Web host Epik was Warned of a Critical Security Flaw Weeks before it was Hacked

Hackers linked to the hacktivist organization Anonymous claim to have stolen gigabytes of data from Epik, a web host, and domain registrar that caters to far-right websites such as Gab, Parler, and 8chan after they were banned from mainstream platforms. The organization said the 180 terabytes amounted to a “decade’s worth” of company data, including “everything that’s needed to trace actual ownership and management” of the company, in a statement linked to a torrent file of the dumped data this week.

Customer payment history, domain purchases, and transfers, as well as passwords, credentials, and employee emails, were all claimed by the gang. Files from the company’s internal web servers, as well as databases containing client records for Epik-registered domains, are among the stolen data.

The hackers did not say how they got the hacked data or when it happened, although timestamps on the most recent files imply it happened around the end of February.

Epik first told reporters it was ignorant of a security compromise, but on Wednesday, founder and CEO Robert Monster sent out an email alerting subscribers to an “alleged security incident.”

Epik was alerted about a serious security issue weeks before the attack, according to TechCrunch.

In January, security researcher Corben Leo contacted Epik’s CEO Monster via LinkedIn to inform him of a security flaw on the web host’s website. Leo inquired if the firm offered a bug bounty or if there was a mechanism to report the issue. The monster had read the letter, according to LinkedIn, but had not responded.

According to Leo, a library used on Epik’s WHOIS page for creating PDF reports of public domain registrations had a decade-old vulnerability that allowed anyone to remotely run code on the internal server without any authentication, such as a company password.

Leo told TechCrunch, “You could just drop this [line of code] in there and execute any command on their systems.”

Leo used the public-facing WHOIS page to send a proof-of-concept command to the server, which proved that code could run on Epik’s internal server, but he didn’t test to see what access the server had because it would be illegal.

It’s unclear whether the Anonymous hacktivists exploited the same flaw that Leo uncovered. (There are also folders linked to Epik’s WHOIS system in the stolen cache, but the hackers left no contact information and could not be reached for comment.) However, Leo claims that if a hacker exploited the same weakness and gained access to other servers, databases, or systems on the network, the data stolen from Epik’s internal network in February might have been accessed.