A leaksear.ch-indexed Epik leak contains 1,445,872 records from the September 13, 2021 breach of the domain registrar and web hosting provider, including WHOIS, domain registration, account and payment-related data (leaksear.ch metadata). Have I Been Pwned lists the broader Epik incident at 15 million affected accounts, so the 1.4 million figure here refers to the leaksear.ch index rather than the full public breach count (haveibeenpwned.com).
What happened
On September 13, 2021, attackers identifying as Anonymous announced they had stolen a decade's worth of Epik data. The Record reported that it reviewed the leak, described SQL database dumps containing domain ownership details, domain transactions, account details and personal data, and verified a subset with Epik customers (therecord.media).
Epik initially told The Record it was not aware of a breach, but later customer notices and state filings acknowledged an intrusion. SecurityWeek reported that Epik said attackers accessed non-public servers holding a backup copy of domain-side service accounts on or before September 13, 2021; the company's notification filing in the Maine Attorney General's breach listing records the event as an external system breach affecting 110,000 people (www.securityweek.com, www.maine.gov).
TechCrunch reported that a researcher had warned Epik about a critical website flaw weeks before the hack, but also noted it was not known whether the Anonymous attackers used that flaw (techcrunch.com).
What data was exposed
leaksear.ch indexes the Epik leak by address, country, domain, email, hashedPassword, ipAddress, name, phone and username (leaksear.ch metadata). Related stored fields include administrative, billing, registrant and technical contact names, emails, organizations and phone numbers, alternate emails, fax, owner identifiers, privacy flags, and creation, update and expiration dates (leaksear.ch metadata).
Public breach summaries are consistent with those categories: Have I Been Pwned lists email addresses, names, phone numbers, physical addresses and purchases, and says the broader breach included passwords in various formats, while SecurityWeek reported names, addresses, phones, VAT numbers, email addresses, usernames, passwords, domain ownership, transaction histories and some credit card information (haveibeenpwned.com, www.securityweek.com).
Why this matters
Domain registration data can tie real people and organizations to domains, purchases and infrastructure, including people whose WHOIS records were scraped and who may not have been Epik customers, as HIBP noted (haveibeenpwned.com). Security teams should treat exposed emails, usernames, hashed passwords, domains, phones and IP addresses as pivots for targeted phishing, credential-stuffing checks, domain-transfer fraud monitoring and impersonation response. Individuals should reset reused passwords, enable 2FA on registrar and email accounts, and review payment cards if they transacted with Epik, particularly because official reporting identified some credit card information in the incident (www.securityweek.com, www.maine.gov). If you registered domains, used Epik, or may appear in historical WHOIS data, check whether your own email, domain, username, phone, name, address, country, IP address or hashed password is present in this leak.
Check your exposure
Vetted researchers and incident-response teams can request access, or sign in if they already have access, to check this dataset. Searchable pivots for this leak include address, country, domain, email, hashed password, IP address, name, phone, and username.
Sources
- Have I Been Pwned: Epik Data Breach
- The Record: Anonymous hacks and leaks data from domain registrar Epik
- SecurityWeek: Controversial Web Host Epik Confirms Customer Data Exposed in Breach
- Maine Attorney General: Data Breach Notifications
- TechCrunch: Web host Epik was warned of a critical security flaw weeks before it was hacked