Epik, a domain registrar and web hosting company based in Sammamish, Washington State, suffered a major breach last week, according to the Washington Post (reprinted in the Seattle Times this morning). The Anonymous hacker group released “more than 150 gigabytes of previously private data” for public view. The data included user names, passwords, and other identifying information on Epik’s customers.
Extremism researchers and political opponents have treated the leak as a Rosetta Stone to the far right, helping them to decode who has been doing what with whom over several years. Initial revelations have spilled out steadily across Twitter since news of the hack broke last week, often under the hashtag #epikfail, but those studying the material say they will need months and perhaps years to dig through all of it.
One researcher described it as the biggest domain-style leak she’d ever seen and called it: “...an embarrassment of riches — stress on the embarrassment”.
Epik and its founder (Robert Monster) are getting a lot of ridicule from the researchers for the failure to take basic security precautions like encryption to prevent protected customer data from becoming public. The released files include years of website purchase records, internal emails, and customer account credentials revealing who runs some of the biggest far-right websites. They include client names, home addresses, email addresses, phone numbers, and passwords left in plain text.
Even Epik’s Anonymize identity protection service had personal records exposed. So much for THAT cunning plan…
David Vladeck, former director of the FTC’s consumer protection bureau, speculated that Epik might become an FTC target. The FTC wouldn’t care about content, but if the company made representations about its security and privacy protections that turned out to be false, it could be in trouble and subject to financial penalties and requirements to implement more rigorous privacy/security protections.