Epik, the controversial web registrar that has come under fire for accommodating extreme right-wing groups and individuals, has had an immense amount of its data dumped on the internet in recent days. The dump, which is believed to consist of some 180 gigabytes of user registration and domain information, payment history, account credentials and more, appears to have been stolen during a hacking incident involving members of the hacktivist collective Anonymous.
Now a new report from TechCrunch appears to show that the company was alerted to a potentially significant security flaw in its platform several weeks before the hack.
Security researcher Corben Leo said he contacted Epik CEO Rob Monster in January to ask whether Epik had a bug bounty program or other means of reporting the vulnerability. Monster apparently never responded. The hacking incident appears to have taken place about a month later, according to outlets that have reviewed the data. TechCrunch reports:
Leo told TechCrunch that a library used on Epik’s WHOIS page to generate PDF reports of public domain records had a ten-year-old vulnerability that allowed anyone to remotely execute code directly on the internal server without any authentication, such as a corporate password.
“You can just paste this [line of code] in there and run any command on their servers,” Leo told TechCrunch.
It is not confirmed whether this vulnerability was used to hack the company.
Epik was slow to respond to the allegations of a leak. When Gizmodo initially contacted the company on Tuesday, a spokesperson told us that the company was “not aware of any violations”. However, a day or two later, screenshots of an email from Monster to users began to circulate on social networks. The email read in part:
… as a precaution, I am writing to inform you of a suspected security incident involving Epik.
Our internal team, together with external experts, worked diligently to remedy the situation. We are taking proactive steps to resolve the issue. We will keep you posted on our progress. In the meantime, please let us know if you detect any unusual activity on your account.
When reached by email on Thursday, an Epik spokesperson told Gizmodo the email was legitimate, but said the company had no update other than what had already been shared.
However, as of Friday, Monster seems to have been more explicit about the facts. During a videoconference lasting several hours on its website PrayerMeeting.com, the CEO admitted that data was stolen. Daily update reports that Monster “publicly admitted that his business was violated” and said he believed it was a backup of company data that had been strengthened.
Prior to Monster’s admission, a number of outlets, including The Record and Daily update, analyzed the data and affirmed that the samples they had reviewed were legitimate.
The web registrar’s apparent data is now being scrutinized by many organizations. Distributed Denial of Secrets, a journalistic nonprofit dedicated to publishing leaked documents, organized the data dump on its website. Meanwhile, a Twitter user, “Epik fail data leaks”, claims to be posting screenshots of the data while researching information about apparent users.