Epik Was Warned About a Large Security Flaw Before Its Data Leaked


Epik, the controversial web registrar that frequently comes under fire for hosting far-right groups and individuals, has had an immense amount of its data spilled onto the internet in recent days. The deluge, which reportedly consists of some 180 gigabytes of user registration and domain information, payment history, account credentials and more, appears to have been stolen during a hacking incident involving members of the hacktivist collective Anonymous.

Now, a new report from TechCrunch seems to show that the company was warned about a potentially large security flaw in its platform several weeks prior to the hack.

Security researcher Corben Leo says that he reached out to Epik’s CEO, Rob Monster, in January, to ask if Epik had a bug bounty program or another way to report the vulnerability. Monster apparently never replied. The hacking incident appears to have occurred roughly a month later, according to outlets who have viewed the data. TechCrunch reports:

Leo told TechCrunch that a library used on Epik’s WHOIS page for generating PDF reports of public domain records had a decade-old vulnerability that allowed anyone to remotely run code directly on the internal server without any authentication, such as a company password.

“You could just paste this [line of code] in there and execute any command on their servers,” Leo told TechCrunch.

It is unconfirmed if this vulnerability was used to hack the company.

Epik has been slow to respond to the claims about a leak. When Gizmodo initially reached out to the company on Tuesday, a spokesperson told us that the company was “not aware of any breach.” However, a day or so later, screenshots of an email from Monster to users began circulating on social media. The email partially read:

…as a precautionary measure, I am writing to inform you of an alleged security incident involving Epik.

Our internal team, working with external experts, have been working diligently to address the situation. We are taking proactive steps to resolve the issue. We will update you on our progress. In the meantime please let us know if you detect any unusual account activity.

When reached by email on Thursday, an Epik spokesperson told Gizmodo that the email was legitimate but said that the company had no further update than what had already been shared.

However, as of Friday, Monster seems to have been more explicit about the facts. During a multi-hour video conference on his website PrayerMeeting.com, the CEO admitted that data had been stolen. The Daily Dot reports that Monster “publicly admitted that his company had been breached” and said that he believed it was a backup of the company’s data that had been boosted.

Prior to Monster’s admission, a number of outlets — including The Record and the Daily Dot — analysed the data and asserted that the samples they had viewed were legitimate.

The web registrar’s apparent data is now being sifted through by numerous organisations. Distributed Denial of Secrets, a journalist non-profit dedicated to publishing leaked materials, has curated the data dump on its website. Meanwhile, a Twitter user, “Epik Fail Data Leaks,” claims to be posting screenshots of the data, while looking up information about apparent users.