‘Worst I’ve seen in 20 years’: How the Epik hack reveals every secret the far-right tried to hide

'They are fully compromised end-to-end.'

Mikael Thalen

Published Sep 16, 2021   Updated Sep 20, 2021, 12:40 pm CDT

A large-scale breach of the domain registrar and web hosting company Epik has exposed a massive trove of data, including the names of individuals behind some of the far-right’s most notorious websites.

The data, as first reported by independent journalist Steven Monacelli on Monday, was released as a torrent this week by the hacking collective Anonymous.

In a press release on the hack, dubbed Operation EPIK FAIL, Anonymous claimed that it was able to obtain “a decade’s worth” of information, including domain registrations and transfers, account credentials, and emails from an Epik employee.

“This dataset is all that’s needed to trace actual ownership and management of the fascist side of the internet that has eluded researchers, activists, and, well, just about everybody,” the release alleges.

A compressed version of the torrent was later released by the journalist collective DDoSecrets, which plans to upload and host the data for reporters and researchers.

Epik’s customers include social media sites such as Parler and Gab as well as far-right forums like TheDonald. A pro-life website that urged Texas residents to report women seeking abortions to the authorities in the wake of the state’s abortion ruling was also temporarily a customer of Epik.

In a statement to Gizmodo on Tuesday, an Epik spokesperson claimed that the company was “not aware of any breach.”

Epik CEO Robert Monster sent an email on Wednesday to customers acknowledging “an alleged security incident” but did not provide specifics.

“Our internal team, working with external experts, have been working diligently to address the situation,” Monster wrote. “We are taking proactive steps to resolve the issue. We will update you on our progress.”

“You are in our prayers today. We are grateful for your support and prayer. When situations arise where individuals might not have honorable intentions, I pray for them,” Monster added. “I believe that what the enemy intends for evil, God invariably transforms into good.”

The Daily Dot attempted to reach Monster, whose phone number and Skype username were listed in emails from the breach, for comment but did not receive a response.

Analysis of the data by the Daily Dot revealed the names, addresses, phone numbers, and email addresses of those who registered web domains for a range of sites related to everything from the QAnon conspiracy theory to forums for supporters of former President Donald Trump. The data was also verified on Wednesday evening by the Record.

The Daily Dot spoke with an individual listed as the registrant for TheDonald, an offshoot of a pro-Trump forum banned from Reddit last year that now operates from the domain Patriots.win. The individual confirmed that the information listed in the breach was his but claimed that he had distanced himself from the site.

The original TheDonald subreddit, which boasted nearly 800,000 members, was removed by Reddit for repeatedly violating the platform’s rules against harassment, hate speech, and content manipulation.

The forum’s replacement at Patriots.win has also found itself embroiled in controversy following the Jan. 6 riot at the Capitol after members were found to have discussed hanging and beheading politicians.

Another individual listed as running a knockoff version of 8chan also confirmed to the Daily Dot over the phone that the information listed in the breach was accurate.

A Linux engineer tasked with conducting an impact assessment on behalf of a client who uses Epik’s services told the Daily Dot that the breach was one of the worst he had ever seen. The engineer had not been given permission by his employer to speak about the breach and was granted anonymity by the Daily Dot.

“They are fully compromised end-to-end,” they said. “Maybe the worst I’ve ever seen in my 20-year career.”

The engineer pointed the Daily Dot to what they described as Epik’s “entire primary database,” which contains hosting account usernames and passwords, SSH keys, and even some credit card numbers—all stored in plaintext.

The data also includes Auth-Codes, passcodes that are needed to transfer a domain name between registrars. The engineer stated that with all the data in the leak, which also included admin passwords for WordPress logins, any attacker could easily take over the websites of countless Epik customers.

The Daily Dot was unable to confirm the claim made in the press release by Anonymous that every single one of Epik’s customers was exposed in the breach.

Analysis suggests that the hacked data extends up to Feb. 28, 2021. The data’s release comes just days after hackers aligned with Anonymous defaced the official website of the Republican Party of Texas over the state’s new restrictions on abortion.

*First Published: Sep 16, 2021, 8:07 am CDT