
Epik (2021) Breach
Sep 13, 2021
15,015,983 rows
What happened in the Epik (2021) Breach?
DataBreach.com Team · August 19th 2025, 8:00 pm EDT
In September 2021, domain registrar and hosting company Epik was hacked by actors aligned with Anonymous, who exfiltrated and published roughly 180GB of internal data described as a decade’s worth of records. The cache included domain purchases and transfers, account credentials, payment histories, and internal mailboxes; later dumps even contained bootable disk images of Epik servers. Notably, the breach swept in millions of people who weren’t Epik customers at all because the company had stored large troves of scraped WHOIS records, turning otherwise “public” contact details into a sensitive centralized dataset. ([TechCrunch][1], [The Register][2], [Ars Technica][3])
Epik’s early public stance shifted from saying it was unaware of a breach to acknowledging an “incident,” and then confirming exposure of customer data. Reporting and analyses at the time pointed to troubling security practices: weakly protected passwords and, more alarmingly, payment data risks. Materials reviewed by a major newspaper described full credit card numbers and unencrypted passwords in the leaked data, and industry coverage raised concerns that CVV codes-the three- or four-digit security numbers that should never be stored-were present, an egregious violation of PCI norms if accurate. ([SecurityWeek][4], [The Washington Post][5], [Domain Name Wire][6])
The fallout extended beyond routine credential-theft risk. Because Epik has long catered to deplatformed or fringe communities, researchers used the dataset to map relationships among websites, operators, and organizers that had previously been obscured, calling the leak a Rosetta Stone for understanding that ecosystem. Follow-on releases of server images amplified that visibility by exposing configuration details and internal content at scale. ([The Washington Post][5], [The Register][2])
If your details ever ran through Epik-or appeared in WHOIS that Epik cached-take standard precautions: change any reused passwords, enable two-factor authentication, and review saved payment methods and statements for unfamiliar charges. Consider privacy-protecting domain services and limiting the spread of physical addresses and phone numbers in registration records going forward. For organizations, the incident is a reminder that aggregating “public” data creates new risk. Inventory secondary data stores (like cached WHOIS), apply least-privilege access and encryption at rest, and enforce deletion schedules. Treat public feeds as sensitive once centralized: when a single provider hoards them, a breach can turn open records into a massive doxing and fraud vector. ([Ars Technica][3])
[1]: https://techcrunch.com/2021/09/17/epik-website-bug-hacked/?utm_source=chatgpt.com "Web host Epik was warned of a critical security flaw weeks ..."
[2]: https://www.theregister.com/2021/09/30/anonymous_second_epik_dump/?utm_source=chatgpt.com "'Anonymous' reportedly leaks more stolen Epik data"
[3]: https://arstechnica.com/information-technology/2021/09/epik-data-breach-impacts-15-million-users-including-non-customers/?utm_source=chatgpt.com "Epik data breach impacts 15 million users, including non- ..."
[4]: https://www.securityweek.com/controversial-web-host-epik-confirms-customer-data-exposed-breach/?utm_source=chatgpt.com "Controversial Web Host Epik Confirms Customer Data ..."
[5]: https://www.washingtonpost.com/technology/2021/09/25/epik-hack-fallout/?utm_source=chatgpt.com "Epik hack by Anonymous reveals hidden far-right data"
[6]: https://domainnamewire.com/2021/09/20/epik-breach-credit-card-woes-whois-data/?utm_source=chatgpt.com "Epik breach: credit card woes, Whois data"










