Epik, a U.S. domain registrar and web host, was breached on September 13, 2021 in the incident known as Operation Epik Fail; leaksear.ch now indexes 20,940,708 records (about 20.9 million) from it (leaksear.ch metadata, www.wired.com). The indexed dataset spans WHOIS contacts, account credentials, billing and invoice records, payment-card data, login logs, marketing and renewal lists, and fraud records (leaksear.ch metadata).
What happened
Hacktivist collective Anonymous claimed it obtained and released more than 180 GB of Epik data as a torrent, describing the cache as a decade of company data tied to domain ownership and management records (www.wired.com). Epik's later 50-state notification said unauthorized third parties accessed a backup copy of its domain-side service accounts through one or more non-public servers on or before September 13, 2021 (oag.ca.gov).
The exact initial access path remains unconfirmed in public reporting. TechCrunch reported that a security researcher had warned Epik in January 2021 about a critical vulnerability in a library used on Epik's WHOIS page, but also reported that it was not known whether the Anonymous actors used that issue (techcrunch.com).
Public reporting also noted that the exposure was broader than Epik customer accounts alone. Avast reported that scraped WHOIS data was included in the breach, meaning some exposed people had no direct connection to Epik (blog.avast.com).
What data was exposed
The leaksear.ch index lists searchable pivots for address, country, domain, email, hashedPassword, ipAddress, name, password, phone, and username. The stored record context includes registrant, administrative, technical, and billing WHOIS contacts; organizations; postal addresses; country fields; account identifiers; billing and invoice records; transaction history; payment-card-related fields; renewal and marketing records; login logs; IP addresses; and fraud records (leaksear.ch metadata).
Epik's own notification said potentially obtained information included name, address, email address, username, password, phone number, VAT number if provided, transaction history, domain ownership, and credit card information for a small subset of users (oag.ca.gov). The Washington Post separately reported that the leaked files included years of website purchase records, internal company emails, customer account credentials, names, home addresses, email addresses, phone numbers, passwords, and records from an Epik privacy service (www.washingtonpost.com).
Why this matters
WHOIS and registrar data give attackers precise phishing and social-engineering hooks: domain renewal notices, account-recovery flows, transfer requests, and impersonation of registrars or hosting providers all become more convincing when the sender knows the real registrant, contact details, and domain portfolio. Exposed credentials and hashed passwords raise credential-stuffing risk for anyone who reused an Epik password on other services, and the payment-card and billing data can support fraud and identity-theft attempts. Because public reporting said scraped WHOIS records included non-customers, appearing in this leak should not be treated as proof that a person or organization was an Epik customer (blog.avast.com). If you registered or managed domains through Epik or Intrust Domains, or had WHOIS contact data online before September 2021, check whether your data appears in this leak.
Check your exposure
Vetted researchers and incident-response teams can request access to this dataset, or sign in if they already have access. Searchable pivots for this leak are address, country, domain, email, hashed password (hashedPassword), IP address (ipAddress), name, password, phone, and username.
Sources
- WIRED: Anonymous Leaked a Bunch of Data From a Right-Wing Web Host
- California Office of the Attorney General: Epik 50-State Notification
- TechCrunch: Web host Epik was warned of a critical security flaw weeks before it was hacked
- Avast: Epik data breach impacts 15 million users
- The Washington Post: Huge hack reveals embarrassing details of who’s behind Proud Boys and other far-right websites