Epik Had A Major Breach

Silentptnr

•••
As for potentially spoofed emails from E, as well as emails sent to "leaked" addresses in general:

The following may be helpful to combat phishing:
1) How to get email headers:
https://mxtoolbox.com/Public/Content/EmailHeaders/
2) Understanding An Email Header:
https://mediatemple.net/community/products/dv/204643950/understanding-an-email-header
3) IP address check and extra details:
https://bgp.he.net

Epik dot com appears to be using a "quarantine" DMARC [Domain-based Message Authentication, Reporting and Conformance] policy, which means that the following _should_ happen if somebody tries/tried to spoof an epik "From" address:

If the email receiver has a quarantine mailbox, this is where the message will be delivered. It will then be up to the administrator of the mailbox to decide if the email gets delivered or thrown away.

I would not count on it though. If the hackers are still in (they changed the epik support page once) - then they may also be able to send emails "from" epik addresses using legitimate channels. Who knows...
•••
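How the "quarantine" policy described in the post above plays out at the receiving side, as an added example in Python (not code from the post or from Epik): it evaluates DMARC alignment from constructed authentication results, once for a forged From sent from an outside server and once for mail relayed through the domain's own mail system, which is the caveat the post raises. The DMARC record and the domain names are constructed; a real check reads the `_dmarc` TXT record from DNS and the `Authentication-Results` header of the message.

```python
"""DMARC disposition for the spoofing scenario described in the post above.

Added example, not code from the post or from Epik. The record string and the
authentication results are constructed; a real check reads the domain's
_dmarc TXT record from DNS and the Authentication-Results header of the mail.
"""

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into tag=value pairs, filling in RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Organisational domain, approximated as the last two labels (no public-suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record: str, from_domain: str, spf_result: str,
                      spf_domain: str, dkim_result: str, dkim_domain: str) -> str:
    """'pass' if SPF or DKIM passes with alignment; otherwise the p= action (pct sampling ignored)."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

# Constructed record carrying the same "quarantine" policy the post describes.
EXAMPLE_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"

def spoofed_from_outside() -> str:
    """Forged From: sent from a foreign server: SPF fails, no DKIM, so the receiver quarantines."""
    return dmarc_disposition(EXAMPLE_RECORD, "example.com", "fail", "example.com", "none", "")

def sent_via_legitimate_mailer() -> str:
    """The post's caveat: mail relayed through the domain's own mail system gets an
    aligned DKIM signature, so DMARC passes even if an intruder wrote the message."""
    return dmarc_disposition(EXAMPLE_RECORD, "example.com", "pass", "mail.example.com",
                             "pass", "example.com")
```

Mail that passes this check has only proven it left the domain's authorised mail path; it says nothing about who wrote it, which is why header analysis alone cannot settle the second case.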
Is it possible to check if my credit card data (number, CVC, name, address, and other details) from my epik account was compromised?

Are there any already known attempts to withdraw money from cards that fell into hands of cybercriminals as a result of epik.com hacking?
•••
Did anyone receive a suspicious-looking mail allegedly from E?

Got 1 apparently from "maychen" @ E with super suspicious title "follow up". Sounds like a spammer/scammer with spoofed email address but I'm not sure.

Just got off live chat on Epik. Turned out to be legit. Just an email asking me stuff just because I was transferring out many names.
•••
Is it possible to check if my credit card data (number, CVC, name, address, and other details) from my epik account was compromised?

Are there any already known attempts to withdraw money from cards that fell into hands of cybercriminals as a result of epik.com hacking?

No attempts at unauthorized use of financials have been reported yet, to my knowledge ..
•••
No, that's a research account.

I know more than I have posted .. but I am not prepared to release it yet

Edit by moderator: removed inappropriate content
•••
I know more than I have posted .. but I am not prepared to release it yet

Please enlighten us... if this is as big an issue for you as you make it out to be.
•••
Please enlighten us... if this is as big an issue for you as you make it out to be.

I will enlighten you on my time .. not yours .. I can not release certain discovery at this time .. I will release it once it is processed
•••
I know more than I have posted .. but I am not prepared to release it yet

You don't know the difference between an anti-fascist research account and a hacker. You can't just accuse the most prominent related account of being the person who did this, unless you have some evidence that it is.

Your behaviour, and the behaviour of others here since I've joined, has been incredibly unprofessional, very ironic for a site called "NamePros". Before I go I want to thank those of you who took me seriously and appreciated my contributions. To those of you who couldn't respect me because I don't respect your favourite corporation, I hope you seriously consider your behaviour in this thread, because I don't believe history will look upon your actions here favourably.

Game over, thanks for playing.

Content removed by a moderator.
•••
I will enlighten you on my time .. not yours .. I can not release certain discovery at this time .. I will release it once it is processed

So... Not backed up by any verifiable data ATM?
•••
Every person can download files and see what's what, share and exchange information. If you follow up the entire Internet (vs Twitter, FB etc), you'll find that all/most of so-so sensitive data is already posted - everywhere.
•••
Why is it that so much attention is being given by the activists and researchers to Epik's so-called unsavory customers, while all the other registrars and hosting companies that cater to all kinds of other unsavory customers and bad actors are being ignored?

I would guess this has a lot to do with notoriety. Every service provider will on occasion have customers misuse their services and host some unsavory content. But that is completely different from actively courting them and espousing or promoting their views.
•••
Temporarily closing the thread until the moderators catch up.

We don't allow threats on NamePros, including vague, ominous threats of doxxing.
•••
As a reminder:

I want to make it very clear at this point that we will not be permitting personal attacks against researchers.

We're not going to allow vague accusations like that here. I know it's commonplace on Twitter, but it's not appropriate for NamePros.

Address the claims within each post, not the person or account behind those claims.

Warnings have been issued. If it continues, restrictions will follow.

Please stay on topic.
•••
Is domain drop catching still a problem these days?

(Edit: I was going to elaborate, but pressed the post button trying to quote something. Maybe karma because I was laughing at Monster muting himself all the time in the Q&A. I'm interested in how the Epik Fail data could be used to dropcatch domains. And also in the fact that InTrust Domains was a dropcatch company and its dev team was developing dropcatch tools before being acquired by Epik.)

...
Rob Monster, YT0:11:05: It’s me. I tried to mute the new person but I muted myself, that’s me. So when we… this will sound funny. When this breach occurred, I think for many of our top engineers this was the first time they saw the code. And that sounds really stupid, but the history of Epik is that we acquired a company called IntrustDomains back in 2011. Let me give you the story. So 2009, Epik gets started. We’re like a domain name asset management company, we set up these websites, we figure out ways to create content, put them on exact match domains, and then Google indexed them and they made a lot of money because Google used to weight the domain name very highly in their algorithm. And then like in 2010, like around October, there was Google Panda and they kind of took the punch bowl away, and our business model was just trash. Actually in the fourth quarter of 2010 and in the first quarter of 2011 we actually had negative revenue because we were reimbursing people who had bought sites from us that were not making money because Google deindexed all of them. And so I had to make a decision do I fold the tent and shut down Epik, or do I retool and come up with a new business model? So I didn’t draw salary for a long time. We made a decision that a client, or a supplier, that we were working with at the time called IntrustDomains based in Colorado Springs, they were providing software for drop catching. So when the domain name expires you drop catch it. They were providing us with drop catching services. But their customer service was atrocious, and so I flew down to Colorado Springs, talked to Ken Palm who’s the founder and owner, and I said, “Ken, you guys are really, really bad at customer service. Why don’t you sell me your registrar and let me run that registrar?” And so he agreed, and he didn’t charge me a ton, and so we bought that company, and it came with a Russian development team. So this was 2011, I think. June 2011.

(...)

Monster, YT0:13:49: So we ended up acquiring this company, and it came with a Russian dev team. At the time they were based in the Ukraine, or in the Crimea region. Then there were wars and then they moved to Krasnodar, and they’re based there. They’re pretty talented, but the legacy codebase of the early Epik… [reading the chat. Full comment from chat was from “JorgeOrwell”: “So you bought some shitty russian code and never fixed it? MD5s. Rob common (sic) man”] Yes, shitty Russian code. We bought some shitty Russian code and we actually didn’t really have an opportunity to evaluate that code until we finished, until we really took control over everything. If you look, if you go to Epik Labs, epik.com/labs, we have a full catalog of a lot of other things that we’ve been developing.

(...)

Monster, YT1:28:37: Yeah, I agree it was bad. Absolutely. And if you missed it, the developers that we got from the Russian team, they’re kind of captive. A dev team that’s captive. They’re not Epik employees, the legacy Russian dev team. They’re part of our team, they’re part of our culture, I trust them implicitly, they’re like brothers. Many of them are Christians. And you know, we have Jews, we have Muslims, that’s not a statement, I’m just saying that we have some common code of conduct. And they’ve been great, they’ve always been honorable, fair. They’re smart, diligent, call them at three in the morning to get out of bed, do whatever. But I think now that we’ve seen the code, a bunch of stuff’s gonna get rewritten.
•••
This thread is slowly "dying". Which is an expected outcome imo, as, basically, everybody already said what they wanted to.

As a curiosity, I checked social networks and, to my surprise, found that the "epik fail" theme is quite active there. Why is this? Why such a contrast?

NamePros is a very niche forum with a relatively small number of active participants, at least in comparison to social media like Twitter.

This is drawing the interest of other much larger fields than domain investing such as cybersecurity, legal, business, etc.

There has not been much more info released on the breach by Rob or Epik, so Twitter is going to fill in the gaps. It will continue to gain more steam on social media as millions have been affected by this data breach, and an army of people are essentially crowdsourcing their findings. As time goes on more and more is going to be discovered.

Brad
•••
Is domain drop catching still a problem these days?

(Edit: I was going to elaborate, but pressed the post button trying to quote something. Maybe karma because I was laughing at Monster muting himself all the time in the Q&A. I'm interested in how the Epik Fail data could be used to dropcatch domains. And also in the fact that InTrust Domains was a dropcatch company and its dev team was developing dropcatch tools before being acquired by Epik.)

The big problem with the Epik data breach is that people may be unfamiliar with the terminology or the methodology of the domain name business. The numbers of the large-scale Domain Tasting era (where domain names would be registered for the five-day Add Grace Period, tested for their pay per click advertising revenue and deleted if they weren't making money, without the registrar having to pay for them) are in the free-to-read pages on Amazon (Chapter 2 - Money for Nothing) of the Domnomics book in my signature. Over a billion (1,000,000,000) domain names were registered and deleted in .COM over a few years. InTrust Domains (if it was Domain Names International Inc) was not one of the main registrars during that time. The combined gTLD figures for the registrar for some of the peak Domain Tasting months are quite low.

| Month | Total Domains | New | Deleted | Deleted Grace |
|---|---|---|---|---|
| 200704 | 2556 | 70 | 21 | 2 |
| 200705 | 2454 | 48 | 17 | 1 |
| 200706 | 2436 | 58 | 10 | 2 |
| 200707 | 2363 | 44 | 10 | 2 |
| 200708 | 2299 | 44 | 22 | 5 |
| 200709 | 2286 | 38 | 8 | 1 |
| 200710 | 2224 | 52 | 19 | 1 |
| 200711 | 2163 | 31 | 16 | 0 |
| 200712 | 2083 | 18 | 10 | 20 |

Compared with one of the main players, Belgium Domains LLC, in the same period:

| Month | Total Domains | New | Deleted | Deleted Grace |
|---|---|---|---|---|
| 200704 | 603695 | 37025 | 1690 | 11183568 |
| 200705 | 552273 | 30346 | 589 | 1693704 |
| 200706 | 579352 | 35344 | 558 | 11845015 |
| 200707 | 608907 | 33067 | 1266 | 1344979 |
| 200708 | 631581 | 31285 | 1489 | 14956845 |
| 200709 | 633637 | 39904 | 2924 | 1002185 |
| 200710 | 655115 | 51136 | 2977 | 779980 |
| 200711 | 632726 | 6528 | 12289 | 4754135 |
| 200712 | 578462 | 0 | 7233 | 0 |

A drop catch is a domain name that has been deleted and reregistered just after being deleted. There were networks of registrars specifically created to target deleting domain names. If the domain name didn't have a waiting customer or could not be sold within the five-day AGP window, it was dropped again. Not all of the deleted grace domain names were dropcatch domain names, but a lot were. At one stage, .ORG had each day's entire set of deleted domain names taken by dropcatcher registrars. There are around 2,500 ICANN accredited registrars. Of these, only 600 or so are retail registrars. Most of the rest are dropcatch registrars.

The simple explanation for dropcatching is that it starts with the WHOIS record. There were quite a few of those in the Epik dataset. A WHOIS record will have the creation date for the domain name, its expiry date and its last modified date. When you have that data, you know when a domain name is up for renewal and likely to drop if not renewed. The first step is as simple as extracting the domain name, the creation date and the expiry date from the record and putting it in a database table. That creates a kind of watch list.

Then there is a kind of qualification of the domain name. Not all domain names are equal, so the potentially high value ones are short domain names, one-word domain names or domain names that contain potentially valuable phrases. There's another type where someone owns a similar version of the domain name. If a domain name has a working website with a lot of links to it, it becomes more valuable, because a website on the domain name after it is reregistered will still get traffic. That traffic could be monetised.

Dropcatching software is relatively simple but can be computationally intensive at the upper scale. In 2011, Google changed its algorithms. Unfortunately for Google, it labours under the premise that they are the smartest guys in the room. While its new algorithm took out a lot of the low hanging fruit, it did not really affect the drop catching business. It still continues to this day.

There is dropcatching software available that can run on a desktop or laptop. The main constraint is the number of people trying to catch the deleting domain name. This is where the dropcatcher with the largest number of registrars has the advantage. These registrars can send hundreds of requests to the registry for the domain name as it deletes. Some individual domainers get lucky with dropcatching but a lot of the good domain names go to auction on sales sites run by the industrialised dropcatchers. Epik is not a major player in this part of the market as its focus is primarily retail registrations.

Regards...jmcc
•••
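The watch-list step jmcc describes above (domain name, creation date and expiry date pulled out of a WHOIS record into a table), turned around to the registrant's side as an added example in Python, not jmcc's or Epik's code: it parses constructed WHOIS text and flags the owner's own domains that will drop if they are not renewed soon, which is the same arithmetic a third party would run against leaked records. The WHOIS text, the example.com/example.net names and the audit date are constructed.

```python
"""Registrant-side expiry audit from the WHOIS fields named in the post above.

Added example, not jmcc's or Epik's code. The WHOIS text is constructed
(example.com and example.net are reserved names) and the audit date is passed
in explicitly so the result is reproducible; a real audit would read live WHOIS output.
"""
from datetime import date, datetime

SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Creation Date: 1995-08-14T04:00:00Z
Updated Date: 2021-08-14T07:01:31Z
Registry Expiry Date: 2021-10-13T04:00:00Z

Domain Name: EXAMPLE.NET
Creation Date: 2000-02-01T00:00:00Z
Updated Date: 2021-01-30T12:00:00Z
Registry Expiry Date: 2023-02-01T00:00:00Z
"""

# Registries and registrars label the three dates differently; map them to one schema.
FIELD_ALIASES = {
    "domain name": "domain",
    "creation date": "created", "created on": "created",
    "updated date": "updated", "last modified": "updated",
    "registry expiry date": "expires", "expiration date": "expires",
}

def parse_date(value: str) -> date:
    """Registry timestamps are ISO 8601 (often with a trailing Z); the date part is enough here."""
    return datetime.strptime(value.strip()[:10], "%Y-%m-%d").date()

def parse_whois_records(text: str) -> list:
    """Turn one or more WHOIS dumps into rows: the 'database table' step the post describes."""
    rows, current = [], {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        field = FIELD_ALIASES.get(key.strip().lower()) if sep else None
        if field is None:
            continue  # blank lines and fields we do not track
        if field == "domain":
            if current:
                rows.append(current)  # a new "Domain Name:" starts the next record
            current = {"domain": value.strip().lower()}
        else:
            current[field] = parse_date(value)
    if current:
        rows.append(current)
    return rows

def renewal_alerts(rows: list, today, window_days: int = 30) -> list:
    """Domains expiring within window_days (negative = already past expiry), soonest first."""
    if isinstance(today, str):
        today = parse_date(today)  # accept an ISO date string as the audit date
    alerts = [(r["domain"], (r["expires"] - today).days)
              for r in rows if (r["expires"] - today).days <= window_days]
    return sorted(alerts, key=lambda item: item[1])
```

A domain that shows up here is exactly the one a dropcatcher would be watching, so renewing it (or enabling auto-renew) before the window closes is the mitigation the post implies.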
Back in the Washington Post -

https://www.washingtonpost.com/technology/2021/09/25/epik-hack-fallout/

“This is like the mother of all data lodes because Epik was at the center of so many of the extremist websites and organizations that people like me study. Epik was the place of last refuge for a lot of these sites,” said Beirich, co-founder of the nonprofit Global Project Against Hate and Extremism. “And as the data is analyzed and looked at more deeply, we’re going to see this ecosystem in a way that was simply not possible before.”

Beirich said the identities of administrators and web developers and “the money flow” — how the sites stay afloat — are the kinds of details that for years have challenged even the most veteran hate trackers. The Epik hack might help connect the dots, she added.


Lots of other interesting stuff in this article as well, such as -

Epik also has a corporate overlap with VanwaTech, a company that, according to online records, has provided Internet services to the neo-Nazi site Daily Stormer and 8kun, the central node for spreading conspiracy theories central to the QAnon ideology.

Epik bought BitMitigate, a cybersecurity service that was protecting the Daily Stormer from online attacks, from VanwaTech’s owner, Nick Lim, in 2019. Though Epik reportedly severed its relationship with the neo-Nazi site, Lim became chief technical officer of Epik for a time while maintaining his ownership of VanwaTech, based in Vancouver, Wash.

Lim told The Post he remains a partial owner of Epik, and in a Bloomberg profile of Lim, he called Monster “a kind of mentor.” But an Epik spokesperson said the company “does not currently have a relationship with VanwaTech or its owner.”


It is pretty bad to ever have had any relationship with Nick Lim. It is well known what he stands for.

Brad
•••
"Epik, based outside Seattle, said in a data-breach notice filed with Maine’s attorney general this week that 110,000 people had been affected nationwide by having their financial account and credit card numbers, passwords and security codes exposed. An earlier data-breach letter from the company, filed to comply with Montana law, was signed by the “Epic Security Team,” misspelling the company’s name. An Epik spokesperson said it was a simple typo."

https://www.washingtonpost.com/technology/2021/09/25/epik-hack-fallout/
•••