Epik Had A Major Breach
The views expressed on this page by users and staff are their own, not those of NamePros.
Well, there is really no ambiguity in that clause. It clearly says "shall" provide it within 7 days, not might, could, etc. Shall is compulsory language.

So if ICANN does not have the report yet, they are clearly in violation of that contractual clause.

I would expect for ICANN to take a potential breach of their contract seriously, especially when it comes to this level of data breach. Hopefully for Epik's sake, they have submitted that report as contractually required.

Brad
It should. But there is no requirement that I can remember that says that it has to publish the correspondence (report). Normally it publishes contract breach notifications and termination notices. If Epik is in breach of its contract with ICANN there may be some published correspondence about it. There are steps before a registrar's accreditation is terminated and these things can move relatively slowly.

Regards...jmcc
 
There are plenty of security/IT experts quoted in this thread. Lawyers could easily reach out to those parties for clarity or more information.

Brad
Never mind.
 
Never mind.

My issue really is a legal firm needs to put in the work if they want to make money off it.

All the information is out there. This thread has consolidated a lot of valuable information from Twitter as well.

It is hard to have a better starting point.

If this law firm is not willing to put in the work, they might not be the right one to handle it.

Brad
 
The firm has expertise in this field, as stated on their website. Trust me, they have people who can interpret the technical side of this.

No. Currently the "hackers" have published nothing official. Just a bunch of randos posting "owning" gloats and making claims.
 
No. Currently the "hackers" have published nothing official. Just a bunch of randos posting "owning" gloats and making claims.

The leaked data is widely available so not hard to confirm any made claims as you know exactly what and where to look for in the dataset.
 
No. Currently the "hackers" have published nothing official. Just a bunch of randos posting "owning" gloats and making claims.
Typically with breaches like this it is up to the media and InfoSec analysts to pore over the details and publish them; hackers' narrative can be coloured. The job was left to those who can give this unbiased and disconnected perspective, obviously, which is the correct decision here.
 
It should. But there is no requirement that I can remember that says that it has to publish the correspondence (report). Normally it publishes contract breach notifications and termination notices. If Epik is in breach of its contract with ICANN there may be some published correspondence about it. There are steps before a registrar's accreditation is terminated and these things can move relatively slowly.

Regards...jmcc

One interesting thing about that is ICANN is still based in US, headquartered in California and subject to California courts.

California Attorney General Xavier Becerra stepped in over the .ORG deal with ICANN, which led to a delay then played a major role in the rejection of the deal.

It would be interesting if during an investigation or lawsuit, ICANN's records about this were subpoenaed.

Brad
 
Typically with breaches like this it is up to the media and InfoSec analysts to pore over the details and publish them; hackers' narrative can be coloured. The job was left to those who can give this unbiased and disconnected perspective, obviously, which is the correct decision here.

Hopefully that will happen in the future, I guess it is still early, but until it does I doubt any lawyer, ICANN or any credit card processor will take any action and Epik will surely try their best to ignore, deny and carry on.
 
From the ICANN Registrar Accreditation Agreement.

https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en

3.20 Notice of Bankruptcy, Convictions and Security Breaches. Registrar will give ICANN notice within seven (7) days of (i) the commencement of any of the proceedings referenced in Section 5.5.8. (ii) the occurrence of any of the matters specified in Section 5.5.2 or Section 5.5.3 or (iii) any unauthorized access to or disclosure of registrant account information or registration data. The notice required pursuant to Subsection (iii) shall include a detailed description of the type of unauthorized access, how it occurred, the number of registrants affected, and any action taken by Registrar in response.

Do you have any idea if this agreement was fulfilled or ignored?
 
Do you have any idea if this agreement was fulfilled or ignored?

I have no idea. Epik has provided no real update in weeks, and the first update they did provide has since been deleted from Twitter.

Brad
 
The leaked data is widely available so not hard to confirm any made claims as you know exactly what and where to look for in the dataset.
It all depends on the lawyer(s) and their financial motivation imo. Will lawyers download all the torrents? What would their next step be? Are they aware what a torrent file is, or what to do with a disk image (2nd and 3rd leaks)? Not too likely. I'd guess that, from a practical point of view, they will just check what Epik itself submitted to relevant authorities (breach notices), calculate potential $$$ income for the law firm, and act accordingly.
 
I have no idea. Epik has provided no real update in weeks, and the first update they did provide has since been deleted from Twitter.

Brad

But there has been national coverage. We don't know if they are working with ICANN but that is most likely.

I can't help but notice people keep bringing up the same subject over and over. It's not like it's in Epik's best interest to reveal what is happening. I would think law enforcement would tell them not to.
 
One interesting thing about that is ICANN is still based in US, headquartered in California and subject to California courts.

California Attorney General Xavier Becerra stepped in over the .ORG deal with ICANN, which led to a delay then played a major role in the rejection of the deal.
That intervention killed the sale.

It would be interesting if during an investigation or lawsuit, ICANN's records about this were subpoenaed.
It would be interesting if it was possible. It is a legal question though and there are multiple jurisdictions involved.

