PowerKee’s Bastion of Privacy #42 — Victims might still be unaware of incident
Controversial domain name registrar and web service provider Epik has officially confirmed a data breach that has exposed the data of over 15 million users’ personal information. While the breach occurred on September 13th, according to the perpetrators, Epik only acknowledged the incident on September 18th.
Alarmingly, the breach has also exposed the personal data of users who have never used Epik’s services. In the latest Bastion of Privacy, we examine this incident and the impact of Epik’s delayed response, along with the implications for internet users’ privacy and data security.
Epik Targeted by Anonymous
On September 15th, Ars Technica reported that the hacktivist collective Anonymous claimed to have obtained 180GB worth of data from the controversial web services provider Epik. Famous for its tolerance towards controversial domains including the likes of Parler, 8chan, Gab, and the Texas GOP, Epik was targeted as a part of Anonymous’ “Operation Jane” campaign. The breach was first reported by journalist Steven Monacelli in a tweet.
Source: Steven Monacelli
Epik’s initial response denied the incident. Speaking to Ars, a representative said, “We are not aware of any breach. We take the security of our clients’ data extremely seriously, and we are investigating the allegation”. Additionally, a right wing user whose website was hosted by Epik reportedly doxxed Monacelli and defamed him as a pedophile.
As retaliation, Anonymous tampered with Epik’s knowledge base to highlight the intrusion and mock the company’s response. In a now-archived copy of the document, Anonymous claimed to possess “all the user data. All of it. All usernames, passwords, e-mails, support queries, breaching all anonymization service[s]…”
As security experts and activists began combing the leaked data for information, an alarming fact came to light: The leaked data contained personal information of people who had never sought Epik’s services.
WHOIS record scraping questioned
While processing the fallout of the data leak, Troy Hunt, Founder of the data breach monitoring service HaveIBeenPwned discovered that his personally identifiable information (PII) was a part of the leak. However, Hunt had never used Epik’s services beforehand.
Source: Troy Hunt
Upon further investigation, it was discovered that Epik had scraped WHOIS records of domains, including ones that the company didn’t own, and stored them on its servers. Thus, contact information of netizens who had never used the platform was stored and became a part of the data dump containing the PII data of 15,003,961 people.
Epik acknowledged the breach on September 18th and notified its customers accordingly. However, the company’s response to this incident remains questionable. It continues to deny responsibility for the release of non-user data. Texas-based app development company TapEnvy echoed many non-users’ thoughts when it questioned the legality of Epik’s actions and the lack of regulatory precedent to deal with such incidents.
Source: Studio Owens
Data privacy as collateral damage
What began as an attack on a controversial platform has ended up highlighting every internet user’s susceptibility to data breaches. Despite the leaps data privacy laws have made recently, user privacy protection remains fragile. Netizens are extremely susceptible to attacks like the one detailed in this piece.
Blockchain-based solutions like PowerKee offer a robust and fully secure environment for its users. Thanks to anonymity built into such solutions, no amount of third party scraping or hacks can compromise sensitive PII data. Users can also ensure that their transactions in the PowerKee network are fully anonymized.
Epik has advised its users to “remain alert for any unusual activity that they may observe regarding their information”. The company hasn’t explained its delay in acknowledging the breach or the need to scrape non-user data.
PowerKee is a cryptocurrency network that makes privacy easy. Users can transact cheaply and instantly while maintaining anonymity. The PowerKee protocol uses a mixture of zero-knowledge proofs and coin mixing to provide strong privacy to its users.