Web host Epik was warned of a critical security flaw weeks before it was hacked – TechCrunch

Hackers associated with the hacktivist collective Anonymous say they have leaked gigabytes of data from Epik, a web host and domain registrar that services far-right sites such as Gab, Talk and 8chan, which found refuge in Epik after they were removed from mainstream platforms.

In a statement attached to a torrent file of data downloaded this week, the group said the 180 gigabytes equates to a "decade" of company data, including "everything it takes to track actual ownership and management" of the company. The group claimed to have customer payment histories, domain purchases and transfers, passwords, credentials and employee mailboxes. The stolen data cache also contains files from the company's internal web servers and databases that contain customer records for domains that are registered with Epik.

The hackers did not say how they obtained the breached data or when the attack took place, but timestamps in the most recent files suggest that the attack likely occurred in late February.

Epik initially told reporters that it was unaware of a breach, but an email sent by founder and CEO Robert Monster on Wednesday alerted users to a "suspected security incident."

TechCrunch has since learned that Epik was warned of a critical security flaw weeks before its breach.

Security researcher Corben Leo contacted Epik CEO Monster via LinkedIn in January about a security vulnerability on the web host's website. Leo asked if the company had a bug bounty or a way to report the vulnerability. LinkedIn showed that Monster had read the message but did not respond.

Leo told TechCrunch that a library used on Epik's WHOIS page to generate PDF reports from public domain records had a decade-old vulnerability that allowed anyone to remotely execute code directly on the internal server without any authentication, such as a company password.

"You could paste this [line of code] there and run any command on their servers," Leo told TechCrunch.

Leo ran a proof-of-concept command from the public WHOIS page to ask the server to display his username, which confirmed that the code could run on Epik's internal server, but did not test to see what access the server had, as doing so would be illegal.

It is not known if the Anonymous hacktivists used the same vulnerability that Leo discovered. (Part of the stolen cache also includes folders related to Epik's WHOIS system, but the hacktivists did not leave contact information and could not be reached for comment.) But Leo argues that if a hacker exploited the same vulnerability and the server had access to other servers, databases, or systems on the network, that access could have allowed access to the type of data stolen from Epik's internal network in February.

"I really guess that's how they got owned," Leo told TechCrunch, who confirmed that the flaw has since been fixed.

Monster confirmed that he received the message from Leo on LinkedIn, but did not answer our questions about the breach or say when the vulnerability was fixed. "We have bounty hunters who offer their services. I probably thought it was one of those," Monster said. "I'm not sure if I did. Do you respond to all your LinkedIn spam?"