Regards...jmcc
 
they will just check what Epik itself submitted to relevant authorities (breach notices),
Just to clarify this in respect to ICANN correspondence, a breach notice is when ICANN informs a registrar or registry that it is in breach of its contract with ICANN. Epik or its lawyers have to file breach notices about the data breach with various state or national authorities. All these breaches and breach notices get a bit confusing after a while. :)

Regards...jmcc
 
But there has been national coverage. We don't know if they are working with ICANN but that is most likely.

I can't help but notice people keep bringing up the same subject over and over. It's not like it's in Epik's best interest to reveal what is happening. I would think law enforcement would tell them not to.

It was not in Epik's best interest for Rob to hold a disastrous 4 hour video call, but that happened.

It is also not in Epik's best interest for Rob to send multiple whiny, preachy emails to Paul complaining about NamePros, but that happened.

I am not giving Epik the benefit of the doubt, after seeing how they secured customers' data and after their initial actions of trying to downplay these events.

The fact they have deleted their initial breach notice to customers on Twitter makes it even worse.

Deleted Tweet -

https://web.archive.org/web/20210925231337/https://twitter.com/EpikDotCom/status/1439020408783654917
 
It all depends on the lawyer(s) and their financial motivation imo. Will lawyers download all the torrents? What would their next step be? Are they aware what a torrent file is, or what to do with a disk image (2nd and 3rd leaks)? Not too likely. I'd guess that, from a practical point of view, they will just check what Epik itself submitted to relevant authorities (breach notices), calculate potential $$$ income for the law firm, and act accordingly.

I haven't looked into the specific firm but I suppose if they have some tech experience it wouldn't be too hard. It's not rocket science once you've got pointers where to look. Any hobbyist can do it.

Going through everything if you don't know what you're looking for, yes. That's a lot of work and takes some advanced skills.
 
Thanks for setting things in the clear.
Then I hope everyone will do what @Derek Peterson did.

I'm sure many thread readers would love to hear your perspective on the current situation.

Feds are mostly scumbags also, when no crimes exist they are always happy to create some, even when it involves human trafficking and porn. Best option is to make a video or document in some way and cut them off. When Stripe watched my video on Gab porn they cut off Gab and with no payment processor Gab had to shift grifts away from the porn and loli. Feds can't fund honeypot like that directly. Hard to stop low moral feds in their dumb operations but you can manipulate them into doing less harm.

Yeah, I agree most of these hacker types are feds. They might not think they are but if they are working with the feds to entrap and expose then they are feds in my book. IMHO it is all meant to incite left vs right paradigm so they can control all. Look at the people they use, the demon hacker guy dresses up like the perfect evil villain for the right to point at and right has goofballs doing Hitler salutes and "nazi" websites like Gab, which was started by a Jew, Indian and a Turk or Parler, which is owned by a Jewish family but they are all somehow "nazi" sites. It is all just created drama to manipulate people. Good people rise above the drama and fear porn and focus on helping other human beings.
 
It was not in Epik's best interest for Rob to hold a disastrous 4 hour video call, but that happened.

We've all agreed it was a mistake, I'd call it disastrous. Certainly no reason to repeat that mistake.

It is also not in Epik's best interest for Rob to send multiple whiny, preachy emails to Paul complaining about NamePros, but that happened.

I imagine he is under a lot of stress. Rob is an eccentric personality during the best of times. He has no business doing P.R. or talking about what is happening.

I am not giving Epik the benefit of the doubt, after seeing how they secured customers' data and after their initial actions of trying to downplay these events.

I'm not suggesting you give them the benefit of doubt. Just be realistic about what they can / can't say. I wish Rob would hire an experienced spokesperson but I don't expect that would satisfy his critics.

The fact they have deleted their initial breach notice to customers on Twitter makes it even worse.

Brad

OK.
 
We've all agreed it was a mistake, I'd call it disastrous. Certainly no reason to repeat that mistake.

I imagine he is under a lot of stress. Rob is an eccentric personality during the best of times. He has no business doing P.R. or talking about what is happening.

I'm not suggesting you give them the benefit of doubt. Just be realistic about what they can / can't say. I wish Rob would hire an experienced spokesperson but I don't expect that would satisfy his critics.

OK.

The truth is Rob, and not many others, have ever dealt with this level of data breach. It is almost unprecedented in nature.

If Rob can't make a detailed statement about the breach because of legal reasons, he needs to say that. If he deleted the tweet because he was advised to, he needs to say that.

Otherwise, the silence is damning and looks like they are just trying to ignore it and move on like it was business as usual.

When you are deleting tweets, and providing no updates it doesn't look good.

Brad
 
The truth is Rob, and not many others, have ever dealt with this level of data breach. It is almost unprecedented in nature.

If Rob can't make a detailed statement about the breach because of legal reasons, he needs to say that. If he deleted the tweet because he was advised to, he needs to say that.

You're right, we don't even know if Epik deleted the tweet. I suspect they didn't because there is no upside to deleting it. If they admit that, things would look even worse. Just speculation.

Otherwise, the silence is damning and looks like they are just trying to ignore it and move on like it was business as usual.

When you are deleting tweets, and providing no updates it doesn't look good.

Brad
 
You're right, we don't even know if Epik deleted the tweet. I suspect they didn't because there is no upside to deleting it. If they admit that, things would look even worse. Just speculation.

What are you talking about? Of course Epik deleted the Tweet. If the hackers hacked Epik's Twitter account I'm sure they would have done something more entertaining than just delete the notification tweet.
 