2021 Epik data breach

The Epik data breach occurred in September and October 2021, targeting the American domain registrar and web hosting company Epik. The breach exposed a wide range of information including personal information of customers, domain history and purchase records, credit card information, internal company emails, and records from the company's WHOIS privacy service.^[1][2] More than 15 million unique email addresses were exposed, belonging to customers and to non-customers whose information had been scraped.^[3] The attackers responsible for the breach identified themselves as members of the hacktivist collective Anonymous.^[1] The attackers released an initial 180 gigabyte dataset on September 13, 2021, though the data appeared to have been exfiltrated in late February of the same year.^[4] A second release, this time containing bootable disk images, was made on September 29.^[5] A third release on October 4 reportedly contained more bootable disk images and documents belonging to the Texas Republican Party, a customer of Epik's.^[6]

Rob Monster, then-CEO of Epik, in 2017.

Epik is known for providing services to websites that host far-right, neo-Nazi, and other extremist content.^[7][8] Past and present Epik customers include Gab, Parler, 8chan, the Oath Keepers, and the Proud Boys.^[1][9] The hack was described as "a Rosetta Stone to the far-right" because it has allowed researchers and journalists to discover links between far-right websites, groups, and individuals.^[1] Distributed Denial of Secrets (DDoSecrets) co-founder Emma Best said researchers had been describing the breach as "the Panama Papers of hate groups".^[1]

Epik was subsequently criticized for lax data security practices, in particular failing to properly encrypt sensitive customer data.^[1]

Background

The Anonymous emblem

Anonymous is a decentralized international hacktivist collective that is widely known for its various cyber attacks against several governments and governmental institutions, corporations, and the Church of Scientology.^[10] Primarily active in the late 2000s and early 2010s, Anonymous' media profile diminished by 2018.^[11][12] The group re-emerged in 2020 to support the George Floyd protests and other causes.^[13][14]

In September 2021, Anonymous asked people to support "Operation Jane", an effort by the group to oppose the Texas Heartbeat Act, a six-week abortion ban that went into effect on September 1. On September 4, Epik had begun providing services to a "whistleblower" website run by the anti-abortion Texas Right to Life organization, which allowed people to anonymously report suspected violators of the bill. The website, which moved to Epik after being denied services by GoDaddy, went offline after Epik told the group they had violated their terms of service by collecting private information about third parties.^[15] On September 11, Anonymous hacked the website of the Republican Party of Texas, which is hosted by Epik, to replace it with text about Operation Jane.^[16][17]

Data breach

ASCII art header from the September 13, 2021 Anonymous press release announcing the data breach^[18]

Hackers identifying themselves as a part of Anonymous announced on September 13, 2021 that they had gained access to large quantities of Epik data, including domain purchase and transfer details, account credentials and logins, payment history, employee emails, and unidentified private keys.^[2] The hackers claimed they had obtained "a decade's worth of data", including all customer data and records for all domains ever hosted or registered through the company, and which included poorly encrypted passwords and other sensitive data stored in plaintext.^[2][19] The Distributed Denial of Secrets (DDoSecrets) organization announced later that day that they were working to curate the leaked data for public download, and said that it consisted of "180 gigabytes of user, registration, forwarding and other information".^[20]

Journalists and security researchers subsequently confirmed the veracity of the hack and the types of information that had been exposed.^{[18][19][7][21]} The data included in the leak appeared to have been exfiltrated in late February 2021.^[4] The leak was later confirmed to include approximately 15 million unique email addresses, which belonged both to customers and non-customers whose data had been scraped from WHOIS records.^[3] It also included 843,000 transactions from a period of over ten years, and almost one million invoices.^[22] An engineer performing an initial impact assessment for an Epik customer said that Epik's "entire primary database", which contained account usernames, passwords, SSH keys, and credit card numbers stored in plaintext, had also been compromised.^[18] Internal memos describing subpoenas and preservation requests were also found in the leaked data.^[22] Many of the data preservation requests appeared to be related to investigations following the January Capitol attack.^[23]

