Anonymous Leaks Epik Data – Again
Application security, breach notification, incident and breach response
Part 2 of “Operation Epik Fail” Leaks 300GB of Data, Researcher Says
Mihir Bagwe
September 30, 2021
The hacktivist collective Anonymous has, for the second time this month, disclosed data belonging to Washington-based domain name registration and web hosting service Epik, according to Texas freelance journalist Steven Monacelli.
Anonymous says the second leaked dataset, which they call The /b/ Sides, is “larger than the first” and contains 300GB of information, according to Monacelli, who cites an unidentified security researcher who says he checked the dataset.
BREAKDOWN: Hacktivists with Anonymous Release Second Set of Epik Hack Data. A security researcher who was able to verify the extent of the leak described it to me as “a complete clean”. With over 300 gigabytes of data, this leak is bigger than the first.
– steven monacelli (@stevanzetti) September 29, 2021
The hacktivists, in a press release posted on a website unsuitable for the general public, state: “You didn’t think we were completely in control of Epik and we just ran away with a few databases and a system file or two, did you? We are Anonymous. It is by flexing as hard as possible that we roll over (Press Z or R twice!).”
The hacktivists also attached “several boot disk images of assorted systems” as a 70 GB torrent file with the press release, according to the Daily Dot news agency, which first reported the story.
The report adds that the leak exposes at least 59 API keys and dozens of login credentials that include not only the keys to Epik’s own systems, but also those for the company’s Twitter, Coinbase and PayPal accounts.
Epik did not respond to Information Security Media Group’s request for additional details.
The previous leak
On September 13, Monacelli first released a statement from Anonymous detailing the attackers’ motives for hitting Epik as part of its “#OperationJane” or “Operation Epik Fail” efforts (see: Breach of web host Epik reveals 15 million email addresses).
According to the free breach notification service Have I Been Pwned, which received a set of the exposed data, the leak compromised more than 180 GB of data. It included 15 million email addresses and the corresponding personal information, covering not only Epik’s customers and systems but also millions of other people and organizations whose information was retrieved through “Whois” requests to domain name registrars.
Although Epik initially claimed to be “unaware of the breach,” its CEO Rob Monster hosted a nearly four-hour live question-and-answer session on September 16 to address the breach. During the session, he asserted that the data probably came from a backup which had been “intercepted”.
While Monster did not provide details on the impact of the breach, Epik, in a data breach notification to the state of Maine, reported that 110,000 people had been affected. The financial account and credit card data of these persons, in combination with the security code, access code, password or PIN code, transaction history and domain ownership associated with their account, were also exposed, it said.
According to news platform TechCrunch, security researcher Corben Leo warned Epik of a security vulnerability in January. The undisclosed vulnerability allowed attackers to execute arbitrary code on Epik’s servers, according to the report, citing Leo.
After Leo told the publication that Monster did not acknowledge his warning, Epik’s CEO clarified that he mistook Leo’s email for spam and ignored it.
Epik’s remediation approach
According to the data breach notification Epik sent to its customers in the state of Maine, the company was working with several cybersecurity partners to investigate the incident and secure its services. It also offered affected users free credit monitoring for two years and continued to communicate with “the relevant authorities and other stakeholders,” it adds.
“At this time, we have secured access to our domain-side services and applied additional security measures to help protect services and users in the future,” Epik’s security team said in the notification.