Web Host Epik Was Warned of a Critical Security Flaw Weeks Before it Was Hacked (techcrunch.com)
An anonymous reader shares a report: Hackers associated with the hacktivist collective Anonymous say they have leaked gigabytes of data from Epik, a web host and domain registrar that provides services to far-right sites like Gab, Parler and 8chan, which found refuge in Epik after they were booted from mainstream platforms. In a statement attached to a torrent file of the dumped data this week, the group said the 180 gigabytes amounts to a "decade's worth" of company data, including "all that's needed to trace actual ownership and management" of the company. The group claimed to have customer payment histories, domain purchases and transfers, and passwords, credentials and employee mailboxes. The cache of stolen data also contains files from the company's internal web servers, and databases that contain customer records for domains that are registered with Epik.
The hackers did not say how they obtained the breached data or when the hack took place, but timestamps on the most recent files suggest the hack likely happened in late February. Epik initially told reporters it was unaware of a breach, but an email sent out by founder and chief executive Robert Monster on Wednesday alerted users to an "alleged security incident." TechCrunch has since learned that Epik was warned of a critical security flaw weeks before its breach. Security researcher Corben Leo contacted Epik's chief executive Monster over LinkedIn in January about a security vulnerability on the web host's website. Leo asked if the company had a bug bounty or a way to report the vulnerability. LinkedIn showed Monster had read the message but did not respond.
Re: (Score:2)
"BOB, *do* something!"
Re: (Score:1)
Re: (Score:2)
I want him to wrestle Kim Dotcom.
Re: (Score:2)
It would make a great poster, but he'd get squashed... he's a tiny little neo-nasty Napoleon guy.
Re:"hacktivist collective" what a bunch of crap (Score:5, Interesting)
Re: (Score:2)
"This "hacktivist collective" shtick sounds like a democrat operation, hardly non-partisan, that's for sure."
You must be absolutely fucking new to the internet.
The sheer amount of lulz generated is why this was done. Anon doesn't give a fuck if it's Democrat, Liberal, or Republican (Republicans are targeted more because THEY FUCKING SET THEMSELVES UP FOR IT) they just want to shed light and get a laugh at the same time.
Too many warnings (Score:3)
Right now hosting companies and security researchers seem to be just issuing warnings to cover their ass and seek fame afterwards. Yes, software firms need to pay attention. No, not all can be equally treated, any more than we can equally treat every boy that threatens to blow up the school because some girl laughed at him.
Re: (Score:2)
That would seem to be a problem for a really badly built web hosting service that has a lot of easily discovered vulnerabilities.
Re: (Score:2)
A basic tenet of security is that constant warnings just make people ignore them. This is why we don't have as many car alarms as we used to. They are annoying and criminals know they are ignored.
Right now hosting companies and security researchers seem to be just issuing warnings to cover their ass and seek fame afterwards. Yes, software firms need to pay attention. No, not all can be equally treated, any more than we can equally treat every boy that threatens to blow up the school because some girl laughed at him.
There is a significant difference between ignoring "PUP" warnings spewing from your anti-malware program incessantly, and ignoring the hell out of a security flaw deemed critical.
Critical. Do we still remember what that word tends to imply? If anyone is ignoring anything here, it's some rather obvious and specific verbiage that is usually used to properly define SLAs. (Anything deemed "critical" should have received some level of attention and basic risk mitigation within 72 hours.)
Let's not make excus
Re: (Score:2)
This is why we don't have as many car alarms as we used to.
Sorry Jarjar, but we have more car alarms than ever, we just don't have many of those silly proximity alert ones, or vibration alarms. They finally figured out, either you detect that the door was unlocked from inside after being locked from outside, or else you have a false alarm. Vibration = passing truck.
What is a "chief executive monster"? (Score:2)
Security researcher Corben Leo contacted Epik's chief executive Monster over LinkedIn in January about a security vulnerability on the web host's website
What is a "chief executive monster"? Is it like something from Monsters Inc?
Re: (Score:2)
Re: What is a "chief executive monster"? (Score:2)
Re: (Score:2)
There is a town named Monster in Holland [wikipedia.org].
Most people with the "Monster" surname are from that area.
According to his wiki page [wikipedia.org], Robert Monster is ethnically Dutch.
Re: (Score:2)
The CEO of GoDaddy couldn't be contacted, his name was Gaping Black Hole.
I'm so sorry.
bug bounty messages are spammy (Score:3)
I receive about five of these emails a week. It usually goes with a histrionic title, and reads something like "I have found a critical vulnerability in your web site. Do you have a bug bounty program so I can report this vulnerability and receive money?"
In the case where there is a bug bounty program, they are directed to Hackerone/BugCrowd etc, and almost never make a report that gets past triage confirmation.
If they are told there is no money but please report the vulnerability to x, about 99.99% of the time there is no report ever sent. They only start looking for vulnerabilities if you confirm money is to be paid.
The researcher also erred in contacting the CEO directly on LinkedIn. Instead, he should have reached out to a CISO, VP Eng, or someone else in security; the CEO is not the right place to send unclear information about vulnerabilities and ask about money.
Re: bug bounty messages are spammy (Score:2)
Re: (Score:2)
Also a lot of people don't read LinkedIn messages. It's all spam anyway.
Re: (Score:2)
The researcher also erred in contacting the CEO directly on LinkedIn. Instead, he should have reached out to a CISO, VP Eng, or someone else in security; the CEO is not the right place to send unclear information about vulnerabilities and ask about money.
Why not? The job of a CEO is to have the pulse of the entire company. They're the leader. They should be aware of such things. If Bob had done his job he would have let those others know about the message (perhaps he did but we're not being told this) an
Re: (Score:2)
Better, if you go to their web site a support email is provided; which likely is connected to a ticketing system. This would mean yo
Re: (Score:2)
Didn't read what I said, did you? I said the CEO would delegate to those others to look into the message. I never said they should respond to the messenger. I'm certain CEOs get a ton of spammy, nonsensical emails each day. While they may read some, the rest are ignored. In those rare instances their curiosity is piqued, they most likely forward it to someone else for review.
Re: (Score:1)
Depends. If you are confident your network is well designed and secure, then go ahead and set a high bar for warnings.
If you are more concerned and freeze peach and politics, with little idea of what you are really doing and some bargain basement IT staff... Well you should probably be begging these guys for help.
Unless it was all an elaborate honeypot, I'm not ruling that out.
Ahhhh, Now THIS is the Anonymous I Remember! (Score:2)
The hack of the GOP website was especially lame and puerile, and not at all what I've come to expect from them.
But this?
Oh my yes. This is Anonymous.
Well done, Anon! Well done indeed!
Public Data Scrape? (Score:1)
I've seen a theory that Epik wasn't actually hacked and instead this was a public data scrape being sold to the public as a hack to try embarrassing Epik, similar to what was done with LinkedIn. The hackers haven't really demonstrated publicly that they have the real goods yet.