A security researcher speaking to TechCrunch said he had identified a security vulnerability with Epik in January, which he had reported to Rob Monster, Epik CEO, but which had not been acknowledged. The vulnerability would have allowed attackers to execute arbitrary code on Epik servers, and the researcher said he suspected the same vulnerability had been exploited by the Anonymous attackers. Monster told TechCrunch he had seen the report, but mistook it for spam.^[4]

On September 29, Anonymous released another 300 gigabytes of data including bootable disk images.^[5][6] According to a cybersecurity expert speaking to The Daily Dot, "Files are one thing, but a virtual machine disk image allows you to boot up the company's entire server on your own. We usually see breaches with database dumps, documents, configuration files, etc. In this case, we are talking about the entire server image, with all the programs and files required to host the application it is serving." The second leak included API keys and plaintext login credentials for Epik's systems, as well as for services including Coinbase, PayPal, and the company's Twitter account.^[5]

A third release on October 4 reportedly contained more bootable disk images, as well as documents belonging to the Texas Republican Party.^[6]

Company response

On September 13, the day the hacked data was released, Epik said in statements to news outlets that they were "not aware of any breach".^[20][24] When the company did not acknowledge the breach, the attackers vandalized Epik's support website.^[7] On September 15, the company sent an email to customers notifying them of "an alleged security incident".^[18]

Monster acknowledged the hack in a September 16 four hour public video conference on PrayerMeeting.com, which The Daily Dot described as "chaotic and bizarre", which Le Monde characterized as "possibly one of the strangest responses to a computer security incident in history", and which CNN described as being "like a late-night campfire chat, albeit with an element of the surreal."^[21][25][26] During the conference, Monster recited prayers to scare away demons, warned participants in the conference not to tamper with the hacked data due to it being "cursed", and spoke in friendly terms with neo-Nazi Andrew Auernheimer and a founder of Anonymous Aubrey Cottle.^[26] Also during the conference, Cottle denied carrying out the Epik data breach, but added that "I would never, ever, ever, ever admit to a federal crime in a space like this."^[26]

The company publicly confirmed the breach on September 17, and began emailing customers to inform them on September 19.^[3] Data breach monitoring service Have I Been Pwned? also began sending emails to all addresses that had been exposed on September 19.^[3]

Epik submitted a data-breach notice in the state of Maine, in which they reported that 110,000 people had been affected by the breach, and that financial account and credit card data had been exposed. In a statement to The Washington Post, an Epik spokesperson said that up to 38,000 credit card numbers had been leaked.^[22]

Monster later said of the hack that "It didn't kill us" and "It's gonna make us stronger."^[26]

Aftermath

The hack was described as "a Rosetta Stone to the far-right", allowing researchers and journalists to connect links between various far-right websites, groups, and individuals who were using Epik's services.^[1] DDoSecrets co-founder Emma Best said researchers had been describing the breach as "the Panama Papers of hate groups", and said that researchers would be "in for the long haul" with the amount of data that had been exposed.^[1][27] The Columbia Journalism Review similarly compared the data breach to the Panama Papers leak, stating "Like the Panama Papers, getting information out of the huge database and making sense of it is time-consuming, which may explain why coverage of the Epik hack lagged..."^[28] Data from the hack was used to show that Ali Alexander, a far-right activist and key figure in the "Stop the Steal" conspiracy theory campaign, had worked to hide his connections to more than 100 websites after the 2021 United States Capitol attack.^[29]

Reactions

Extremism researcher and computer scientist Megan Squire said of the hack, "It's massive. It may be the biggest domain-style leak I've seen and, as an extremism researcher, it's certainly the most interesting."^[1] Internet anthropologist Gabriella Coleman predicted the hack would force far-right groups to find security providers outside of the United States, and said that the hack had "confirmed a lot of the details of the far-right ecosystem". Cybersecurity analyst and online extremism researcher Emily Crose said that the breach would likely intensify existing paranoia among far-right groups, who already felt like they were being surveilled after the Capitol attack.^[27]

