#EpikFail: More PIIs affected by the Epik data breach

Epik, a website hosting firm which is known for providing services to far-right groups, including ProudBoys and QAnon theorists, has revealed further information on massive data breach on September 13th by the hacktivist group Anonymous that left millions of PIIs exposed could also include passwords and credit card data.  

On the 13th September, Anonymous revealed in a now archived post on a dedicated site and in 4chan posts their successful hack data of Epik, saying that “A decade’s worth of data from the company”. They stated “this dataset is all that’s needed to trace actual ownership and management of the fascist side of the internet”. It is believed the hack originally took place on February 28th. 

Epik initially denied claims of a data breach, stating “We are not aware of any breach. We take the security of our clients’ data extremely seriously, and we are investigating the allegation”, however later emailed customers on September 15th that there had been an “alleged security incident”, they, along with experts, were “working diligently to address the situation” and that customers were in their “prayers today”.  

Later, Epik said in a statement on Saturday to customers that they had "deployed multiple cyber security teams" to resolve the incident and the security and privacy of their customers was always “their highest priority”.  

What PIIs have been compromised? v

After further forensic investigation, Epik have provided “a more complete disclosure”  on the 20th about the data breach, revealing how the scope of the cyber attack was broader and PIIs which may have been compromised in total now included: 

• Names 
• Physical and email addresses 
• Usernames 
• Passwords 
• Phone numbers 
• VAT (if given) 
• Transaction history 
• Domain ownership 
• Credit card information for some 

In total, the data exposed is thought to be 180 gigabytes of information, upping it from an earlier estimate of 150 gigabytes, in what cyber researchers have called ‘the Panama Papers of hate groups’. 

A Linux engineer hired on behalf of an Epik client to do an impact assessment called it “Maybe the worst I’ve ever seen in my 20-year career” and that “[Epik] are fully compromised end-to-end”, with all of Epik’s primary database, full of sensitive PIIs, stored in an unsecure, plaintext format.  

Customers exposed 

Numerous people have been impacted by the data breach, including individuals associated with ProudBoys, a far-right neo-fascist group, to right-wing conspiracy theorist forums with Qanon, and for right-wing media networks such as Gab and Parler.  

The list also includes ‘Stop the Steal’ founder, Ali Alexander, who is linked to the capital riots that tried to overturn the US 2020 presidential election result. 

With #EpikFail currently trending on Twitter and cyber researchers combing through the dumped data, how far-right groups organise online and keep anonymous will likely change significantly as Epik’s reputation of keeping its customers, no matter how serious or dangerous their activities, anonymous online crumbles.  

Especially with accusations that Epik had actually been warned before the hack took place about a large security flaw on their host site’s WHOIS page in regards to a library used for generating PDF reports for public domain records. This vulnerability allowed a threat actor to remotely run arbitrary code on their internal server without authentication. 

More than just customers affected 

However, it’s important to note that not everyone exposed was an Epik customer. 

As Epik was collecting third-party data which is publicly available online, even non-Epik customers have had their data compromised due to scraped WHOIS records.  

Troy Hunt, an Australian cybersecurity consultant who runs HaveIBeenPawned, a service which notifies people if their email has been exposed, said that he was caught up in the data dump despite never having associated with Epik.  

Hunt stated it was “a very salacious, messy situation” and that “a whole bunch of people” still haven't been notified about their data being affected.  

While Epik has stated most of the data exposed was publicly available, non-customers, whose WHOIS data was collected from third parties and retained, may not want to be associated with Epik in any way due to its known clientele and fear wrongly taking impacts to their reputation due to this tenuous link.