
Epik Had A Major Breach


Silentptnr

This got political because the hack was politically motivated.

You're probably right. Seen some stuff posted showing the database search history and going from that it does look like they were going after some specific targets.

You can't trust any source right now though.
 
I was asking Paul about my login logs, and it seems that there are no real attempts at actually hacking my account so far, likely because of me having a "lousy" handregging portfolio deemed too uninteresting to any hacker :roll: Either that, or the registrar/s involved isn't/aren't frequently used by members here.

And apparently I found out there's a new inactive member whose username is similar to mine.

But that also means I'll never be able to help pinpoint/exclude any hacked registrar. Chances are, the only ones qualified to contribute on finding out any unknowingly hacked registrars are members who have much more premium names and with different usernames/emails used on different registrars.

Anyway thanks for helping out @Paul !
 
Just saw this tweet from 2019.

Just be really careful folks. For some reason every 2 pages people keep coming on here to tell you to move your domains INTO epik at this time, which would be a huge mistake.

Not sure what their agenda is but it sure isn't your safety.

[Attached screenshot, 2021-09-17]
 
When you deal with a toxic registrar, your personal data and assets are always at risk.
It also affects your sales.
This is what I learned from Moniker and Epik.
 
Makes you wonder who we keep company with also. They could be lying dormant at NamePros also and just not acting yet. Yipes. Hope it gets cleared up soon. Scary world we made for ourselves, to have to have this element included all the time anyway.
 
Just saw this tweet from 2019.

While not ideal, if that's during registration and the password wasn't supplied by the user, it doesn't necessarily mean that they're storing it in cleartext. In this particular case, though, the relevant data appears to be stored in the form of MD5 hashes, which isn't much better.

Not sure what their agenda is but it sure isn't your safety.

I'm not sure that's a fair assessment. Most NamePros members probably still neglect to use unique passwords even after all our warnings. I really don't think anyone at Epik thought this was possible; they probably just didn't know better, and I strongly doubt other registrars are much better.

That's not to excuse their lack of security or suggest that ignorance is a valid defense, but I really don't think it's fair to say that they don't care about their customers' safety.

They could be lying dormant at namepros also and just not acting yet.

It's possible but unlikely. Everything can be hacked, and NamePros is no exception, but we invest an awful lot in security. Every company should assume that they can get hacked and should be prepared for that eventuality. Any company claiming to be invulnerable is either lying or delusional--and probably has terrible security.

A healthy approach to security requires anticipating and planning for the worst, even when attacks are successfully thwarted. These are conversations we have on a regular basis at NamePros, and I would strongly encourage other companies to do the same. It keeps us on our toes. If we had a "days since Paul last pointed out internally that all companies get hacked and we should plan for that eventuality" counter, it would be at 8.
 
The primary question is not "HOW" but "WHY" to hack you?
Why hack NamePros, for example? What motivation or benefit is there in this hack?
 
While not ideal, if that's during registration and the password wasn't supplied by the user, it doesn't necessarily mean that they're storing it in cleartext. In this particular case, though, the relevant data appears to be stored in the form of MD5 hashes, which isn't much better.
Was checking archive.org on anonymize.com's registration page. The password for anonymize is user-inputted. However, Epik's registration email from my inbox in 2018 doesn't contain any password, only email.

The primary question is not "HOW" but "WHY" to hack you?
Why hack NamePros, for example? What motivation or benefit is there in this hack?
Here's one I can think of: To impersonate high profile users and scam others into giving super premium names/money
 
I have nothing against Rob, but the big mistake that he made was mixing business and politics.

Common mistake. Established businesses going into politics. My family went through that. Divided the family and business partners. Better now, but wounds are still not healed.
 
The primary question is not "HOW" but "WHY" to hack you?
Why hack NamePros, for example? What motivation or benefit is there in this hack?
Credential stuffing attacks on other registrars are another.
 
The primary question is not "HOW" but "WHY" to hack you?
Why hack NamePros, for example? What motivation or benefit is there in this hack?

Why not?

We get hit with attacks all the time. In most cases, the motive appears to be financial gain: hijack accounts, get personal info, and use that to steal domain names, or some variation on that tactic. Sometimes people are mad that we banned them. Sometimes it's ego. Sometimes there's no clear motive.

We're a forum--to the average hacker, that makes us look like low-hanging fruit. We have users with lots of valuable assets, and most forums don't know the first thing about security. Once they realize we're on top of matters, they usually move on to easier targets.

A handful are more persistent and always seem to know when I'm on vacation.
 
I don't store any personal info on NamePros.
My city is the only one.
 
I don't store any personal info on NamePros.
My city is the only one.

Usually they just want to know whether people use the same password across multiple websites. They'll take passwords from a breached third-party website and check whether they can log into NamePros. If they can, they'll use that info for other nefarious purposes.

That's why you get captcha'd if you try to log into NamePros more than once in a short period of time.
 
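As an added illustration (example code, not NamePros' own; the log lines and thresholds are constructed) of the two mechanisms Paul describes above: a per-IP window that demands a captcha on any second login attempt, and a detector for the credential-stuffing pattern of one guess spread across many accounts from a single source.

```python
from collections import defaultdict, deque

# Constructed sample login log (not real NamePros data): timestamp, source IP, account, result.
# 203.0.113.7 tries five accounts in five seconds; 198.51.100.9 is one user retrying a typo.
SAMPLE_LOG = """\
1631860000 203.0.113.7 alice FAIL
1631860001 203.0.113.7 bob FAIL
1631860002 203.0.113.7 carol FAIL
1631860003 203.0.113.7 dave OK
1631860004 203.0.113.7 erin FAIL
1631860050 198.51.100.9 alice FAIL
1631860051 198.51.100.9 alice OK
1631860900 198.51.100.9 alice OK
"""

WINDOW = 60             # seconds; the "short period of time" (assumed value)
FREE_ATTEMPTS = 1       # any attempt beyond this inside the window must solve a captcha
STUFFING_MIN_USERS = 4  # distinct accounts from one IP inside the window (assumed threshold)

def parse(log):
    """Turn the log text into (ts, ip, user, result) tuples."""
    return [(int(t), ip, u, r) for t, ip, u, r in (l.split() for l in log.splitlines())]

def captcha_decisions(rows):
    """Per-IP sliding window: return (ts, ip, user, captcha_required) for each attempt."""
    recent = defaultdict(deque)
    out = []
    for ts, ip, user, _ in rows:
        q = recent[ip]
        while q and ts - q[0] > WINDOW:   # drop attempts that fell out of the window
            q.popleft()
        out.append((ts, ip, user, len(q) >= FREE_ATTEMPTS))
        q.append(ts)
    return out

def stuffing_suspects(rows):
    """Flag IPs touching many distinct accounts in one window (one guess per account, as replayed
    breach credentials look); a success inside such a run (dave OK) is a reused password."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, user, _ in rows:
        q = recent[ip]
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        q.append((ts, user))
        if len({u for _, u in q}) >= STUFFING_MIN_USERS:
            flagged.add(ip)
    return flagged
```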
@Paul

I have domains at epik that I must renew. Is it safe in your opinion to input my credit card?

I wish they would extend renewals due now for free based on the situation.
 
I don't store any personal info on NamePros.
My city is the only one.
Date of Birth seems to be obligatory. If one is using a correct and unique one here @ NP and on, let's say, Dynadot (one of their default security questions), there may be issues should either system be hacked.
@Paul wouldn't it make sense to make this field editable? In the current environment, one should probably use different DOB info for each online service that asks for it ;-()
 
I'm talking about the captcha: you are human or robot...
It asks me daily, when I turn on my PC and visit NamePros.
I banned it.

I don't think that's NamePros. You can't "ban" ours--you won't be able to log in if you do. I'm not sure what you're seeing there.

That sounds like the Cloudflare one, which our logs indicate you shouldn't be triggering in the first place. I'd appreciate you sending me more info about that privately so I can figure out what's wrong.

Is it safe in your opinion to input my credit card?

I don't know. I wish I had a better answer for you, but I don't.

@Paul wouldn't it make sense to make this field editable?

We use it to restrict access to various sections, so we can't really have people going around changing it on a regular basis. You can contact support to change it, though.
 
I have domains at epik that I must renew. Is it safe in your opinion to input my credit card?

I know this was not directed at me but thought I would share what I've done.

Actually, over the years I have done it both of the following ways. One is to call and make a one-time card charge (a few hundred) and have them add it to my Epik store account. The second way is to go to one of their banks and make a counter deposit into an Epik account. In the second case you simply send them an email with the pertinent data and they add that to your Masterbucks account.
 
I know this was not directed at me but thought I would share what I've done.

Actually, over the years I have done it both of the following ways. One is to call and make a one-time card charge (a few hundred) and have them add it to my Epik store account. The second way is to go to one of their banks and make a counter deposit into an Epik account. In the second case you simply send them an email with the pertinent data and they add that to your Masterbucks account.
Thanks
 
I don't think that's NamePros. You can't "ban" ours--you won't be able to log in if you do. I'm not sure what you're seeing there.

That sounds like the Cloudflare one, which our logs indicate you shouldn't be triggering in the first place. I'd appreciate you sending me more info about that privately so I can figure out what's wrong.

I don't know. I wish I had a better answer for you, but I don't.

We use it to restrict access to various sections, so we can't really have people going around changing it on a regular basis. You can contact support to change it, though.
Thanks
 
Some credit cards offer a virtual / one time credit card number that ties to your account. You use it once and then it's no longer any good. You might want to see if any of your cards offer it.

@Paul

I have domains at epik that I must renew. Is it safe in your opinion to input my credit card?

I wish they would extend renewals due now for free based on the situation.
 
While not ideal, if that's during registration and the password wasn't supplied by the user, it doesn't necessarily mean that they're storing it in cleartext. In this particular case, though, the relevant data appears to be stored in the form of MD5 hashes, which isn't much better.

I'm not sure that's a fair assessment. Most NamePros members probably still neglect to use unique passwords even after all our warnings. I really don't think anyone at Epik thought this was possible; they probably just didn't know better, and I strongly doubt other registrars are much better.

That's not to excuse their lack of security or suggest that ignorance is a valid defense, but I really don't think it's fair to say that they don't care about their customers' safety.

It's possible but unlikely. Everything can be hacked, and NamePros is no exception, but we invest an awful lot in security. Every company should assume that they can get hacked and should be prepared for that eventuality. Any company claiming to be invulnerable is either lying or delusional--and probably has terrible security.

A healthy approach to security requires anticipating and planning for the worst, even when attacks are successfully thwarted. These are conversations we have on a regular basis at NamePros, and I would strongly encourage other companies to do the same. It keeps us on our toes. If we had a "days since Paul last pointed out internally that all companies get hacked and we should plan for that eventuality" counter, it would be at 8.

Ty, I agree, and we should not go to the internet as consumers and think it is a state of utopia either. We should be just as defensive as the big companies; it just causes conflicts in corners, that is all. :)
 
I don't think this link (below) has been posted in this thread. It is important to realize that, unfortunately, many large businesses have been hacked. It is one of the major issues of our times.

Much of recovery success depends on response and communication.

This gives details of some security breaches, including year of breach, number of accounts, and in many cases the information gathered. Among the names are Facebook (multiple times), Adobe, DropBox (more than once), Marriott, Canva, Zoom, Uber, eBay, LinkedIn, Yahoo (multiple times), Equifax, CapitalOne, Quora, HomeDepot, etc.

https://www.upguard.com/blog/biggest-data-breaches

This is NOT to make light of the situation if it is as claimed. Just to point out that, unfortunately, data breaches are a fact of modern life.

Bob
 
Holy f....

Security researcher Corben Leo contacted Epik’s chief executive Monster over LinkedIn in January about a security vulnerability on the web host’s website. Leo asked if the company had a bug bounty or a way to report the vulnerability. LinkedIn showed Monster had read the message but did not respond.

Leo told TechCrunch that a library used on Epik’s WHOIS page for generating PDF reports of public domain records had a decade-old vulnerability that allowed anyone to remotely run code directly on the internal server without any authentication, such as a company password.

“You could just paste this [line of code] in there and execute any command on their servers,” Leo told TechCrunch.

Leo ran a proof-of-concept command from the public-facing WHOIS page to ask the server to display its username, which confirmed that code could run on Epik’s internal server, but he did not test to see what access the server had, as doing so would be illegal.

It’s not known if the Anonymous hacktivists used the same vulnerability that Leo discovered. (Part of the stolen cache also includes folders relating to Epik’s WHOIS system, but the hacktivists left no contact information and could not be reached for comment.) But Leo contends that if a hacker exploited the same vulnerability and the server had access to other servers, databases or systems on the network, that access could have allowed access to the kind of data stolen from Epik’s internal network in February.

“I am really guessing that’s how they got owned,” Leo told TechCrunch, who confirmed that the flaw has since been fixed.

Monster confirmed he received Leo’s message on LinkedIn, but did not answer our questions about the breach or say when the vulnerability was patched. “We get bounty hunters pitching their services. I probably just thought it was one of those,” said Monster. “I am not sure if I actioned it. Do you answer all your LinkedIn spams?”
 