Domain provider and hosting company Epik has confirmed a data breach that has affected more than 15 million users, including people who were not Epik’s customers.
Epik has built a reputation for providing services to those that are censored elsewhere online and promotes itself as a more censorship-resistant provider.
“As we work to confirm all related details, we are taking an approach toward maximum caution and urging customers to remain alert for any unusual activity they may observe regarding their information used for our services – this may include payment information including credit card numbers, registered names, usernames, emails, and passwords,” reads Epik’s email notice, ArsTechnica reported.
Epik said that for a “small subset of users” credit card information was also taken and advised users to “contact any credit card companies that you used to transact with Epik and notify them of a potential data compromise to discuss your options with them directly.”
The leaked data contains the personal information of more than 15 million users, many of whom are not Epik customers. Apparently, Epik had scraped WHOIS records of domains (even the records the company does not provide services for) and stored the data.
“The breach exposed a huge volume of data not just of Epik customers, but also scraped WHOIS records belonging to individuals and organisations who were not Epik customers,” states HaveIBeenPwned. “The data included over 15 million unique email addresses (including anonymised versions for domain privacy), names, phone numbers, physical addresses, purchases and passwords stored in various formats.”
One of the people affected by the hack but “had absolutely nothing to do with Epik,” includes HaveIBeenPwned founder Troy Hunt. HaveIBeenPwned is a data breach monitoring service. It has begun notifying those who have been affected by the Epik breach.