An engineer performing an initial impact assessment for an Epik client told The Daily Dot that "[Epik] are fully compromised end-to-end ... Maybe the worst I've ever seen in my 20-year career".^[18] Following the hack, The Washington Post reported that "Epik's security protocols have been the target of ridicule among researchers, who've marveled at the site's apparent failure to take basic security precautions".^[1] Epik had been storing passwords using unsalted MD5, making them easy to crack. Other sensitive data, including credit card information, was being stored in plaintext.^[1][18]

David Vladeck, a Georgetown law professor and the former head of the Federal Trade Commission's (FTC) consumer protection bureau, said, "Given Epik's boasts about security, and the scope of its web hosting, I would think it would be an FTC target, especially if the company was warned but failed to take protective action".^[1]

The Seattle branch of the Federal Bureau of Investigation (FBI) told CNN that they could neither confirm nor deny the existence of an investigation into the Epik data breach.^[26]

Other breaches

Two weeks after the initial release of data, hackers released data taken from the American far-right Oath Keepers militia. The hackers responsible for the Oath Keepers leak did not claim any connection to Anonymous or draw any connection to the Epik breach, though some journalists have speculated that the leak may have been related or made possible by information from the Epik data.^[6][30] The Oath Keepers data consists of about 3.8 gigabytes of email archives, chat logs, and a membership list. The data is also being disseminated by DDoSecrets, though the group restricted the list of members and files containing donor and finance information to journalists.^[30] The Oath Keepers had been a customer of Epik's since January 2021, when their website was taken offline after their hosting provider terminated service in the wake of the Capitol attack.^[31]

See also

• List of security hacking incidents
• Gab (social network) § Hacks and data leaks
• Parler § Security

