2021 Epik data breach

Rob Monster, then-CEO of Epik, in 2017.

The Epik data breach occurred in September and October 2021, targeting the American domain registrar and web hosting company Epik. The breach exposed a wide range of information including personal information of customers, domain history and purchase records, credit card information, internal company emails, and records from the company's WHOIS privacy service. [1] [2] More than 15 million unique email addresses were exposed, belonging to customers and to non-customers whose information had been scraped. [3] The attackers responsible for the breach identified themselves as members of the hacktivist collective Anonymous. [1] The attackers released an initial 180 gigabyte dataset on September 13, 2021, though the data appeared to have been exfiltrated in late February of the same year. [4] A second release, this time containing bootable disk images, was made on September 29. [5] A third release on October 4 reportedly contained more bootable disk images and documents belonging to the Texas Republican Party, a customer of Epik's. [6]


Epik is known for providing services to websites that host far-right, neo-Nazi, and other extremist content. [7] [8] Past and present Epik customers include Gab, Parler, 8chan, the Oath Keepers, and the Proud Boys. [1] [9] The hack was described as "a Rosetta Stone to the far-right" because it has allowed researchers and journalists to discover links between far-right websites, groups, and individuals. [1] Distributed Denial of Secrets (DDoSecrets) co-founder Emma Best said researchers had been describing the breach as "the Panama Papers of hate groups". [1]

Epik was subsequently criticized for lax data security practices, in particular failing to properly encrypt sensitive customer data. [1]

Background

The Anonymous emblem

Anonymous is a decentralized international hacktivist collective that is widely known for its various cyber attacks against several governments and governmental institutions, corporations, and the Church of Scientology. [10] Primarily active in the late 2000s and early 2010s, Anonymous' media profile diminished by 2018. [11] [12] The group re-emerged in 2020 to support the George Floyd protests and other causes. [13] [14]

In September 2021, Anonymous asked people to support "Operation Jane", an effort by the group to oppose the Texas Heartbeat Act, a six-week abortion ban that went into effect on September 1. On September 4, Epik had begun providing services to a "whistleblower" website run by the anti-abortion Texas Right to Life organization, which allowed people to anonymously report suspected violators of the bill. The website, which moved to Epik after being denied services by GoDaddy, went offline after Epik told the group they had violated their terms of service by collecting private information about third parties. [15] On September 11, Anonymous hacked the website of the Republican Party of Texas, which is hosted by Epik, to replace it with text about Operation Jane. [16] [17]

Data breach

ASCII art header from the September 13, 2021 Anonymous press release announcing the data breach

Hackers identifying themselves as a part of Anonymous announced on September 13, 2021 that they had gained access to large quantities of Epik data, including domain purchase and transfer details, account credentials and logins, payment history, employee emails, and unidentified private keys. [2] The hackers claimed they had obtained "a decade's worth of data", including all customer data and records for all domains ever hosted or registered through the company, which included poorly encrypted passwords and other sensitive data stored in plaintext. [2] [19] The Distributed Denial of Secrets (DDoSecrets) organization announced later that day that they were working to curate the leaked data for public download, and said that it consisted of "180 gigabytes of user, registration, forwarding and other information". [20]

Journalists and security researchers subsequently confirmed the veracity of the hack and the types of information that had been exposed. [18] [19] [7] [21] The data included in the leak appeared to have been exfiltrated in late February 2021. [4] The leak was later confirmed to include approximately 15 million unique email addresses, which belonged both to customers and non-customers whose data had been scraped from WHOIS records. [3] It also included 843,000 transactions from a period of over ten years, and almost one million invoices. [22] An engineer performing an initial impact assessment for an Epik customer said that Epik's "entire primary database", which contained account usernames, passwords, SSH keys, and credit card numbers stored in plaintext, had also been compromised. [18] Internal memos describing subpoenas and preservation requests were also found in the leaked data. [22] Many of the data preservation requests appeared to be related to investigations following the January Capitol attack. [23]

A security researcher speaking to TechCrunch said he had identified a security vulnerability with Epik in January, which he had reported to Rob Monster, Epik CEO, but which had not been acknowledged. The vulnerability would have allowed attackers to execute arbitrary code on Epik servers, and the researcher said he suspected the same vulnerability had been exploited by the Anonymous attackers. Monster told TechCrunch he had seen the report, but mistook it for spam. [4]

On September 29, Anonymous released another 300 gigabytes of data including bootable disk images. [5] [6] According to a cybersecurity expert speaking to The Daily Dot, "Files are one thing, but a virtual machine disk image allows you to boot up the company's entire server on your own. We usually see breaches with database dumps, documents, configuration files, etc. In this case, we are talking about the entire server image, with all the programs and files required to host the application it is serving." The second leak included API keys and plaintext login credentials for Epik's systems, as well as for services including Coinbase, PayPal, and the company's Twitter account. [5]

A third release on October 4 reportedly contained more bootable disk images, as well as documents belonging to the Texas Republican Party. [6]

Company response

On September 13, the day the hacked data was released, Epik said in statements to news outlets that they were "not aware of any breach". [20] [24] When the company did not acknowledge the breach, the attackers vandalized Epik's support website. [7] On September 15, the company sent an email to customers notifying them of "an alleged security incident". [18]

Monster acknowledged the hack in a four-hour public video conference on PrayerMeeting.com on September 16, which The Daily Dot described as "chaotic and bizarre", which Le Monde characterized as "possibly one of the strangest responses to a computer security incident in history", and which CNN described as being "like a late-night campfire chat, albeit with an element of the surreal." [21] [25] [26] During the conference, Monster recited prayers to scare away demons, warned participants not to tamper with the hacked data because it was "cursed", and spoke in friendly terms with the neo-Nazi Andrew Auernheimer and with Aubrey Cottle, a founder of Anonymous. [26] Also during the conference, Cottle denied carrying out the Epik data breach, but added that "I would never, ever, ever, ever admit to a federal crime in a space like this." [26]

The company publicly confirmed the breach on September 17, and began emailing customers to inform them on September 19. [3] Data breach monitoring service Have I Been Pwned? also began sending emails to all addresses that had been exposed on September 19. [3]

Epik submitted a data-breach notice in the state of Maine, in which they reported that 110,000 people had been affected by the breach, and that financial account and credit card data had been exposed. In a statement to The Washington Post, an Epik spokesperson said that up to 38,000 credit card numbers had been leaked. [22]

Monster later said of the hack that "It didn't kill us" and "It's gonna make us stronger." [26]

Aftermath

The hack was described as "a Rosetta Stone to the far-right", allowing researchers and journalists to identify links between various far-right websites, groups, and individuals who were using Epik's services. [1] DDoSecrets co-founder Emma Best said researchers had been describing the breach as "the Panama Papers of hate groups", and said that researchers would be "in for the long haul" given the amount of data that had been exposed. [1] [27] The Columbia Journalism Review similarly compared the data breach to the Panama Papers leak, stating "Like the Panama Papers, getting information out of the huge database and making sense of it is time-consuming, which may explain why coverage of the Epik hack lagged..." [28] Data from the hack was used to show that Ali Alexander, a far-right activist and key figure in the "Stop the Steal" conspiracy theory campaign, had worked to hide his connections to more than 100 websites after the 2021 United States Capitol attack. [29]

Reactions

Extremism researcher and computer scientist Megan Squire said of the hack, "It's massive. It may be the biggest domain-style leak I've seen and, as an extremism researcher, it's certainly the most interesting." [1] Internet anthropologist Gabriella Coleman predicted the hack would force far-right groups to find security providers outside of the United States, and said that the hack had "confirmed a lot of the details of the far-right ecosystem". Cybersecurity analyst and online extremism researcher Emily Crose said that the breach would likely intensify existing paranoia among far-right groups, who already felt like they were being surveilled after the Capitol attack. [27]

An engineer performing an initial impact assessment for an Epik client told The Daily Dot that "[Epik] are fully compromised end-to-end ... Maybe the worst I've ever seen in my 20-year career". [18] Following the hack, The Washington Post reported that "Epik's security protocols have been the target of ridicule among researchers, who've marveled at the site's apparent failure to take basic security precautions". [1] Epik had been storing passwords using unsalted MD5, making them easy to crack. Other sensitive data, including credit card information, was being stored in plaintext. [1] [18]
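The unsalted-MD5 password storage described above, as an added illustration written for this page (not Epik's code and not taken from any cited source): a constructed user table shows why accounts sharing a password are exposed together and why a digest table precomputed once works against every unsalted dump, beside the salted, slow-KDF storage a registrar should have used and an upgrade-on-login migration off the legacy digests. All usernames, passwords and the PBKDF2 record format are assumptions for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed sample of a legacy user table in the form the article describes:
# passwords stored as bare, unsalted MD5 hex digests. Not Epik's data.
LEGACY_USERS = {
    "alice": hashlib.md5(b"password123").hexdigest(),
    "bob":   hashlib.md5(b"password123").hexdigest(),
    "carol": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def is_legacy_md5(stored: str) -> bool:
    """Audit check: a bare 32-hex-digit value is the fingerprint of an
    unsalted MD5 digest rather than a structured, salted hash record."""
    return MD5_HEX.match(stored) is not None


def find_shared_hashes(table: dict) -> dict:
    """Map each digest that occurs more than once to the users sharing it.
    With no per-user salt, equal passwords give equal digests, so a dump
    reveals which accounts share a password before any cracking at all."""
    groups: dict = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return {d: sorted(u) for d, u in groups.items() if len(u) > 1}


def precomputed_table(candidates: list) -> dict:
    """digest -> candidate. Because the hash is unsalted, this is computed
    once and reused against every account in every dump; a salt defeats it."""
    return {hashlib.md5(c.encode()).hexdigest(): c for c in candidates}


def exposure_from_table(table: dict, precomputed: dict) -> dict:
    """Which accounts an existing precomputed table already exposes."""
    return {u: precomputed[d] for u, d in table.items() if d in precomputed}


# Hardened storage: random 16-byte salt plus a slow KDF (PBKDF2-HMAC-SHA256
# from the standard library; 600,000 iterations is the current OWASP figure).
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare


def login_and_upgrade(table: dict, user: str, password: str) -> bool:
    """Verify a login and, if the stored value is still an unsalted MD5
    digest, replace it in place with the salted PBKDF2 record. This is how
    a live system migrates off legacy hashes without knowing the passwords
    up front: each account is rehashed the next time its owner logs in."""
    stored = table.get(user)
    if stored is None:
        return False
    if is_legacy_md5(stored):
        ok = hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)
        if ok:
            table[user] = hash_password(password)
        return ok
    return verify_password(password, stored)
```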

David Vladeck, a Georgetown law professor and the former head of the Federal Trade Commission's (FTC) consumer protection bureau, said, "Given Epik's boasts about security, and the scope of its web hosting, I would think it would be an FTC target, especially if the company was warned but failed to take protective action". [1]

The Seattle branch of the Federal Bureau of Investigation (FBI) told CNN that they could neither confirm nor deny the existence of an investigation into the Epik data breach. [26]

Other breaches

Two weeks after the initial release of data, hackers released data taken from the American far-right Oath Keepers militia. The hackers responsible for the Oath Keepers leak did not claim any connection to Anonymous or draw any connection to the Epik breach, though some journalists have speculated that the leak may have been related or made possible by information from the Epik data. [6] [30] The Oath Keepers data consists of about 3.8 gigabytes of email archives, chat logs, and a membership list. The data is also being disseminated by DDoSecrets, though the group restricted the list of members and files containing donor and finance information to journalists. [30] The Oath Keepers had been a customer of Epik's since January 2021, when their website was taken offline after their hosting provider terminated service in the wake of the Capitol attack. [31]


References

  1. Harwell, Drew; Timberg, Craig; Allam, Hannah (September 21, 2021). "Huge hack reveals embarrassing details of who's behind Proud Boys and other far-right websites". The Washington Post. ISSN 0190-8286. Archived from the original on September 23, 2021. Retrieved September 21, 2021.
  2. Goforth, Claire (September 14, 2021). "Anonymous to release massive data set of the far-right's preferred web hosting company". The Daily Dot. Archived from the original on September 14, 2021. Retrieved September 14, 2021.
  3. Sharma, Ax (September 20, 2021). "Epik data breach impacts 15 million users, including non-customers". Ars Technica. Archived from the original on September 20, 2021. Retrieved September 20, 2021.
  4. Whittaker, Zack (September 17, 2021). "Web host Epik was warned of a critical security flaw weeks before it was hacked". TechCrunch. Retrieved September 17, 2021.
  5. Thalen, Mikael (September 29, 2021). "New leak of Epik data exposes company's entire server". The Daily Dot. Archived from the original on September 29, 2021. Retrieved September 29, 2021.
  6. Thalen, Mikael (October 4, 2021). "Anonymous releases data on Texas GOP in latest Epik hack dump". The Daily Dot. Archived from the original on October 4, 2021. Retrieved October 4, 2021.
  7. Marks, Joseph (September 17, 2021). "The battle for election security funding is back". The Washington Post. ISSN 0190-8286. Retrieved September 17, 2021.
  8. Allyn, Bobby (February 8, 2021). "'Lex Luthor Of The Internet': Meet The Man Keeping Far-Right Websites Alive". NPR. Archived from the original on February 9, 2021. Retrieved February 9, 2021.
  9. Sharwood, Simon (September 30, 2021). "Anonymous: We've leaked disk images stolen from far-right-friendly web host Epik". The Register. Retrieved October 1, 2021.
  10. Beran, Dale (August 11, 2020). "The Return of Anonymous". The Atlantic. Archived from the original on April 25, 2021. Retrieved September 22, 2021.
  11. Gilbert, David (November 2, 2016). "Is Anonymous over?". Vice. Archived from the original on July 10, 2019. Retrieved September 22, 2021.
  12. Griffin, Andrew (August 7, 2018). "Anonymous promises to uncover the truth behind 'QAnon' conspiracy theory". The Independent. Archived from the original on February 9, 2020. Retrieved September 22, 2021.
  13. Griffin, Andrew (June 1, 2020). "'Anonymous' is back and is supporting the Black Lives Matter protests". The Independent. Archived from the original on June 15, 2020. Retrieved September 22, 2021.
  14. Molloy, David; Tidy, Joe (June 1, 2020). "The return of the Anonymous hacker collective". BBC News. Archived from the original on June 4, 2020. Retrieved September 22, 2021.
  15. Kornfield, Meryl (September 6, 2021). "A website for 'whistleblowers' to expose Texas abortion providers was taken down — again". The Washington Post. Archived from the original on September 7, 2021. Retrieved September 22, 2021.
  16. Novell, Carly (September 11, 2021). "Anonymous hacks Texas GOP website, floods it with memes". The Daily Dot. Archived from the original on September 14, 2021. Retrieved September 15, 2021.
  17. "Hackers steal 'decade's worth of data' from far-right webhost Epik". The Jerusalem Post. September 15, 2021. Archived from the original on September 15, 2021. Retrieved September 15, 2021.
  18. Thalen, Mikael (September 16, 2021). "'Worst I've seen in 20 years': How the Epik hack reveals every secret the far-right tried to hide". The Daily Dot. Archived from the original on September 16, 2021. Retrieved September 16, 2021.
  19. Cimpanu, Catalin (September 15, 2021). "Anonymous hacks and leaks data from domain registrar Epik". The Record by Recorded Future. Archived from the original on September 16, 2021. Retrieved September 16, 2021.
  20. Ropek, Lucas (September 14, 2021). "Anonymous Claims to Have Stolen Huge Trove of Data From Epik, the Right-Wing's Favorite Web Host". Gizmodo. Archived from the original on September 14, 2021. Retrieved September 14, 2021.
  21. Leloup, Damien (September 20, 2021). "Epik, l'hébergeur Web favori de l'extrême droite américaine, victime d'un piratage d'ampleur" [Epik, the favorite web host of the American far right, victim of a major hack]. Le Monde (in French). Archived from the original on September 25, 2021. Retrieved September 20, 2021.
  22. Harwell, Drew; Allam, Hannah; Merrill, Jeremy B.; Timberg, Craig (September 25, 2021). "Fallout begins for far-right trolls who trusted Epik to keep their identities secret". The Washington Post. ISSN 0190-8286. Archived from the original on September 25, 2021. Retrieved September 25, 2021.
  23. Thalen, Mikael (September 24, 2021). "Epik hack reveals prominent, Trump-supporting websites under subpoena investigation". The Daily Dot. Archived from the original on September 24, 2021. Retrieved September 24, 2021.
  24. Sharma, Ax (September 15, 2021). "Anonymous leaks gigabytes of data from alt-right web host Epik". Ars Technica. Archived from the original on September 15, 2021. Retrieved September 16, 2021.
  25. Thalen, Mikael (September 17, 2021). "Epik CEO's live video response to hacking incident descends into complete chaos". The Daily Dot. Archived from the original on September 17, 2021. Retrieved September 17, 2021.
  26. "Epik is a refuge for the deplatformed far right. Here's why its CEO insists on doing it". CNN. December 9, 2021. Retrieved July 15, 2023.
  27. Lyngaas, Sean (September 21, 2021). "'Anonymous' hackers claim to hit website hosting firm popular with Proud Boys". CNN. Archived from the original on September 22, 2021. Retrieved September 22, 2021.
  28. Ingram, Mathew (September 24, 2021). "Leaked files from alt-right host raise some hard questions". Columbia Journalism Review. Retrieved October 1, 2021.
  29. Thalen, Mikael (September 20, 2021). "After the Capitol riot, 'Stop the Steal' organizer Ali Alexander was scrambling to hide his digital footprint". The Daily Dot. Archived from the original on September 22, 2021. Retrieved September 20, 2021.
  30. McKay, Tom (September 27, 2021). "The Oath Keepers Reportedly Get Their Emails Dumped for the World to See". Gizmodo. Archived from the original on September 27, 2021. Retrieved October 4, 2021.
  31. Hernandez, Salvador (January 13, 2021). "A Major Militia Group Said Its Website Was Taken Down Days After It Sent Members To The Capitol Riots". BuzzFeed News. Archived from the original on January 13, 2021. Retrieved October 4, 2021.