“The breach of [domain registrar] Epik’s internal records has cast a spotlight on a long-hidden corner of the Internet’s underworld, and researchers expect it could take months before they can process the full cache — the equivalent of tens of millions of pages. Many are digging for information on who owns and administers extremist domains about which little was previously known,” reports the Washington Post.
“Epik, based outside Seattle, said in a data-breach notice filed with Maine’s attorney general this week that 110,000 people had been affected nationwide by having their financial account and credit card numbers, passwords and security codes exposed. An earlier data-breach letter from the company, filed to comply with Montana law, was signed by the “Epic Security Team,” misspelling the company’s name. An Epik spokesperson said it was a simple typo.”
“Heidi Beirich, a veteran researcher of hate and extremism, said she is used to spending weeks or months doing ‘the detective work’ trying to decipher who is behind a single extremist domain. The Epik data set, she said, ‘is like somebody has just handed you all the detective work — the names, the people behind the accounts…This is like the mother of all data lodes because Epik was at the center of so many of the extremist websites and organizations that people like me study. Epik was the place of last refuge for a lot of these sites,’ said Beirich, co-founder of the nonprofit Global Project Against Hate and Extremism.”
“An Epik spokesperson said in emailed statements to The Post this week that the company has handled hundreds of thousands of domains over the years and some are bound to be offensive. The company declined to attribute the statement to a named spokesperson. The Epik spokesperson called the hack ‘an egregious violation against our users’ and said the breached data included up to 38,000 credit card numbers. The spokesperson said the company ‘offers its services to everyone’ and that ‘domains affiliated with right-wing politics comprise less than 1 percent of users.’ Epik said it is not aware of its users’ intents and ‘does not consider its role to be censors of free citizens…Our long-held policy of content neutrality has made our platform appealing to some in an increasingly polarized landscape,’ the spokesperson said. ‘We do not endorse or condone any one particular ideology, and we feel uncomfortable with calls to censor those who use our services.’”
“Some basic details about a website domain’s owner are publicly available in what’s known as a ‘WHOIS’ database [like this link to the ICANN Registration Data Lookup Tool]. But the Epik breach revealed far more than that information. Materials from the hack reviewed by The Post include not just names and home addresses but full credit card numbers, unencrypted passwords and other highly sensitive data. Many website owners who trusted Epik to keep their identities hidden were exposed, but some who took additional precautions, such as paying in bitcoin and using fake names, remain anonymous.”
“Epik provides Web services to many prominent right-wing fixtures online, including the media group One America News, the video site Bitchute, the social media site Gab and the message board Patriots.win [a pro-Trump message board]. Other domains show links to targeted harassment campaigns of journalists or activists, including by falsely linking them to allegations of heinous acts.”
“The role of Epik and other alternative Internet-services companies drew mainstream attention in the aftermath of the ‘Unite the Right’ rally in 2017, when white supremacists who organized online converged on Charlottesville. Until then, domain registrars and Web hosts had traditionally taken a hands-off approach to content unless it involved explicitly criminal activity, Beirich said, but the weekend’s deadly violence sparked calls for tech companies to more aggressively police what they kept online.”