References

1. Harwell, Drew; Timberg, Craig; Allam, Hannah (September 21, 2021). "Huge hack reveals embarrassing details of who's behind Proud Boys and other far-right websites". The Washington Post. ISSN 0190-8286. Archived from the original on September 23, 2021. Retrieved September 21, 2021.
2. Goforth, Claire (September 14, 2021). "Anonymous to release massive data set of the far-right's preferred web hosting company". The Daily Dot. Archived from the original on September 14, 2021. Retrieved September 14, 2021.
3. Sharma, Ax (September 20, 2021). "Epik data breach impacts 15 million users, including non-customers". Ars Technica. Archived from the original on September 20, 2021. Retrieved September 20, 2021.
4. Whittaker, Zack (September 17, 2021). "Web host Epik was warned of a critical security flaw weeks before it was hacked". TechCrunch. Retrieved September 17, 2021.
5. Thalen, Mikael (September 29, 2021). "New leak of Epik data exposes company's entire server". The Daily Dot. Archived from the original on 2021-09-29. Retrieved September 29, 2021.
6. Thalen, Mikael (October 4, 2021). "Anonymous releases data on Texas GOP in latest Epik hack dump". The Daily Dot. Archived from the original on 2021-10-04. Retrieved October 4, 2021.
7. Marks, Joseph (September 17, 2021). "The battle for election security funding is back". The Washington Post. ISSN 0190-8286. Retrieved September 17, 2021.
8. Allyn, Bobby (February 8, 2021). "'Lex Luthor Of The Internet': Meet The Man Keeping Far-Right Websites Alive". NPR. Archived from the original on February 9, 2021. Retrieved February 9, 2021.
9. Sharwood, Simon (September 30, 2021). "Anonymous: We've leaked disk images stolen from far-right-friendly web host Epik". The Register. Retrieved October 1, 2021.
10. Beran, Dale (August 11, 2020). "The Return of Anonymous". The Atlantic. Archived from the original on April 25, 2021. Retrieved September 22, 2021.
11. Gilbert, David (November 2, 2016). "Is Anonymous over?". Vice. Archived from the original on July 10, 2019. Retrieved September 22, 2021.
12. Griffin, Andrew (August 7, 2018). "Anonymous promises to uncover the truth behind 'QAnon' conspiracy theory". The Independent. Archived from the original on February 9, 2020. Retrieved September 22, 2021.
13. Griffin, Andrew (June 1, 2020). "'Anonymous' is back and is supporting the Black Lives Matter protests". The Independent. Archived from the original on June 15, 2020. Retrieved September 22, 2021.
14. Molloy, David; Tidy, Joe (June 1, 2020). "The return of the Anonymous hacker collective". BBC News. Archived from the original on June 4, 2020. Retrieved September 22, 2021.
15. Kornfield, Meryl (September 6, 2021). "A website for 'whistleblowers' to expose Texas abortion providers was taken down — again". The Washington Post. Archived from the original on September 7, 2021. Retrieved September 22, 2021.
16. Novell, Carly (September 11, 2021). "Anonymous hacks Texas GOP website, floods it with memes". The Daily Dot. Archived from the original on September 14, 2021. Retrieved September 15, 2021.
17. "Hackers steal 'decade's worth of data' from far-right webhost Epik". The Jerusalem Post. September 15, 2021. Archived from the original on September 15, 2021. Retrieved September 15, 2021.
18. Thalen, Mikael (September 16, 2021). "'Worst I've seen in 20 years': How the Epik hack reveals every secret the far-right tried to hide". The Daily Dot. Archived from the original on September 16, 2021. Retrieved September 16, 2021.
19. Cimpanu, Catalin (September 15, 2021). "Anonymous hacks and leaks data from domain registrar Epik". The Record by Recorded Future. Archived from the original on September 16, 2021. Retrieved September 16, 2021.
20. Ropek, Lucas (September 14, 2021). "Anonymous Claims to Have Stolen Huge Trove of Data From Epik, the Right-Wing's Favorite Web Host". Gizmodo. Archived from the original on September 14, 2021. Retrieved September 14, 2021.
21. Leloup, Damien (September 20, 2021). "Epik, l'hébergeur Web favori de l'extrême droite américaine, victime d'un piratage d'ampleur" [Epik, the favorite webhost of the American far right, victim of major hack]. Le Monde (in French). Archived from the original on 2021-09-25. Retrieved September 20, 2021.
22. Harwell, Drew; Allam, Hannah; Merrill, Jeremy B.; Timberg, Craig (September 25, 2021). "Fallout begins for far-right trolls who trusted Epik to keep their identities secret". The Washington Post. ISSN 0190-8286. Archived from the original on September 25, 2021. Retrieved September 25, 2021.
23. Thalen, Mikael (September 24, 2021). "Epik hack reveals prominent, Trump-supporting websites under subpoena investigation". The Daily Dot. Archived from the original on September 24, 2021. Retrieved September 24, 2021.
24. Sharma, Ax (September 15, 2021). "Anonymous leaks gigabytes of data from alt-right web host Epik". Ars Technica. Archived from the original on September 15, 2021. Retrieved September 16, 2021.
25. Thalen, Mikael (September 17, 2021). "Epik CEO's live video response to hacking incident descends into complete chaos". The Daily Dot. Archived from the original on September 17, 2021. Retrieved September 17, 2021.
26. "Epik is a refuge for the deplatformed far right. Here's why its CEO insists on doing it". CNN. 2021-12-09. Retrieved 2023-07-15.
27. Lyngaas, Sean (September 21, 2021). "'Anonymous' hackers claim to hit website hosting firm popular with Proud Boys". CNN. Archived from the original on September 22, 2021. Retrieved September 22, 2021.
28. Ingram, Mathew (September 24, 2021). "Leaked files from alt-right host raise some hard questions". Columbia Journalism Review. Retrieved October 1, 2021.
29. Thalen, Mikael (September 20, 2021). "After the Capitol riot, 'Stop the Steal' organizer Ali Alexander was scrambling to hide his digital footprint". The Daily Dot. Archived from the original on September 22, 2021. Retrieved September 20, 2021.
30. McKay, Tom (September 27, 2021). "The Oath Keepers Reportedly Get Their Emails Dumped for the World to See". Gizmodo. Archived from the original on 2021-09-27. Retrieved October 4, 2021.
31. Hernandez, Salvador (January 13, 2021). "A Major Militia Group Said Its Website Was Taken Down Days After It Sent Members To The Capitol Riots". BuzzFeed News. Archived from the original on 2021-01-13. Retrieved October 4, 2021.