeks after the initial release of data, hackers released data taken from the American far-right Oath Keepers militia. The hackers responsible for the Oath Keepers leak did not claim any connection to Anonymous or draw any connection to the Epik breach, though some journalists have speculated that the leak may have been related or made possible by information from the Epik data.[30] The Oath Keepers data consists of about 3.8gigabytes of email archives, chat logs, and a membership list. The data is also being disseminated by DDoSecrets, though the group restricted the list of members and files containing donor and finance information to journalists. The Oath Keepers had been a customer of Epik's since January 2021, when their website was taken offline after their hosting provider terminated service in the wake of the Capitol attack.[31]