
Anatomy of a Breach: Epik — 180GB of Domain Registrar Data Including WHOIS Privacy Records

> series: anatomy_of_a_breach —— part: 153 —— target: epik —— data: 180GB —— exposed: whois_privacy_records —— attacker: anonymous

Hedgehog Security 30 September 2021 12 min read

180GB of data. Every customer. Every domain. Including the ones paying for privacy.

In September 2021, the hacktivist collective Anonymous breached Epik — a domain registrar and hosting provider — and published approximately 180GB of internal data. The dump contained the company's complete customer database, domain registration and transfer records, payment histories, login credentials (including API keys), internal emails, and system configurations spanning over a decade. Most significantly, the breach included WHOIS privacy protection data — the registration details of customers who had specifically paid Epik to keep their domain ownership private.

The breach was motivated by Epik's role as a hosting provider for websites that had been deplatformed by other providers — including sites associated with controversial and extremist content. Anonymous published the data with the stated aim of exposing the identities behind these websites. But the 180GB dump affected all of Epik's customers — not just those hosting controversial content — including individuals, small businesses, and organisations that had chosen Epik for legitimate purposes. The breach demonstrated that a domain registrar compromise exposes not just customer data but the ownership structure of every domain the registrar manages.



The privacy service became the privacy vulnerability.

WHOIS Privacy Defeated
Customers who paid for WHOIS privacy protection trusted Epik to keep their registration details confidential. The breach exposed all of that data, defeating the very service customers had paid for. A WHOIS privacy service only substitutes proxy details in the public record; the registrar still holds the real registrant data, so the privacy promise is exactly as strong as the registrar's own security. When selecting privacy and security services, evaluate the provider's security posture, not just the feature. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses provider security.
Decade of Data in One Dump
The 180GB dump contained over a decade of records, highlighting the risk of long-term data retention without adequate security. GDPR's data minimisation and storage limitation principles require retaining only what is needed for current purposes, and data that has been deleted cannot be leaked. <a href="/cyber-essentials">Cyber Essentials</a> covers the baseline technical controls that protect the data you do retain.
API Keys and Credentials Exposed
The breach included API keys and login credentials, enabling further attacks against Epik's systems and potentially against customers' domains through DNS hijacking or unauthorised domain transfers. Any key or credential that appears in a dump like this must be treated as compromised and rotated immediately; monitoring alone does not contain it. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for credential exposure and DNS change anomalies.
Registrar Compromise = Domain Compromise
A domain registrar controls DNS records, domain transfers, and WHOIS data for every domain it manages. Compromising the registrar provides leverage over all those domains. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> includes DNS security and registrar account protection assessment. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides incident response when domain infrastructure is compromised.

Your registrar holds your domain. Their security is your security.

The Epik breach reinforced that infrastructure service providers (domain registrars, DNS providers, hosting companies) hold data and access that can compromise every customer simultaneously. For UK organisations, registrar account security (strong unique passwords, MFA, registrar lock on every domain), DNS change monitoring, and vendor security evaluation are essential controls. Cyber Essentials covers the access control and secure configuration baseline. Our infrastructure testing assesses DNS and domain security. SOC in a Box monitors for DNS changes and domain compromise. And UK Cyber Defence provides incident response when domain infrastructure is targeted.
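Two of the controls above, registrar lock and DNS change monitoring, can be checked from outside the registrar. The script below is an added example written for this article, not Hedgehog Security's or Epik's code. It reads the status list of an RDAP domain object for the EPP codes that make up a registrar "domain lock" (RFC 5731 codes, which RDAP renders with spaces per RFC 8056) and diffs current DNS answers against a stored baseline the way a DNS monitor would. The RDAP fragment, the baseline and the "observed" answers are constructed sample data so it runs offline; `example.com`, `example-dns.net` and `mx.attacker.example` are placeholders, and in production the inputs would come from the registrar's RDAP endpoint and live resolver queries.

```python
"""Registrar-lock and DNS-change checks for a domain you own.

Added example, not Hedgehog Security's code. SAMPLE_RDAP, BASELINE_DNS and
OBSERVED_DNS are constructed data; swap in real RDAP and resolver output.
"""

# EPP status codes a registrar sets when the customer enables domain lock
# (RFC 5731). RDAP renders them with spaces ("client transfer prohibited",
# RFC 8056), so both spellings are normalised before comparison.
# The server* equivalents are a registry lock, which is stronger still.
LOCK_STATUSES = (
    "clientTransferProhibited",  # blocks transfer to another registrar
    "clientUpdateProhibited",    # blocks nameserver/contact changes
    "clientDeleteProhibited",    # blocks deletion
)

# How much an unexpected change to each record set matters in a hijack triage.
SEVERITY = {"NS": "HIGH", "MX": "HIGH", "A": "MEDIUM", "AAAA": "MEDIUM", "TXT": "LOW"}


def normalise(status):
    """Map either spelling of an EPP/RDAP status code to one comparable form."""
    return status.replace(" ", "").lower()


def missing_locks(rdap_doc):
    """Return the lock statuses (EPP spelling) absent from an RDAP domain object."""
    present = {normalise(s) for s in rdap_doc.get("status", [])}
    return {code for code in LOCK_STATUSES if normalise(code) not in present}


def diff_dns(baseline, observed):
    """Compare record sets shaped {rrtype: set(values)}.

    Returns (rrtype, added, removed) tuples, sorted by rrtype, for every
    record set whose contents differ from the baseline.
    """
    changes = []
    for rrtype in sorted(set(baseline) | set(observed)):
        before = set(baseline.get(rrtype, ()))
        after = set(observed.get(rrtype, ()))
        if before != after:
            changes.append((rrtype, sorted(after - before), sorted(before - after)))
    return changes


def assess(domain, rdap_doc, baseline, observed):
    """Combine both checks into (severity, message) findings for one domain."""
    findings = []
    missing = missing_locks(rdap_doc)
    if missing:
        findings.append(("HIGH", f"{domain}: registrar lock incomplete, missing {sorted(missing)}"))
    for rrtype, added, removed in diff_dns(baseline, observed):
        findings.append((SEVERITY.get(rrtype, "MEDIUM"),
                         f"{domain}: {rrtype} records changed, added={added} removed={removed}"))
    return findings


# --- constructed sample data (not real lookups) -----------------------------
SAMPLE_RDAP = {
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["client transfer prohibited", "client update prohibited"],  # delete lock missing
}
BASELINE_DNS = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "MX": {"10 mail.example.com."},
    "A": {"192.0.2.10"},
}
OBSERVED_DNS = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "MX": {"10 mail.example.com.", "5 mx.attacker.example."},  # hypothetical higher-priority MX
    "A": {"192.0.2.10"},
}

if __name__ == "__main__":
    for severity, message in assess("example.com", SAMPLE_RDAP, BASELINE_DNS, OBSERVED_DNS):
        print(f"[{severity}] {message}")
```

On the sample data the script reports two HIGH findings: the delete lock is missing, and a new MX record with a lower preference value than the legitimate one has appeared, which is how mail interception looks after a registrar or DNS account takeover. The EPP codes apply to gTLD domains; ccTLD registries such as Nominet for .uk control transfers differently, so adapt the status list to what your registry actually exposes.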


Epik's breach exposed every customer's domain and privacy data. Is your registrar account secured?

Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses domain and DNS security. <a href="/cyber-essentials">Cyber Essentials</a> requires MFA on cloud service accounts, which includes your registrar portal. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors DNS changes.
