Domain name registrar and web hosting provider Epik has been hacked and a very large amount of data is now “in the wild”.
At this juncture it’s unclear exactly how much data is involved, but indications would suggest that the breach was extensive and included not only customer details, but also credit card data.
While any hack is serious and a data breach is always a nightmare for everyone involved, they usually only impact clients of a company. Unfortunately, however, it looks like Epik also held a huge amount of personal data that was not related to their own clients or users.
Troy Hunt, who runs Have I Been Pwned?, tweeted a couple of days ago that he’d discovered a huge trove of emails belonging to non-clients in the Epik data. After some digging it became apparent to him that the data came from scraped whois records dating back to before May 2018.
Prior to May 2018, when the EU’s privacy legislation, GDPR, came into force, most domain name registration data was public. Since 2018, however, personal data such as email addresses, phone numbers and postal addresses has been redacted from public whois output.
Essentially this means that Epik had used software to collect and store, without a lawful basis, email addresses and other personal information for millions of domain name registrants around the world. What’s almost entertaining is that Epik’s own privacy policy claims that this sort of thing is all down to ICANN’s policies and outside their or any registrar’s control (emphasis added):
Registering a domain name causes your contact information to be instantly listed in the public whois database. Specifically, your first and last name, email address, phone number, and mailing address will appear on a variety of whois lookup portals. This ICANN requirement governs all domain registrars, not just Epik. Over the years, many third parties have scraped the public whois data, packaged, and resold it. Epik is not responsible for this unavoidable consequence of ICANN’s longstanding policy, nor are most other registrars.
Source: Epik Privacy Policy, September 20th 2021
So how many email addresses are we talking about?
According to Have I Been Pwned there are over 15 million unique email addresses in the data set:
Epik: In September 2021, the domain registrar and web host Epik suffered a significant data breach, allegedly in retaliation for hosting alt-right websites. The breach exposed a huge volume of data not just of Epik customers, but also scraped WHOIS records belonging to individuals and organisations who were not Epik customers. The data included over 15 million unique email addresses (including anonymised versions for domain privacy), names, phone numbers, physical addresses, purchases and passwords stored in various formats.
Compromised data: Email addresses, Names, Phone numbers, Physical addresses, Purchases
While the dataset also includes contact details linked to domain names that are (or were) registered with Epik, it’s also very clear that there is plenty of data relating to significantly more people who have never done business with the company and may not even have heard of them.
According to Domain Name Stat, Epik’s domains under management would be under 700 thousand. Since many registrants hold multiple domain names, the total number of actual registrant contacts would be quite a bit lower. Yet, oddly, there are over 15 million contacts exposed, so if you ever registered a domain name with any registrar prior to May 2018 you should check whether your email address has been exposed.
Personally, I’d never registered a domain name or bought any services from Epik, though two of my personal email addresses, as well as several work-related ones, which were used in relation to domain name registrations, were included in the data set. Several friends have been in touch over the past 24 hours to say that their contact details are in the breach.
This is not good.
So far Epik’s response has been far from optimal, with the company and its CEO first denying that there had been any breach and then questioning what was included, then more recently suggesting that the compromise could have included credit card data.
So what should you do if your data’s been exposed?
Personally, I’d recommend contacting your local data protection authority to get advice, as well as contacting Epik to see exactly which details they hold on you.
Epik claim to be “the Swiss Bank of Domains” and that they offer clients “state of the art” security. It’s evident that those claims were made on quite rocky ground.