Last week, a group of hackers referred to as Anonymous claimed that they had successfully breached the cyber defenses of domain registrar Epik.
As news broke, many media outlets confirmed the breach and reviewed the 180 gigabytes of Epik data that Anonymous released.
A September 15th email from Epik’s founder and CEO, Rob Monster, informed the registrar’s users that there was “an alleged security incident involving Epik.”
Four days later, on September 19th, Monster again emailed customers with an “urgent security notice” confirming “an unauthorized intrusion into some of our domain-related systems.”
The email also mentions credit cards, lightly suggesting users may want to notify their credit card providers of this intrusion:
“As a precautionary measure, you may choose to contact any credit card companies that you used to transact with Epik and notify them of a potential data compromise to discuss your options with them directly.”
However, canceling credit cards should be more than a precautionary measure.
The data breach seems to include client credit card numbers, billing addresses, and CVV (card verification value) numbers. A source, who will remain unnamed, has shared their own data, which they discovered within the 180-gigabyte file released by Anonymous. Epik was informed of this prior to publication.
The credit card numbers are reportedly stored in plain text, along with CVV numbers. According to the PCI Security Standards website, CVV information should not be stored long-term:
“PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized.”
Reports that credit card data was included in the Epik hack are also doing the rounds on Twitter:
there are soooooo many credit cards in the Epik data leak. In one table I found 35k sets of unique credit card numbers, names, expirations, cvv, billing info. Here's a snippet of redacted numbers and names.
— 🐱 tedder 🐈 (@tedder42) September 18, 2021
All I can say is Epik Webhosting is about to be in some hot water with their PCI Compliance status. They're logging CVV numbers which is a big no-no. I need to go digging for their AOC so I know who to report this.
— NiCk (@technick) September 16, 2021
Global consumer credit expert Experian suggests canceling your credit or debit card if it has been involved in a data breach. Other measures from Experian include checking your bank accounts for suspicious activity and changing passwords.
You can also check whether your email address or phone number was compromised in the Epik hack by visiting HaveIBeenPwned.com. According to that website, over 15 million email addresses are affected by the Epik hack.