Epik, the controversial web-registrar that hosts far-right groups and individuals, has seen a huge amount of its data leaking onto the internet in recent times. According to reports, the deluge contains around 180 gigabytes worth of user registration, domain information, payment history, and account credentials. It appears that it was stolen in a hacking incident involving Anonymous members.
Advertisement
TechCrunch's new report seems to indicate that the company was warned of a potential security flaw in the platform many weeks before the hack.
Corben Leo, a security researcher, says that he reached Out to Epiks CEO Rob Monster in January to inquire if Epik had a bug bounty program, or another way to report the vulnerability. Monster did not respond. According to those who have seen the data, the hacking incident occurred about a month later. TechCrunch reports:
Leo informed TechCrunch about a vulnerability in Epiks WHOIS page that allows for the generation of PDF reports of public domain data. This vulnerability allowed anyone to remotely execute code on an internal server, without authentication such as a password. TechCrunch could simply paste this line of code in there to execute any command on their servers.
This vulnerability may have been used to hack the company, although it is not confirmed.
Epik has not responded quickly to claims of a leak. Gizmodo reached out to Epik on Tuesday and a spokesperson said that they were unaware of any breaches. However, screenshots of an email sent by Monster to users started to circulate on social media a day later. The email contained the following:
As a precaution, I am writing you to notify you about an alleged security incident involving Epik. The situation has been addressed by our internal team and external experts. We are taking proactive measures to address the problem. We will keep you informed about our progress. If you notice any unusual activity in your account, please let us know.
Gizmodo reached out to Epik via email on Thursday. A spokesperson for the company confirmed that the email was genuine, but stated that they had no other updates than the one already shared.
Monster appears to be more open about the facts as of Friday. Monster, his CEO, admitted to data theft during a lengthy video conference via PrayerMeeting.com. According to The Daily Dot, Monster admitted publicly that his company was breached. He said that it was a backup of company data that had been enhanced.
Advertisement
Before Monsters admission, several outlets including The Record and Daily Dot examined the data and declared that they had seen legitimate samples.
Numerous organizations are now sifting through the web registrars' apparent data. Distributed Denial of Secrets is a journalist non profit that publishes leaked materials. It has now curated the data dump. Epik Fail Data Leaks, a Twitter user claims that he is posting screenshots of data and looking up information about other users.