What customers and other registrars should do to protect themselves until we know more.
Domain name registrar Epik was hacked this week, and the hackers published reams of data online.
A group saying it’s aligned with the hacker collective Anonymous posted a release about the hack earlier this week. It says the reason for the attack is that Epik caters to far-right and extremist websites. After Epik seemed to waffle on whether there had been a hack, the hackers announced it on Epik’s own website.
The hackers published the data dump online, and security researchers are starting to comb through the data to see what was leaked.
Various sources have confirmed that the data includes registrant details behind many of the domains registered at Epik using Whois privacy. Both The Daily Dot and The Record have spoken with people whose data was released and confirmed that they were the registrants of the corresponding domain names.
A security engineer told The Daily Dot that the data includes the auth codes required to transfer domains to another registrar. It’s unclear if this data is tied to individual domains. This same engineer told The Daily Dot that the data includes WordPress admin passwords that people could use to take over Epik customers’ websites; I’m surprised by this because I wasn’t aware that these passwords were stored in any way that could be tied to a host.
The net-net is that we don’t know the full extent of the damage yet, but it looks bad.
This raises the question of how both Epik customers and other domain registrars can protect themselves and domain registrants.
At this point, Epik customers should hope for the best but plan for the worst. They should work on the assumption that their passwords have been exposed. If you re-use passwords at other sites (which you shouldn’t), change them to something unique at each site. For safety’s sake, Epik customers should also assume that attackers have what they need (the auth codes) to initiate a registrar transfer. With this in mind, I recommend domain owners use a system that tracks domain changes. DomainIQ and DomainTools offer trackers for this.
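The kind of change tracking recommended above, as an added illustration that is not part of the original post and not code from DomainIQ or DomainTools: it compares a baseline snapshot of each domain’s registrar, nameservers, EPP status codes and registrant contact against the latest snapshot and raises an alert on the changes a hijacker would cause (registrar change, transfer lock removed, transfer pending, nameserver or contact change). The domain names, registrar names and e-mail addresses are constructed sample values.

```python
from dataclasses import dataclass

# Constructed example records; the values are invented, not from any real
# registry. In practice each snapshot would be filled from RDAP/WHOIS output.
@dataclass(frozen=True)
class DomainRecord:
    domain: str
    registrar: str
    nameservers: frozenset     # e.g. {"ns1.example.net", "ns2.example.net"}
    statuses: frozenset        # EPP status codes, e.g. clientTransferProhibited
    registrant_email: str

TRANSFER_LOCK = "clientTransferProhibited"

def diff_records(old: DomainRecord, new: DomainRecord) -> list[str]:
    """Return alerts for changes that suggest an unauthorised transfer or takeover."""
    alerts = []
    if old.registrar != new.registrar:
        alerts.append(f"{old.domain}: registrar changed {old.registrar} -> {new.registrar}")
    if TRANSFER_LOCK in old.statuses and TRANSFER_LOCK not in new.statuses:
        alerts.append(f"{old.domain}: transfer lock removed")
    if "pendingTransfer" in new.statuses and "pendingTransfer" not in old.statuses:
        alerts.append(f"{old.domain}: transfer pending (was not pending before)")
    if old.nameservers != new.nameservers:
        alerts.append(f"{old.domain}: nameservers changed to {sorted(new.nameservers)}")
    if old.registrant_email != new.registrant_email:
        alerts.append(f"{old.domain}: registrant contact changed")
    return alerts

def check_portfolio(baseline: dict[str, DomainRecord],
                    current: dict[str, DomainRecord]) -> dict[str, list[str]]:
    """Compare every tracked domain against its baseline; a domain that vanished
    from the latest snapshot is itself an alert, not a silent success."""
    findings: dict[str, list[str]] = {}
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            findings[name] = [f"{name}: record missing from latest snapshot"]
            continue
        alerts = diff_records(old, new)
        if alerts:
            findings[name] = alerts
    return findings

if __name__ == "__main__":
    ns = frozenset({"ns1.example.net", "ns2.example.net"})
    before = DomainRecord("example.org", "Epik", ns, frozenset({TRANSFER_LOCK}), "owner@example.org")
    after = DomainRecord("example.org", "Epik", ns, frozenset({"pendingTransfer"}), "owner@example.org")
    for line in check_portfolio({"example.org": before}, {"example.org": after}).get("example.org", []):
        print(line)
```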
I’ve heard from some people trying to delete their Epik accounts. I don’t think this will help at this point; the data is already leaked.
Registrars should keep their eyes open for unusual transfer-in requests from Epik. I imagine some Epik customers are transferring their domains right now, but registrars should monitor this to ensure they aren’t being stolen.