Yesterday afternoon, the Have I Been Pwned? platform added the Epik data breach to its database. In doing so, it announced that more than 15 million email addresses were contained in the data, along with other information like addresses and phone numbers:
New breach: Epik had 180GB of data breached last week including 15M unique email addresses (both customers and scraped WHOIS), names, phone nums, physical addresses, purchases and passwords in various formats. 52% were already in @haveibeenpwned. More: https://t.co/ZxJDbStPht
— Have I Been Pwned (@haveibeenpwned) September 19, 2021
There has been a lot to unpack with this data breach, and more details have been shared on various platforms including a long thread at NamePros and quite a few Twitter accounts. You can search Twitter for hashtags like #EpikFail, #EpikHack, or simply search for Epik to see updates from a wide variety of people who seem to have access to the data.
A short while ago, Epik sent out the email below with links to relevant organizations:
Update and Options for Affected Epik Users
We previously notified that on September 15, Epik confirmed a data intrusion involving its customers’ personal information. Though our forensic investigation is still ongoing, we can now confirm additional details of this intrusion.
While we continue to investigate, we believe that on or before September 13, 2021, unauthorized third parties accessed a backup copy of Epik’s domain-side service accounts through one or more non-public servers.
What personal information may have been obtained:
Name, address, email address, username, password, phone and VAT number (if given), transaction history, domain ownership, and for a small subset of users, credit card information.
What we are doing:
As previously stated, we have retained multiple cybersecurity partners to investigate the incident, secure our services, help affected users, and notify you, law enforcement, and other relevant authorities. We are continuing to communicate with relevant authorities and other stakeholders as well.
At this time, we have secured access to our domain-side services and have applied additional security measures to help protect services and users going forward.
In addition, we will offer free credit monitoring until September 15, 2023, for all affected Epik users; more details on this free service will be made available soon.
Additional options for users:
1. Change your Epik password and enable two-factor authentication by visiting: https://www.epik.com/support/knowledgebase/how-to-reset-password-epik-user-password-when-user-forgot-it
2. Call Epik Toll-Free at 800-510-3282 for further information and assistance.
3. The Federal Trade Commission (FTC) recommends that you place a free fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. This can be done by contacting any one of the three major credit bureaus:
Equifax: equifax.com/personal/credit-report-services or 1-800-685-1111
Experian: experian.com/help or 1-888-397-3742
TransUnion: transunion.com/credit-help or 1-888-909-8872
4. Request a free credit report from each credit bureau after placing a fraud alert on your file. Review these credit reports for any accounts and inquiries you do not recognize, as they may be signs of identity theft. If your personal information has been misused, visit the FTC’s site at IdentityTheft.gov to report the identity theft and obtain recovery steps. Even if you do not find any suspicious activity on your initial credit reports, the FTC recommends that you check your credit reports periodically so you can spot problems and address them quickly.
5. You may also want to consider placing a free credit freeze on your file. A credit freeze prevents potential creditors from obtaining your credit report, making it less likely for an identity thief to open new accounts in your name. To place a freeze, contact each of the major credit bureaus using the links or phone numbers above. A freeze will remain in place until you ask the credit bureau to temporarily lift or remove it.
6. Visit IdentityTheft.gov/databreach, for additional resources and help to protect yourself from identity theft or call 1-877-438-4338.
7. Learn more about your rights under the Fair Credit Reporting Act here.
8. Contact your local Attorney General or local law enforcement to report suspected identity theft by filing or obtaining a police report.
Thank you for your continued support. We will continue to keep you updated.
Epik Security Team