Epik Had A Major Breach

Elliot Silver (@DInvesting) · 50m
In addition to non-customers, some people who won domain name auctions at NameJet / Snapnames had domain names automatically pushed to Epik accounts they may not have had otherwise.
 
9
•••
A company I’ve never done business with, and would never do business with, has my personal information on file

I've seen a few posts/twits like this but how is it possible Epik would have ANY personal info of someone they did not do business with 'on file'?

I'm asking a serious question...obviously (if what the person says is true) they at some point signed up for something on Epik or one of its subsidiaries...if not, it just means they are another lonely troll looking for attention.
 
1
•••
I've seen a few posts/twits like this but how is it possible Epik would have ANY personal info of someone they did not do business with 'on file'?

I'm asking a serious question...obviously (if what the person says is true) they at some point signed up for something on Epik or one of its subsidiaries...if not, it just means they are another lonely troll looking for attention.

Scraping WHOIS information. As far as I know it contains info like name, email, address, etc. It is certainly not as bad as the customer information that was breached.

Compromised accounts: 15,003,961

Epik does not have anywhere close to 15M customers.

Brad
 
10
•••
No doubt that Epik needs to be held accountable,

But at the end of the day, people still have to decide which direction they want this thread to take:

To Reform

or

To Destroy

IMO
 
5
•••
No doubt that Epik needs to be held accountable,

But at the end of the day, people still have to decide which direction they want this thread to take:

To Reform

or

To Destroy

IMO

Sorry but it's over.

There's no reform.
Name is destroyed. Do you read what's being said online?
"a very bad registrar that hosts nazis was targeted by anonymous the heroes and all their data got leaked".

Reputation is destroyed.
No one wants their domain at a registrar which is targeted by hackers and government agencies of all sorts because of their practice (being a haven for undesirable websites).

Had it been a very large and established company, some straightforward PR and security measures would have mitigated the damage, given they are not dealing with undesirable websites (that's why GD kicks them out).

Epik, being a small company, is done.
Sorry, but there's no way out of this.

Banned by PayPal, banned by Afternic, most domainers had already left them before this.
Now it's everyone, think about those running a business on a domain, think you're gonna risk losing your business through this MASSIVE breach.

Done. You can't mitigate this, the factors pushing against a small company are too great.
 
6
•••
No doubt that Epik needs to be held accountable,

But at the end of the day, people still have to decide which direction they want this thread to take:

To Reform

or

To Destroy

IMO

No, all that matters at this moment is Epik taking accountability and doing what they can to mitigate further damage. They need to protect their customers' information and make anyone whole who suffered damages due to their lack of cybersecurity.

We need to know clearly what happened, how it happened, and what steps Epik is taking to fix it and compensate customers for any damages that might be incurred.

If after all this stuff they can rebound, then whatever, but at this point the priority is the customers who have had their data exposed through no fault of their own.

Brad
 
11
•••
No, all that matters at this moment is Epik taking accountability and doing what they can to mitigate further damage. They need to protect their customers' information and make anyone whole who suffered damages due to their lack of cybersecurity.

We need to know clearly what happened, how it happened, and what steps Epik is taking to fix it and compensate customers for any damages that might be incurred.

If after all this stuff they can rebound, then whatever, but at this point the priority is the customers who have had their data exposed through no fault of their own.

Brad

Of course "To Reform" starts with taking all the steps that you and others have mentioned so far, but the question is do you want to pull the plug on Epik right now (as some people seem to want to do) or do you want to give them a chance to do the right thing and own up to this situation?

IMO
 
3
•••
Elliot Silver (@DInvesting) · 50m
In addition to non-customers, some people who won domain name auctions at NameJet / Snapnames had domain names automatically pushed to Epik accounts they may not have had otherwise.

Also, some NP domainers will only push auctioned domains from one Epik account to another.
 
4
•••
Of course "To Reform" starts with taking all the steps that you and others have mentioned so far, but the question is do you want to pull the plug on Epik right now (as some people seem to want to do) or do you want to give them a chance to do the right thing and own up to this situation?

IMO

I don't really care. It is not my responsibility to worry about the company of Epik.

I care about as much for Epik when they leak my information as I do for Verizon when they leak my information.

(I am not even sure how I ended up with an Epik account in the first place. It is not like it is something I proactively did. I think it might have been involving some domains I won at auction or purchased from InTrust Domains years ago, before Epik acquired them.)

What matters is the potential damage that has been done to customers, and unrelated 3rd parties.

The ball is in Epik's court to keep people informed and fix it. It is no one else's responsibility.

We still have hardly anything on what actually happened and how it happened.

Brad
 
10
•••
Why do you want to give them a chance when you run a business and they screwed up with your data and messed up your life?
Do they seem to care?
 
2
•••
Hackers are just outcome.
Roots/Reasons are their toxic lifestyle and pseudosecurity.
 
1
•••
That WHOIS issue is going to bring a lot of attention. It is a major topic within ICANN circles.

Regards...jmcc
 
12
•••
Why do you want to give them a chance when you run a business and they screwed up with your data and messed up your life?
Do they seem to care?

Because I want to remain fair and unbiased and not let my personal feelings affect my judgment.

I would give a chance to anyone who wants to reform their old ways.

IMO
 
5
•••
Why do you want to give them a chance when you run a business and they screwed up with your data and messed up your life?
Do they seem to care?

It was already discovered and called: Stockholm syndrome.
 
1
•••
That WHOIS issue is going to bring a lot of attention. It is a major topic within ICANN circles.

Regards...jmcc

Yes, eventually ICANN might have something to say about this.

I am not sure of what, if any, potential ICANN policies might have been in play here when it comes to scraping, storing, and protecting WHOIS information. I am also not sure how GDPR might come into play with this data.

Brad
 
3
•••
Just reading some of the commentary about the WHOIS data on Twitter. It seems that some of those covering the story don't realise that WHOIS data (at least prior to May 2018) was largely public. Many of the e-mail addresses in the scraped WHOIS records would already have been public. What makes the dataset problematic is that the WHOIS record may link the e-mail address with a real-world identity on a large scale for a lot of e-mail addresses.

Regards...jmcc
 
19
•••
French magazine Le Monde just retweeted this hack to their 9.3M followers on Twitter. It is only a matter of time until this is picked up by the true mainstream outlets in the US.

Brad
 
4
•••
Just reading some of the commentary about the WHOIS data on Twitter. It seems that some of those covering the story don't realise that WHOIS data (at least prior to May 2018) was largely public. Many of the e-mail addresses in the scraped WHOIS records would already have been public. What makes the dataset problematic is that the WHOIS record may link the e-mail address with a real-world identity on a large scale for a lot of e-mail addresses.

Regards...jmcc

Is this a problem with Epik only or are there others that are also scraping and storing Whois info?
 
3
•••
Yes, eventually ICANN might have something to say about this.

The WHOIS problem is a major topic, Brad.
Some of the discussions have focused on a natural person (individual) versus a legal person (a company) and a potential field in the WHOIS data to identify the registrant type. The natural person's data would not be publicly disclosed.

I am not sure of what, if any, potential ICANN policies might have been in play here when it comes to scraping, storing, and protecting WHOIS information. I am also not sure how GDPR might come into play with this data.

The GDPR stuff is a minefield. Arguably, those companies categorising Epik registrants on the basis of their political or religious beliefs using the leaked data may have also broken GDPR regulations. (This is what happens when people with a 16th century understanding of the Internet are allowed to make regulations for it.)

This is the GDPR explanation from the Irish Data Protection Commissioner:
https://www.dataprotection.ie/en/who-we-are/data-protection-legislation

This is the EU explanation:
https://gdpr.eu/what-is-gdpr/

Regards...jmcc
 
8
•••
Is this a problem with Epik only or are there others that are also scraping and storing Whois info?

Epik is quite a small player in this respect. There are many others who do it on a much larger scale.

Regards...jmcc
 
10
•••
Daniel Hosterman (@dhosterman)

It is absolutely wild seeing Epik store CC# in MD5 hashes, often with the first and last 4 digits available, leaving an 8 character, numeric only search space. Helpfully, they also store CVV numbers and addresses, so it's an early Xmas for any industrious young hacker. #EpikFail
10:14 AM · Sep 20, 2021

Replying to @dhosterman:
Can knock one of these out in 1 minute, 23 seconds.
 
7
•••
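The tweet's point about the 8-digit search space, worked through as an added example (not part of the thread and not code from Epik): it puts the storage layout the tweet describes beside a keyed alternative. The test card number, the function names and the HMAC-based design are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets

TEST_PAN = "4111111111111111"  # constructed sample: a well-known test number


def luhn_valid(pan: str) -> bool:
    """Luhn checksum that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def weak_record(pan: str) -> dict:
    """Storage as the tweet describes it: unkeyed MD5 beside first/last 4."""
    return {"first4": pan[:4], "last4": pan[-4:],
            "digest": hashlib.md5(pan.encode()).hexdigest()}


def residual_bits(record: dict, pan_len: int = 16) -> float:
    """Uncertainty left in the hidden digits of an unkeyed record, in bits."""
    hidden = pan_len - len(record["first4"]) - len(record["last4"])
    candidates = 10 ** (hidden - 1)    # Luhn fixes one hidden digit
    return math.log2(candidates)


def guess_confirms(record: dict, guess: str) -> bool:
    """No secret is involved, so any holder of the record can test a guess."""
    return hashlib.md5(guess.encode()).hexdigest() == record["digest"]


def hardened_record(pan: str, key: bytes) -> dict:
    """Keyed token (HMAC-SHA256); key is held outside the database (assumption:
    a KMS or HSM). Only last 4 kept for display; no CVV field exists at all."""
    token = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    return {"last4": pan[-4:], "token": token}


if __name__ == "__main__":
    rec = weak_record(TEST_PAN)
    print(f"unkeyed record leaves {residual_bits(rec):.1f} bits to search")
    print("guess confirmed offline:", guess_confirms(rec, TEST_PAN))
    print(hardened_record(TEST_PAN, secrets.token_bytes(32)))
```

About 23 bits is ten million candidates, so an unkeyed digest adds no real protection once the surrounding digits sit next to it. The keyed token is only as strong as the secrecy of its key, which is why the key must not live in the same database.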
Just reading some of the commentary about the WHOIS data on Twitter. It seems that some of those covering the story don't realise that WHOIS data (at least prior to May 2018) was largely public. Many of the e-mail addresses in the scraped WHOIS records would already have been public. What makes the dataset problematic is that the WHOIS record may link the e-mail address with a real-world identity on a large scale for a lot of e-mail addresses.

Regards...jmcc

Yes the data was public in 2018 and prior to that others were scraping it - DomainTools.com offer paid access to historic WHOIS data in their archive.

BUT under GDPR you can only collect data you actually need and keep for as long as the need exists - basically unless there is a case for keeping it, there needs to be a rolling program of deletion. And data subjects have the right to access, correct, and request deletion of all data related to them.

So all EU citizens and residents could contact Epik asking what data Epik holds on them and requesting deletion.
 
9
•••
Why is it that we have the same commenters going on and on and on and on and on and on with hammering Epik on this, and pushing that people get away from them?

Well, somebody has to keep up with the updates. Your first post questioned the validity of the hack, with some ill-researched conspiracy theories included.

How many comments have the same people done in this one thread?

Since you're asking, you have two comments in this thread. We're still waiting for your third, Mr(s)Robs.

Have Joey's twitter accounts been closed now? Can't find the ones in your screenshot, one says suspended.
https://twitter.com/yourdaddyjoey

I noticed the same. I suspect the screenshots within the tweets are from Joey's Gab or other media. The tweet came from @NatSecGeek who is listed as the co-founder of DDOSecrets, so I assume her tweets to be credible, and not photoshopped.

Here's one more about Joey:::


I suppose this is a little more on topic/relevant than Robs1 head in the sand approach, but I wonder how relevant Joey is to this thread besides, possibly being used by Epik to harass @Molly White and maybe a few others as it appears Joey had allegedly been paid $2,000 by Mr. Monster. I questioned if I should have included that last tweet, but since it was domain related, and leftover fodder, I posted the tweet for anyone following this Joey drama subset.

twitter bio says “Founder of #Anonymous (yes that one)”

This is why you’re my favorite #websleuth.
RIGHT to the source! Didn't know that easy.

Probably a mediocre fallguy who doesn't know the meaning of Anonymous. enjoy “fodder” 😉

Samer

@Samer --- you know the saying, if you have nothing nice to say, don't say it at all? Well, in this case, if you don't know what you're talking about, the same rule should apply.


I know you're against mainstream social media, but even you can become world favorite "web twitter sleuth" with this little function on twitter called "search". See below screenshot:

https://twitter.com/search?q=#epikfail namepros&src=typed_query



Or strive to become favorite Twitter sleuth 2.0 (VERY NICE, how much?), when you're ready, you can graduate to twitter advanced search < https://twitter.com/search-advanced?lang=en > . ****Just make sure you read the manual first so you don't break anything. 🧀
 
7
•••
Epik is quite a small player in this respect. There are many others who do it on a much larger scale.

Regards...jmcc

So perhaps many of the problems that everyone is focusing on concerning Epik needs to be addressed at a much larger scale.

Hence the need for some Reforms across the board.

IMO
 
4
•••