Last Updated on 22/11/2021 by Sanskriti
Last week, Anonymous claimed to have acquired terabytes of data from Epik, a company that provides domain name, hosting, and DNS services to a wide range of clients. The stolen data was made available as a torrent. Yesterday, Epik confirmed that an “unauthorized intrusion” had occurred in its system. The data dump, which is over 180 GB in size, comprises a “decade’s worth of data from the firm,” according to the hacktivist organization.
Epik is a domain registrar and online services company renowned for serving right-wing customers, some of whom have been turned down by more mainstream IT companies owing to the clients’ offensive and occasionally criminal material. The Texas GOP, Parler, Gab, and 8chan are just a few of Epik’s clientele.
Millions of non-customers also affected by the hack
The stolen data dump reportedly comprises 15,003,961 email addresses belonging to both Epik customers and non-customers, and the revelation hasn’t gone down well. Non-customers were caught up in the breach because Epik had grabbed WHOIS information for domains it didn’t control and kept it. In doing so, Epik’s systems also stored the contact information of people who had never transacted with Epik directly.
HaveIBeenPwned, a data breach notification service, has started sending out notifications to the millions of email addresses compromised in the Epik attack. Troy Hunt, the service’s founder, is one of the many people whose data was compromised, but he “had nothing to do with Epik.”
Troy also shared screenshots of the cyber attack, even though he was not a part of it.
In a survey last week, Hunt asked whether impacted users who weren’t Epik customers would also prefer to get breach warnings. The vast majority of users answered in favor.
“The breach exposed a huge volume of data not just of Epik customers, but also scraped WHOIS records belonging to individuals and organizations who were not Epik customers,” states HaveIBeenPwned. “The data included over 15 million unique email addresses (including anonymized versions for domain privacy), names, phone numbers, physical addresses, purchases and passwords stored in various formats.”
What worries users in this situation is that the presence of their contact information in Epik’s data collection might make them appear to have a relationship with Epik when they don’t.
“Wonder if there is any legal recourse one can take against [Epik] for harvesting data, and keeping it longer than expected in a cache for individuals who are NOT clients, and have had 0 business dealings with them? Is there a precedent for this?” asked TapEnvy.US, a Texas-based app development shop.
Epik has confirmed the breach and is also notifying the impacted parties of an “unauthorised intrusion” through email notices.
“As we work to confirm all related details, we are taking an approach toward maximum caution and urging customers to remain alert for any unusual activity they may observe regarding their information used for our services – this may include payment information including credit card numbers, registered names, usernames, emails, and passwords,” Epik’s email notice reads.