Epik Had A Major Breach

Silentptnr (Domains88.com, Top Member)

INSTANT KARMA!! :joyful::ROFL::xf.laugh::ROFL::xf.laugh::xf.grin:

To people like this that genuinely think they're on the right side or have a virtuous position because of some opposing "beliefs" that they think are "more correct", I do feel sorry for you... It reflects more on you than it does anyone else. I'm assuming that this is where you're coming from and not just that you want them to fall because you had bad customer service or something...

The hackers are not in the right, they're not virtuous, they are more scummy than how they see those they purport to be attacking and if true they're affecting lots of people that also don't deserve it. It's clear from the stupid little message that they left how ideologically driven they are.

I feel sorry for you as this is your reaction to this, you're not a worthy member of a nice community like this imho where you are amongst those that will be affected. Revelling in other people's misfortunes is not a good look.
 
36
•••
How many domainers does it take to save a drowning man? Three:
  1. One to say he was conservative and therefore had it coming
  2. One to say a liberal pushed him into the water
  3. One to tell the other two to knock it off
He still drowns.

Unless you have new, useful information to share in order to help your fellow domainers, knock it off.
 
34
•••
Since we're continuing to see political arguments in this thread, let's get one thing straight: Anonymous is a movement that favors chaos. It's a loose collection of people who believe they have transcended morals, religion, and politics, and they do not care what ideological stance they take as long as it makes people angry. They'll say whatever they need to say to justify it as hacktivism.

These are not people for whom ideology is a motive; rather, it's a tool. Their mentality is that the universe is nothing but a game and their purpose is to ruin the fun for everybody. They will take whatever ideological stance opposes their target. And they'll relentlessly harass anyone who gets in the way or points out that the only real goal is chaos.

Controversial targets are easy targets: the victims point fingers while the hackers wallow in the chaos.

Don't fall for it.
 
Last edited:
33
•••
Could you summarize some of the things you already discovered and/or confirmed?
Sure. I don't remember every interesting thing I've taken a peek at, but I have talked about most of it on my Twitter. Some of my Tweets were already embedded above, but I'll go over everything again.

  • The Epik API database includes tables with backordered domains, both pending and delivered, dating back to 2010
  • The PowerDNS database includes tables with domains, resource records, and historical resource records for every zone that was ever hosted at Epik's nameservers.
  • There are two MyDNS databases that seem to contain similar data to the PowerDNS database, but for InTrust Domains before Epik acquired them, and perhaps Epik's shared hosting service respectively. (UNCONFIRMED)
  • The Epik API database includes a table with every domain modification operation that was performed through Epik's control panel. This includes every uncloaked, real whois entry Epik ever had for every domain that was ever registered with them. No Anonymize here. This data dates back to 2011.
  • In the same API database there is also a table that appears to include logs and responses for commands Epik was sending to the registry's EPP Proxy. I don't know how much of this there is or what's in it.
  • There is a mail redirection database that appears to contain every email address that was in Epik's mail forwarding system. I believe this data is from the (free?) basic email forwarding service, and includes domains, alias addresses, and destination addresses. Catch-all forwarding too.
  • Epik's Anonymize dot com service offered a paid "anonymous" email service. The mailbox table includes mailbox addresses, usernames, and passwords in plaintext. Information about which mailboxes are owned by which customers isn't stored in one table, but it is very easy to associate a mailbox with the invoice that paid for it, which includes the customer's name, billing email, physical address, partial credit card numbers, CVV codes and more. Basically, it wasn't anonymous at all.
  • There is a table that contains domains, usernames, and passwords for Epik shared hosting accounts. I speculated that this was how the hacker logged in and defaced the Texas GOP's website. I confirmed that there was an entry in that table for texasgop dot org
  • There is a table that appears to include every domain that was ever in the cart system on Epik's website. People on Twitter speculated that they were storing this information for front-running purposes, but I'm skeptical of that for a few reasons.
  • I found a table that included mailer logs for all of the registrar related emails that Epik sent out, including domain expiration notifications. The data wasn't for all time or anything, I don't remember what the start and end dates were, but it was mostly in 2020. Oddly, one of the columns in this table indicated that Epik has been Bccing ALL of these emails to an account on a seemingly random domain that is operated by one of their customers. I looked up the domain's invoice and it was paid for by a customer in Russia. I am willing to provide more info about this domain if it's allowed here.
  • There is a table with all of the invoices for Epik's registrar. I haven't investigated this table very much, only used it to look up who was paying for a few domains. I know it includes at least domains, customer names, billing emails, physical addresses, and payment information of some description. I used this table to look up the information mentioned above.
  • There is another email related table. I believe this table was used for Epik's paid email hosting for domains that were registered with them. The table includes mailbox names, usernames, passwords, alias addresses, and destination addresses.
  • There is a table with redirect stats for domains that were using the (free?) URL forwarding service. It includes the redirected host, target URL, and click counts.
  • There is a table with log data from Epik's marketplace website. I didn't investigate it thoroughly, but at the very least it seems to contain records of all search requests that were submitted to the marketplace.
  • Epik's shared hosting service appears to have had 6 servers; 4 of them used the same username and password for the API that the main website used to communicate with them. The two that used different credentials included one that used a different username only, and one that used a different password only.
  • There's a table where they logged a bunch of registrar actions during a period from the end of 2014 to some time in 2015. This table includes tons of domain availability checks among other stuff.
  • There is a supposed "domain info cache" table that doesn't contain a massive amount of data, but does contain a large number of scraped whois records from domains that weren't registered at Epik. I suspect this is where at least some of the emails of non-Epik customers which haveibeenpwned users were so surprised about came from.
  • I don't think I posted this on Twitter, but I remember finding a table that appeared to contain fairly detailed logs of every request that was sent to Epik's parking service. I can look this up again if anyone is interested.

That's everything I can think of. If anyone has any further questions about the stuff above or wants me to look for something specific, I'll be keeping an eye on the thread. My messages are also open.

(edited: fixed my bulletpoints)
 
Last edited:
32
•••
Please don't tell me what to do. Every one of your posts is just like the last... you repeat yourself ad nauseam. You called my last post pitiful. Well, guess what? I won't lose any sleep, considering the source.

More criminal activity...

Amazon-owned Twitch breached by hackers who reportedly leaked everything from creator payouts to an unannounced Amazon digital game store.

    • The source code for Twitch and creator earnings numbers were reportedly included in the hack.
That's Google, the universal texting service, and Amazon all in today's news. Maybe it's time to start cutting Epik and Rob Monster a little slack.

I'd like to point this out as proof that it doesn't matter how good the security is or is not. Determined criminals will commit crimes.

I'm sure that Google and Amazon have world-class security. If these hackers are out to get you, they're going to get you.

For all of you spouting off about unsalted this and that... How many of you really understand what you're saying and not just parroting the few here that really do?

I think it's time that we get behind our industry and support the little guy. I remember when GoDaddy was run by Bob Parsons. It was actually not a bad company. You want to lose people like Rob Monster? Be prepared for lack of innovation and the highest possible prices. People like Rob give back to our industry and force competition. You don't have to like him. But you don't need to resort to wishing ill on anyone or becoming an angry mob.

Were flaws exposed? Yup. But if you want to beat Epik to a bloody pulp, you have to be ready to judge all others just as harshly. Or be a hypocrite.

So what is the common denominator? Open your eyes. The real problem here is the hackers. If they can take down the safety of the Chrome browser, all your texting, and Amazon, how does the little guy stand a chance?

I'm not saying to love Epik or Rob. Free will prevails. But support your industry and give them a Fighting Chance. They know where they've gone wrong now. Let them try to fix it.

As for communication, Google tried covering up their issues. The texting service waited 5 years to let it be known. Rob has issued statements which I am sure are in accordance with what he's being advised to do. I can't speak for him. But as open and sharing, even verbose, as he is, I'm sure he would love to let us all know what he's thinking and what's going on. My guess is he's acting on the advice of counsel. Just a guess.

I want to thank @internext for this very reasonable and kind statement.

I also want to take this opportunity to apologize to the domain community for this incident. Regardless of whether this incident was at Epik or a trusted 3rd party vendor, the buck stops here.

Cybercrime is an immense problem.

[image: upload_2021-10-7_7-29-48.png]


The news this week about many cybersecurity incidents involving numerous trusted brands and billions of unique personal records serves as a reminder that cybersecurity is a global challenge.

We believe that blatant criminality will not be tolerated whether it be Google/Twitch, Facebook, Pandora Papers, Neiman Marcus or Epik.

Looking ahead, I believe the industry needs to come together. We don't have to agree on every topic. I hope we can all agree that truth matters.

As for Epik, we are hard at work making Epik a better company. We have a compelling mission. We have remarkable people. We have capable advisors. Most of all, we have loyal customers.

The protection of customer assets has always been our commitment. We are investing heavily in making sure that we stay true to that commitment in 2021 and beyond, while continuing to innovate and lead.

And so I thank you for your patience and support as we lay the groundwork for building an even better Epik!

Thank you.

Robert Monster
Founder and CEO
Epik Holdings Inc.
 
Last edited:
31
•••
IMHO this is the time to support Epik and Rob. Not fly off the handle and post endless negative comments and abandon Epik. The reason that I say that is because Rob has donated more of his time and money to help all domainers than anyone else, as far as I am aware. I have never heard Rob discriminate against or have ill will towards anyone else because they have a different political view or religion than he has, but those same people turn around and condemn Rob just for saying he will pray for them!!! Rob's comments like "Blessings to you all" and "creating abundance for all" show he is the exact opposite of the lies the left are using to smear him and Epik all over the internet. Just please use your own brain to see through the propaganda being used to discredit an honest person who is actively trying to make the world a better place and has the courage to oppose the tyrants who are a serious threat to the liberty of each and every one of us.
 
Last edited:
31
•••
Once again, enough with the flame wars. People are busy trying to figure out how to respond; they don't want to read through pages of the same arguments that have been taking place for years--it's not helpful.
 
30
•••
I know who registered the domain that the Bccs were going to, I will share that information if it's expressly allowed by a mod.

We'd rather this not turn into that sort of thread. There's going to be no shortage of such discussion taking place elsewhere, but NamePros is focused on domain investing. Many of our members are worried that their life's work may now be in jeopardy as a result of this incident.

I know Epik makes for great political news elsewhere, but that controversy has played out incessantly here for years. Most of us are tired of it. Everything that could possibly be said has been said, and there's really not much more to add. The threads now just devolve into flame wars.

An aspect to consider for people outside the industry is that Epik is renowned for their hands-on support. Regardless of what anyone may think of their politics, Rob and his team have a reputation for bending over backwards to help their customers, regardless of political affiliation (or lack thereof). For the most part, Epik has been a stellar example of perfect customer support, and I think even their detractors here would largely agree with that. That context is important to keep in mind when assessing the reactions from our community.

It would be best if this discussion headed toward remediation: what should our members do? What do our members need to worry about, and what's not worth worrying about?
 
29
•••
I have nothing against Rob, but the big mistake that he made was mixing business and politics.
 
Last edited:
28
•••
@Derek Peterson maybe the hack cost Epik more than we thought since they are defaulting on payments to sellers for sales made
Someone posted in one of the 275 Epik threads here that @Kirtaner got raided by feds and it had to do with Epik. I don't remember what thread. Can someone find that? I think it was a Twitter screenshot.

Interesting. I'm going to go and look into the Kirtaner info. We are continuing to update our article that kind of documents the whole sequence of events so as more info is revealed we will continue to update.

Yeah, maybe his "investors" pulled out of the deal after hackers and all of us revealed that Epik was all smoke and mirrors and Rob is not an honest person. I just did a search for his name on Twitter and tons of people are complaining about Epik service and payouts. I bet that new CEO is like, what did I do...lol.

https://providencepost.com/a-monster-of-epik-proportions/
 
Last edited:
28
•••
INSTANT KARMA!! :joyful::ROFL::xf.laugh::ROFL::xf.laugh::xf.grin:

Let's not start this sh%t just yet. I am not a fan of Epik; I have been moving my domains gradually out this year... there are people who use them who do not have the same views as them, think about that before gloating...
 
27
•••
I would really like to hear from who I think are two of the smartest people on these topics on this forum, @Paul @Michael

It does appear to be real. There's an awful lot of data and I don't have time to comb through it all right now, but here's what I've seen so far for Anonymize users, which is a smaller, more approachable dataset than the registrar data:
  1. Passwords hashed with MD5
  2. Plaintext passwords (appears to be a small subset, possibly staff)
  3. PII, including full physical address, name, email, and phone number
There is probably quite a bit more data--this is just what I've glanced at so far for Anonymize.

The data does not appear faked or generated. There is accurate information that I would not expect to be public or widely known. cc @Lox

We're anticipating a significant increase in credential stuffing attacks as a result of the weak password hashing.
 
Last edited:
27
•••
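Why the unsalted MD5 hashing noted in the post above translates directly into credential-stuffing exposure, and the usual remediation, as an added Python example (this is not code from the post, from NamePros or from Epik; the user names, passwords and iteration count are constructed assumptions): two users who chose the same password get identical MD5 hashes, so one leaked table reveals every account sharing a password the moment one of them is known, and a rehash-on-login path upgrades each legacy entry to salted PBKDF2-HMAC-SHA256 with a constant-time compare.

```python
import binascii
import hashlib
import hmac
import os

# Constructed sample of the legacy scheme described in the post: passwords
# hashed with plain, unsalted MD5. Alice and Bob happen to share a password.
LEGACY_USERS = {
    "alice": hashlib.md5(b"Summer2021!").hexdigest(),
    "bob": hashlib.md5(b"Summer2021!").hexdigest(),
    "carol": hashlib.md5(b"correct horse battery").hexdigest(),
}

# Assumption: iteration count chosen per current OWASP guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def unsalted_collisions(users):
    """Group accounts whose stored hashes are identical.

    Without a salt, equal passwords give equal hashes, so anyone holding the
    leaked table learns every account that shares a password as soon as one
    of them is known. A salted scheme gives this function nothing to report.
    """
    groups = {}
    for name, stored in users.items():
        groups.setdefault(stored, []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


def legacy_md5_verify(stored_hex, password):
    """Verify against the legacy unsalted MD5 hash (used only during migration)."""
    candidate = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(stored_hex, candidate)


def pbkdf2_hash(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2_sha256$iterations$salt$hash'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        binascii.hexlify(salt).decode(),
        binascii.hexlify(dk).decode(),
    )


def pbkdf2_verify(stored, password):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def login_and_migrate(users, name, password):
    """Check a login against whichever scheme is stored and upgrade on success.

    A legacy MD5 entry that verifies is immediately replaced by a salted
    PBKDF2 entry (rehash-on-login), so the weak hashes disappear from the
    table as users return, without the plaintext ever being stored.
    """
    stored = users.get(name)
    if stored is None:
        pbkdf2_hash(password)  # spend the same time for unknown users
        return False
    if stored.startswith("pbkdf2_sha256$"):
        return pbkdf2_verify(stored, password)
    if legacy_md5_verify(stored, password):
        users[name] = pbkdf2_hash(password)
        return True
    return False


if __name__ == "__main__":
    print("shared-password groups:", unsalted_collisions(LEGACY_USERS))
    users = dict(LEGACY_USERS)
    print("alice login:", login_and_migrate(users, "alice", "Summer2021!"))
    print("alice now stored as:", users["alice"][:30], "...")
    print("shared-password groups after migration:", unsalted_collisions(users))
```

The migration path is the practical point for a registrar in this position: the MD5 column cannot be converted offline because the plaintexts are unknown, so each entry is upgraded on the user's next successful login, and any account that has not logged in after a cutoff gets a forced reset.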
I want to make it very clear at this point that we will not be permitting personal attacks against researchers. Whatever you may think of Epik, there was an immense degree of irresponsibility here, and it makes no sense for us to grant any degree of tolerance to personal attacks against the people trying to analyze the data.

They are doing our industry a favor by investing their time into enumerating a massive dataset. It's hard to relay just how much text fits in 150 GB. It would be different if it were mostly photos or videos, but text takes up far less space. If we were to combine all of the text on NamePros, it would barely put a dent in 150 GB.
 
27
•••
@Rob Monster, my duty is, first and foremost, to the NamePros community. As a security professional, I am skilled in analyzing breaches and am qualified to offer my opinions on the matter. That is my job.

I fully understand that this is not an easy situation for you to be in, but I have an ethical responsibility to offer assistance when and where I can. If I have made any factual errors, you are free to offer evidence to the contrary.

Your customers, many of whom participate here, are scared and looking for guidance. Vague threats toward professionals who are attempting to help them is not a healthy component of incident response.
 
26
•••
FYI, I just saw the admin account with password 123. That doesn't appear to be an actual internal account. Doesn't seem to have admin perms set, was never a verified email account, and looks like someone simply joined as name "Epik Admin". I see no evidence it's an actual active administrator account with permissions. I also don't see the context for what system it is. It could just be a test admin on a test system. I make those with password of "password" sometimes.

And I do think Epik was wrong in some of its data storage. Passwords as plain text? IMHO there is never a reason to do that. On my own large site I basically did a data purge so good that if the site is hacked, minimal damage will occur. I want to actually encrypt even IPs, but it's a real hassle. Maybe one day. You can't really encrypt data like email and still maintain effectiveness, because things like a PW reset would have to search the DB. You'd still need a key locally that, if found, could unlock the entire DB anyway. So even with full encryption it's possible to get owned. It works with PWs only because it's data the server itself never needs to understand; it just needs to know that the encrypted PW matches the entry from the member login. Not sure if what I am saying is obvious to people or over their heads. I've been a sysadmin for 20 years. Never sure what level the people around me are at.

Ultimately, PW's in plaintext was unnecessary and bad.

Also note I know the VPN developer that sold it to Epik. I wouldn't be shocked if he's behind the hack. He has a history. But it's probably hacktivists that target Epik over politics.


Was all data indeed from a backup, including the many historical .ovpn files?

You can normally tell by reviewing the data when it was grabbed and possibly even the location. An example is my own backups: they don't include all tables because more than a few are either empty or memory tables (like sessions) which don't require a backup. A good admin can tell (yes, a good admin wouldn't store PWs in plain text either).

I'm starting to think that Epik should better sell the business asap.

Why would they do that? If you're a customer and you lost confidence, you can move. I really, really doubt, based on what I know about Rob, that he'll just give up his hard work because of an embarrassment. This stuff happens to a lot of businesses. Rarely do CEOs resign or the business fail. Chipotle restaurant nearly killed dozens of people and they are still in business. So your CC was exposed, someone knows your address or your name, so freaking what? Everyone acts like they are living in a bubble and that they're doing something so secret that no one can know. Meanwhile the CIA and FBI can track you daily on your phone all they want. Jeez.

Perspective people. Registrar's #1 priority for me is for my domains not to get stolen. Raise your hand if this caused your domain to be lost.

Whois was public data for decades. Changed because of GDPR and the perceptions of privacy. Someone wants to get your identity, they will get it.

My question is... As most of these sites left GoDaddy for Epik, were there other hosts that they could have used aside from Epik? The controversies seem to revolve around GoDaddy giving the boot to these sites.

I can speak from experience that getting registrar-booted over your LEGAL content is a real pain in the ass. Your site can go offline indefinitely simply because your registrar has some policy about the morals of your content even if it's 100% legal. Most registrars have a huge ToS/AUP with language basically giving them the right to shut you down. It's inconvenient, and there aren't a lot of large US-based registrars that you can trust to be censorship-free. Epik happens to be one of them.

btw, I was using a secured email that was ONLY for Epik. :) Experience has taught me that your security starts at your domains.

The only way to have a positive ending to this situation is to use this opportunity to bring some reforms to Epik and to the domain Industry at large

The reform is blockchain based domains. When browsers begin to include things like the .eth registry it will get interesting. We won't need centralized registrars anymore.

This data breach involves millions of people's information that have never done business with Epik, due to them scraping WHOIS.

So you're complaining that public data they scraped has been leaked? You need to think on that a moment.

Name is destroyed. Do you read what's being said online?
"a very bad registrar that hosts nazis was targeted by anonymous the heroes and all their data got leaked".

Epik isn't hosting any Nazis. Anonymous aren't heroes; heck, they aren't anything because they don't exist. I can with a straight face make the claim that I am posting this as a representative of Anonymous. I've been threatened so many times by "Anonymous" that it's a joke to me.

Reputation is destroyed.
No one wants their domain at a registrar which is targeted by hackers and government agencies of all sorts because of their practice (being a haven for undesirable websites).

Definitely a tarnished reputation. Destroyed though? I am not so sure. I have seen worse situations where companies have recovered. Maybe wait and see what Epik does before calling them destroyed. Rob does have an opportunity to make amends, for changes, and new security. Basically imho he gets one chance to do the right thing. Also, Epik isn't targeted by "government agencies". I am sure if LE/FBI sends Rob a subpoena for information he is obligated to provide it and does so. Rob would be in a prison if he didn't, and he ain't, so...

Epik, being a small company, is done.
Sorry, but there's no way out of this.

Ever heard of the saying that there is no such thing as bad publicity?

Banned by paypal, banned by afternic, most domainers had already left them before this.

What's their domain numbers from 2 years ago compared to today?

No, all that matters at this moment is Epik taking accountability and doing what they can to mitigate further damage. They need to protect their customer's information and make anyone whole who suffered damages due to their lack of cybersecurity.

Unfortunately you can't undo a leak. The damage is done. Their priority now should be securing, altering policies, and then providing full disclosure on how this happened and what steps are being taken to prevent it from happening again. What do you think is going to "make anyone whole who suffered damages"? If you want some type of monetary reward you have to sue for damages and actually prove the damages. I don't see how that's going to happen when no domains were lost. Not saying this won't turn into a class action because lawyers love to find ways to sue. This might end up being costly for Rob.

I care about as much for Epik when they leak my information as I do for Verizon when they leak my information.

Oh yeah, Cox got me and all I ended up getting was an apology letter even though because of their systems someone had harassed me for months and that my family did indeed suffer mental anguish over it. But Cox just said oops and moved on. I wasn't gonna pay a lawyer $50k to go after them.

Why do you want to give them a chance when you run a business and they screwed up with your data and messed up your life?

How have they messed up your life? Holy mackerel isn't that over-stated a bit? Again, NO DOMAINS LOST.

"Epik a company that presents itself as the swiss bank of domains, accepts almost all clients, with a marked preference for the far right."

That's such propaganda. When you run a business like Epik you don't really care who your customers are as long as they are legal and don't violate your terms. I'm sure if Democrats and Marxists wanted domains at Epik he would treat them the same way. That's actually why Rob is in trouble politically: because he simply doesn't believe in censorship. How novel an idea that in America you get to say unpopular things. Do you guys forget that Trump got censored and banned basically at every popular social media site? You okay with that? And being the Swiss Bank of Domains imho isn't a bad analogy; the Swiss are neutral.

I do hope that Rob uses this as a teaching moment that he has to run his business with more care. Getting into personal fights even if someone else picks them means you will lose every time. You have to take the high road. Your skin has to be thick. Ignoring the crap is your best weapon. Run your business.

Cancel culture is such BS. Since when did the freedom of the internet become the ability to cancel speech you don't like? No one should be cheering this.
 
26
•••
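The remark above that a reviewer can tell from the data itself when a dump was taken, and whether it came from a backup job that skipped volatile tables, as an added Python example (this is not code from the post or from any party involved; the dump text is constructed to imitate mysqldump output, not real Epik data, and the expected-table list is an assumption): it pulls the "Dump completed on" stamp, the newest datetime literal per table as a lower bound on capture time, the gap between the two, and which expected tables (such as a sessions table) have no CREATE or INSERT in the file.

```python
import re
from datetime import datetime

# Constructed stand-in for a leaked mysqldump file (not real Epik data). The
# layout (header comments, CREATE/INSERT statements, trailing completion
# stamp) follows what mysqldump writes.
SAMPLE_DUMP = """-- MySQL dump 10.13  Distrib 8.0.26
-- Host: localhost    Database: registrar
--
-- Table structure for table `invoices`
CREATE TABLE `invoices` (`id` int, `created_at` datetime, `customer` varchar(64));
INSERT INTO `invoices` VALUES (1,'2021-02-01 09:12:00','alice'),(2,'2021-09-10 17:45:31','bob');
--
-- Table structure for table `users`
CREATE TABLE `users` (`id` int, `updated_at` datetime, `login` varchar(64));
INSERT INTO `users` VALUES (1,'2021-09-12 23:59:01','alice'),(2,'2021-08-30 08:00:00','bob');
-- Dump completed on 2021-09-13  1:02:33
"""

# Assumption: the tables the live schema is known to contain. Volatile tables
# such as `sessions` are the ones a backup job typically skips.
EXPECTED_TABLES = ["invoices", "users", "sessions"]

CREATE_RE = re.compile(r"^CREATE TABLE `([^`]+)`")
INSERT_RE = re.compile(r"^INSERT INTO `([^`]+)` VALUES ")
TS_RE = re.compile(r"'(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})'")
DONE_RE = re.compile(r"^-- Dump completed on (\d{4}-\d{2}-\d{2})\s+(\d{1,2}:\d{2}:\d{2})")
FMT = "%Y-%m-%d %H:%M:%S"


def triage_dump(text, expected_tables):
    """Bound when a dump was taken and what it omits.

    Returns the completion stamp mysqldump writes, the newest datetime literal
    seen per table (a lower bound on capture time even if the stamp was
    stripped), the gap between the two in seconds, and expected tables with
    no CREATE or INSERT in the file.
    """
    latest = {}
    tables = set()
    completed = None
    for line in text.splitlines():
        m = CREATE_RE.match(line)
        if m:
            tables.add(m.group(1))
            continue
        m = INSERT_RE.match(line)
        if m:
            table = m.group(1)
            tables.add(table)
            for ts in TS_RE.findall(line):
                dt = datetime.strptime(ts, FMT)
                if table not in latest or dt > latest[table]:
                    latest[table] = dt
            continue
        m = DONE_RE.match(line)
        if m:
            completed = datetime.strptime(m.group(1) + " " + m.group(2), FMT)
    newest = max(latest.values()) if latest else None
    gap = int((completed - newest).total_seconds()) if completed and newest else None
    return {
        "dump_completed": completed,
        "latest_record": newest,
        "latest_per_table": latest,
        "gap_seconds": gap,
        "missing_tables": sorted(set(expected_tables) - tables),
    }


if __name__ == "__main__":
    for key, value in triage_dump(SAMPLE_DUMP, EXPECTED_TABLES).items():
        print(f"{key}: {value}")
```

A small gap between the newest record and the completion stamp, together with missing volatile tables, is consistent with a scheduled backup; a large gap with every table present is more consistent with a copy of a stale backup artifact rather than a live export. Either way the newest timestamp fixes the earliest moment the data could have been taken, which is the fact an incident timeline needs first.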
Rob ain't a coder. I tend to doubt he has the technical expertise to properly project manage his company.

The lapses in security were reportedly brought directly to his attention on multiple occasions, including once by me. He was made aware that his team wasn't doing their job and does not appear to have reacted appropriately.

As an industry, we need to make it clear that ignorance is not an excuse for such poor security practices. If you are being repeatedly informed that there are security issues, and you proceed to cut off communication once you're told that, you're no longer acting in good faith.
 
Last edited:
26
•••
Monster is paying the price of talking too much NONSENSE here and in his new domain forum acquisition several months ago. I can't name that WORTHLESS domain forum, but everybody knows it for SCAMMING PEOPLE years ago with its previous owner (A. D*cker AKA DnSCAMMER).
Monster and his BAD BAD investment decisions... he bought the wrong domain forum and messed with the wrong persons...


OMG, really?

There is only one wrong here and that is the hackers

Are you telling me that if you disagree with a business they deserve to be hacked?
 
25
•••
Wow I have been out of the loop on this, just caught up to the last post.

This is the type of attack the left loves to see, as you can witness from the relentless commentary of those on the left everywhere, their foundation of hatred is shown when one of their adversaries suffers a loss of any kind. The left wants total control of speech in a hegemonic way, and if you think Epik getting attacked like this is good, you are likely an authoritarian that belongs to that group of individuals. Liberty ends when speech is controlled, that's why we must fight with everything we have to ensure companies like Epik survive. Domains are the last frontier for our liberty worldwide, no doubt they will be attacked relentlessly.

The good thing is this, domains are a strong frontier. These tools are way stronger than any social media handle individually, and that's what we have to remember when we see a whole registrar come under attack in a coordinated effort. This is a WAR and the losers always play dirty.

As far as Auth codes go, you can just lock your domains and the auth codes won't matter. You can also have the domains "super locked" to prevent fast transfers inside your account, should you need that extra layer of security. Although I haven't been at Epik since the beginning of July, I don't see how this breach will affect domain names at all. It sounds like the person who wrote the description of the breach has little knowledge of how domain names truly operate.

The Epik tech team is highly skilled and competent; I worked together with them for almost 2 years, and I can say they are incredible human beings from the work they do every day. The only thing this attack will yield is a higher level of competence for that team, I have no doubt about it. I say that as a non-employee customer.

Blah Blah Blah.

Left, Right, Center it doesn't matter. Epik just like any other company is tasked with protecting sensitive data.

From all reports, in this case they seem to have failed. That has nothing to do with politics.

Additionally, allegedly storing much of this information in plain text? Come on.

Epik, and anyone associated with Epik, needs to address the actual concerns regarding the disastrous data breach, instead of trying to turn it into some political bullshit.

Brad
 
25
•••
You didn't make any factual errors, you made fun of the fact that he put a curse on the data too many times.

I'm fairly certain I haven't even done that. I've been sticking to facts and analyses that are pertinent to domainers. It's normal for people who find themselves in Rob's situation to make statements that aren't ideal. There are plenty of other people pointing it out to him; there's no reason for me to join that crowd.

What I will not tolerate are vague threats toward people attempting to respond to the situation as best they can with the information at hand and assist others in doing the same. That is blatantly detrimental to his customers.
 
Last edited:
25
•••
Wow I have been out of the loop on this, just caught up to the last post.

This is the type of attack the left loves to see, as you can witness from the relentless commentary of those on the left everywhere, their foundation of hatred is shown when one of their adversaries suffers a loss of any kind. The left wants total control of speech in a hegemonic way, and if you think Epik getting attacked like this is good, you are likely an authoritarian that belongs to that group of individuals. Liberty ends when speech is controlled, that's why we must fight with everything we have to ensure companies like Epik survive. Domains are the last frontier for our liberty worldwide, no doubt they will be attacked relentlessly.

The good thing is this, domains are a strong frontier. These tools are way stronger than any social media handle individually, and that's what we have to remember when we see a whole registrar come under attack in a coordinated effort. This is a WAR and the losers always play dirty.

As far as Auth codes go, you can just lock your domains and the auth codes won't matter. You can also have the domains "super locked" to prevent fast transfers inside your account, should you need that extra layer of security. Although I haven't been at Epik since the beginning of July, I don't see how this breach will affect domain names at all. It sounds like the person who wrote the description of the breach has little knowledge of how domain names truly operate.

The Epik tech team is highly skilled and competent. I worked together with them for almost two years, and I can say they are incredible human beings from the work they do every day. The only thing this attack will yield is a higher level of competence for that team, I have no doubt about it. I say that as a non-employee customer.
 
•••
While I'm generally willing to give Epik and Rob the benefit of the doubt, this tweet in particular does not sit well with me:
[image: upload_2021-9-17_1-28-58.png]


I reported a vulnerability both to Rob and the responsible developer on February 19, 2020. Neither responded (full size image for legibility):

[image: upload_2021-9-17_1-16-17.png]


I understand that it can be difficult to find good developers. I also understand that it can be even more difficult to find good security professionals. That's why I go out of my way to report vulnerabilities and offer my input when it can help people. I believe all security professionals have an ethical responsibility to report vulnerabilities when they become aware of them, and I was willing to do that in this scenario even if it compromised revenue for NamePros.

I certainly hope Epik has learned from this and will take such reports more seriously in the future.
 
•••
To add onto what @FiniteCrystal found, as I've been focusing on data that could be a direct security risk to NamePros and its members:
  • Epik seems to have had a habit of storing unstructured, serialized PHP objects throughout the database that contain a wealth of problematic info, including security questions/answers and complete, uncensored credit card info.
  • There's an indication that a lot of passwords (or hashes) were removed by the attacker prior to publishing the data. This is concerning, as that data may be released by the attacker later.
  • Failed login attempts appear to have been stored with plaintext passwords included.
 
•••
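For anyone reviewing a dump like this, the three findings in the post above (serialized PHP objects, card data inside them, plaintext passwords in failed-login records) are all things a short script can surface. The block below is an added example and is not code from the post, from Epik or from NamePros: it contains a small parser for PHP's serialize() format, a Luhn check to separate real card numbers from other long digit strings, and a key-name filter for passwords, CVVs and security answers. The table and column names and every row in SAMPLE_ROWS are constructed to resemble the findings described; none of it is leaked data.

```python
"""Find sensitive data hidden inside PHP-serialized blobs in database rows.

Added example, not code from the post, Epik or NamePros. Table/column names
and the rows in SAMPLE_ROWS are constructed to mimic the findings above.
"""
import re

SENSITIVE_KEY_RE = re.compile(r'(pass(word|wd)?|secret|cvv|cvc|security_?answer|ssn)', re.I)
PAN_RE = re.compile(r'\d{13,19}')


def php_unserialize(data: str):
    """Decode a PHP serialize() string (N, b, i, d, s, a, O) into Python values.

    Objects become dicts with a '__class__' entry. String lengths are taken as
    character counts, which equals PHP's byte count only for ASCII data.
    """
    def parse(i):
        t = data[i]
        if t == 'N':                                  # N;
            return None, i + 2
        if t in 'bid':                                # b:1; i:42; d:1.5;
            end = data.index(';', i)
            raw = data[i + 2:end]
            conv = {'b': lambda v: v == '1', 'i': int, 'd': float}[t]
            return conv(raw), end + 1
        if t == 's':                                  # s:5:"hello";
            colon = data.index(':', i + 2)
            length = int(data[i + 2:colon])
            start = colon + 2                         # past ':"'
            return data[start:start + length], start + length + 2
        if t in 'aO':                                 # a:N:{...}  O:L:"Cls":N:{...}
            colon = data.index(':', i + 2)
            out = {}
            if t == 'O':
                name_len = int(data[i + 2:colon])
                out['__class__'] = data[colon + 2:colon + 2 + name_len]
                i = colon + 2 + name_len + 2          # past '":'
                colon = data.index(':', i)
                count = int(data[i:colon])
            else:
                count = int(data[i + 2:colon])
            i = colon + 2                             # past ':{'
            for _ in range(count):
                key, i = parse(i)
                value, i = parse(i)
                out[key] = value
            return out, i + 1                         # past '}'
        raise ValueError(f'unsupported type {t!r} at offset {i}')

    value, end = parse(0)
    if end != len(data):
        raise ValueError('trailing data after serialized value')
    return value


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(value, path=''):
    """Yield (path, kind, preview) for card numbers and values under sensitive keys."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from find_sensitive(v, f'{path}.{k}' if path else str(k))
    elif isinstance(value, str):
        compact = re.sub(r'[ -]', '', value)
        if PAN_RE.fullmatch(compact) and luhn_ok(compact):
            yield path, 'card_number', compact[:6] + '*' * (len(compact) - 10) + compact[-4:]
        key = path.rsplit('.', 1)[-1]
        if value and SENSITIVE_KEY_RE.search(key):
            yield path, 'sensitive_field', '<redacted>'


def scan_rows(rows):
    """rows: iterable of (table, column, cell_text). Returns a list of findings."""
    findings = []
    for table, column, cell in rows:
        try:
            decoded = php_unserialize(cell)
        except (ValueError, IndexError):
            continue                                  # not PHP-serialized, skip
        for path, kind, preview in find_sensitive(decoded):
            findings.append((f'{table}.{column}', path, kind, preview))
    return findings


# Constructed rows (assumed table/column names); 4111 1111 1111 1111 is a test PAN.
SAMPLE_ROWS = [
    ('users', 'extra',
     'a:3:{s:5:"theme";s:4:"dark";s:17:"security_question";s:10:"First pet?";'
     's:15:"security_answer";s:3:"Rex";}'),
    ('orders', 'payment_blob',
     'O:8:"CardInfo":3:{s:4:"name";s:8:"J. Smith";s:3:"pan";s:19:"4111 1111 1111 1111";'
     's:3:"cvv";s:3:"123";}'),
    ('login_log', 'context',
     'a:2:{s:4:"user";s:5:"alice";s:8:"password";s:9:"hunter2!!";}'),
    ('settings', 'value', 'plain text, not serialized'),
]

if __name__ == '__main__':
    for location, path, kind, preview in scan_rows(SAMPLE_ROWS):
        print(f'{location:22} {path:18} {kind:16} {preview}')
```

The parser deliberately rejects anything it cannot decode completely, so ordinary text cells are skipped rather than mis-read; in a real review you would feed it every TEXT/BLOB column rather than guessing which ones hold serialized objects, because the post's point is precisely that these blobs were scattered across the schema.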
Isn't this something that many registrars do? That "save your credit card for easier future transactions"? Good thing I don't use Porkbun anymore; they force you to have at least 1 saved and if removal is wanted, you have to contact them. Aren't almost all registrars considered violators of this rule?

No online platform that takes card payments seriously stores it locally. At Dan, for example, we store zero card information in our own database. We pass the information to Adyen and they store it, as they are the experts in keeping that data safe. So having your card information stored somewhere isn't the problem, but how and by whom it's stored is important to know.
 
•••
The hacked data is an old backup, which is the reason for the many accounts not related to Epik; that data is old, it gets renewed/replaced, and only some crumbs of value remain to hackers. Then hackers take helium and inflate a fairy-tale balloon on Twitter which explodes with a simple needle, leaving some rubber to play with.
Want to be on the safe side? Reissue your CC; it takes only one week for me and you get new numbers which are no longer in the data. That is how the old gets renewed. Go make a coffee and forget.

Since most of this pertains to technical information that I can personally check, I'll address the claims here:
  • The hacked data does not appear to be particularly old. The data cuts off between February and March of this year.
  • The backup contains credentials--we call these SSH keys--that could likely have been used to compromise live systems, and it's entirely possible that the hacker did so prior to releasing any data publicly. It also contains various API keys which carry a similar risk.
  • Casting aside whatever may be happening on Twitter, the leak contains a lot of data that was stored inappropriately or should not have been stored at all.
  • There is no shortage of sensitive data in the leak.
  • Much of the valuable data (in the monetary sense) appears to have been redacted by the hacker. They probably still have that data, and it remains to be seen what they'll do with it.
  • Epik was also storing a lot of sensitive data in an unstructured manner. The hacker appears to have neglected to redact this unstructured data. It includes a lot of credit card numbers, personal information, and plaintext passwords--in many cases, information that should not have been stored in the clear. This is serious, and you should change your password on other websites if you use the same password elsewhere.
  • There isn't much difference between compromising a full backup of this caliber and compromising a live system. For the most part, they contain the same data, and compromising one could easily lead to compromising the other.
  • The breach exposes that Epik's security and privacy practices were effectively nonexistent: even the most basic security practices weren't followed in many cases. This would have been unacceptable for any registrar, but given that Epik's selling points were security and privacy, it's especially disappointing.
It seems to me it isn't Kirtaner who needs reminding this is a professional forum.

I don't think it was intended to be a threat; I think it was legitimate confusion. I considered removing the post, but I wanted to give @Kirtaner a chance to respond and set the record straight. I'm not too concerned at this point, but I don't want the thread to escalate into yet another flame war with personal attacks.

There are probably going to be some offensive questions asked without the intent to offend. (Some may also be intended to offend.) As long as @Kirtaner is okay with that and is interested in answering them, we'll try not to stand in the way.
 
•••
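The SSH-key and API-key point in the post above is the one that turns a leaked backup into a live-system compromise, and the first triage question is which of those keys work as-is. The script below is an added example, not code from the post, from Epik or from NamePros. It walks a backup (here an in-memory dict of constructed files; the paths are assumed) and reports each private key it finds together with whether it is passphrase-protected: an OpenSSH key stores its cipher name in the blob header, so a cipher of "none" means no passphrase; legacy PEM keys carry a "Proc-Type: 4,ENCRYPTED" header when protected; PKCS#8 keys use a different BEGIN label for the encrypted form. It also flags AWS-style access key IDs, using the placeholder value from AWS's own documentation. The OpenSSH blobs here contain only the header fields, not real key material.

```python
"""Triage credentials found in a leaked backup: which private keys are usable as-is?

Added example, not code from the post, Epik or NamePros. SAMPLE_BACKUP is an
in-memory dict of constructed files with assumed paths; no real keys are used.
"""
import base64
import re
import struct

PEM_RE = re.compile(r'-----BEGIN ([A-Z0-9 ]+?)-----\n(.*?)-----END \1-----', re.S)
AWS_KEY_RE = re.compile(r'\b(?:AKIA|ASIA)[0-9A-Z]{16}\b')   # AWS access key ID shape
OPENSSH_MAGIC = b'openssh-key-v1\x00'


def _ssh_string(buf: bytes, off: int):
    """Read one uint32-length-prefixed string from an OpenSSH binary blob."""
    (n,) = struct.unpack('>I', buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def openssh_cipher(b64_body: str) -> str:
    """Return the ciphername field of an openssh-key-v1 blob ('none' = no passphrase)."""
    raw = base64.b64decode(''.join(b64_body.split()))
    if not raw.startswith(OPENSSH_MAGIC):
        raise ValueError('not an openssh-key-v1 blob')
    cipher, _ = _ssh_string(raw, len(OPENSSH_MAGIC))   # first field after the magic
    return cipher.decode()


def classify_pem(label: str, body: str):
    """Map a PEM label and body to (kind, encrypted?) or None if it is not a private key."""
    if label == 'OPENSSH PRIVATE KEY':
        return 'openssh private key', openssh_cipher(body) != 'none'
    if label == 'ENCRYPTED PRIVATE KEY':
        return 'pkcs8 private key', True
    if label == 'PRIVATE KEY':
        return 'pkcs8 private key', False
    if label.endswith(' PRIVATE KEY'):                 # legacy RSA/EC/DSA PEM
        return 'pem private key', 'Proc-Type: 4,ENCRYPTED' in body
    return None


def scan_backup(files):
    """files: {path: text}. Returns [(path, kind, status)] with unencrypted keys first."""
    findings = []
    for path, text in files.items():
        for m in PEM_RE.finditer(text):
            hit = classify_pem(m.group(1), m.group(2))
            if hit:
                kind, encrypted = hit
                findings.append((path, kind, 'passphrase-protected' if encrypted else 'unencrypted'))
        for m in AWS_KEY_RE.finditer(text):
            findings.append((path, 'aws access key id', m.group(0)))
    order = {'unencrypted': 0, 'passphrase-protected': 2}   # anything else (API keys) ranks 1
    return sorted(findings, key=lambda f: order.get(f[2], 1))


def _openssh_blob(cipher: str) -> str:
    """Build only the header of an openssh-key-v1 blob (constructed sample, not a real key)."""
    kdf = b'none' if cipher == 'none' else b'bcrypt'
    raw = OPENSSH_MAGIC
    for field in (cipher.encode(), kdf, b''):          # ciphername, kdfname, kdfoptions
        raw += struct.pack('>I', len(field)) + field
    raw += struct.pack('>I', 1)                        # number of keys
    return ('-----BEGIN OPENSSH PRIVATE KEY-----\n'
            + base64.b64encode(raw).decode() + '\n'
            + '-----END OPENSSH PRIVATE KEY-----\n')


# Constructed backup contents with assumed paths.
SAMPLE_BACKUP = {
    'home/deploy/.ssh/id_ed25519': _openssh_blob('none'),
    'home/admin/.ssh/id_rsa': _openssh_blob('aes256-ctr'),
    'etc/app/tls.key': ('-----BEGIN RSA PRIVATE KEY-----\n'
                        'Proc-Type: 4,ENCRYPTED\n'
                        'DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n'
                        'bm90IGEgcmVhbCBrZXk=\n'
                        '-----END RSA PRIVATE KEY-----\n'),
    'etc/app/config.php': "<?php\n$aws = ['key' => 'AKIAIOSFODNN7EXAMPLE', 'secret' => 'REDACTED'];\n",
}

if __name__ == '__main__':
    for path, kind, status in scan_backup(SAMPLE_BACKUP):
        print(f'{status:22} {kind:20} {path}')
```

The ordering puts unencrypted keys first because those are the ones an attacker can use the moment the backup is in hand. A passphrase-protected key is not safe either, since it can be brute-forced offline at leisure; the practical conclusion for any operator in this position is to rotate every key and API token in the backup, starting with the unencrypted ones.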