Anonymous Leaks Epik Data - Again
Part 2 of 'Operation Epik Fail' Leaks 300GB of Data, Researcher Says
Hacktivist collective Anonymous has, for the second time this month, leaked data belonging to Washington-based domain name registrar and web hosting service Epik, according to independent Texas journalist Steven Monacelli.
Anonymous says the second set of leaked data, which they call The/b/Sides, is "larger than the first" and contains 300GB of information, according to Monacelli, who cites an unidentified security researcher who he says vetted the data set.
BREAKING: hacktivists with Anonymous release a second round of data from the Epik hack. A security researcher who was able to verify the extent of the leak to me described it as "a complete own." At over 300 gigabytes worth of data, this leak is larger than the first.
— steven monacelli (@stevanzetti) September 29, 2021
The hacktivists, in a press release posted on a website unsuitable for general public viewing, say: "You didn't think we completely dominated Epik and merely ran off with some databases and a system folder or two, did you? We are Anonymous. Flexing as hard as we can is how we do a barrel roll (Press Z or R twice!)."
The hacktivists have also attached "several bootable disk images of assorted systems" in the form of a 70GB torrent file with the press release, according to news agency Daily Dot, which first reported the story.
Security researchers WhiskeyNeon and INIT_3 say they used the contents of the file to analyze the leaked data claims.
The publication adds that the leak exposes at least 59 API keys and scores of login credentials, which grant access not only to Epik's own systems but also to the company's Twitter, Coinbase and PayPal accounts.
Epik did not respond to Information Security Media Group's request for additional details.
The Previous Leak
On Sept. 13, Monacelli first posted a release from Anonymous, detailing the attackers' motivations for hitting Epik, as part of its "#OperationJane" or "Operation Epik Fail" efforts (see: Web Hoster Epik's Breach Exposes 15 Million Email Addresses).
According to free breach notification service Have I Been Pwned, which received a set of the exposed data, the leak compromised over 180GB of data, including 15 million email addresses and corresponding personal details of not just Epik's own customers and systems, but also details of millions of other individuals and organizations who had their information scraped via "Whois" queries from domain name registrars.
Although Epik initially claimed to be "unaware of the breach," its CEO, Rob Monster, on Sept. 16 hosted a nearly four-hour live Q&A session to clear the air about the breach. In the session, he claimed that the data likely had been sourced from a backup that was “intercepted.”
While Monster did not offer details on the impact of the breach, Epik, in a data breach notification to the state of Maine, reported that 110,000 people had been affected. According to the filing, the financial account and credit card data of these individuals had also been exposed, in combination with the security code, access code, password or PIN, transaction history, and domain ownership associated with their accounts.
Warning Bells
Security researcher Corben Leo had, according to news platform TechCrunch, warned Epik about a security vulnerability in January. The undisclosed vulnerability allowed attackers to execute arbitrary code on Epik's servers, the report says, citing Leo.
After Leo told the publication that Monster had not acknowledged his warning, the Epik CEO clarified that he had mistaken Leo's email for spam and ignored it.
Epik's Remediation Approach
According to the data breach notification Epik sent to its customers in the state of Maine, the company was working with multiple cybersecurity partners to investigate the incident and secure its services. The notification adds that Epik offered affected users free credit monitoring for two years and continued to communicate with "relevant authorities and other stakeholders."
"At this time, we have secured access to our domain-side services and applied additional security measures to help protect services and users going forward," Epik's security team says in the notification.