
Epik Had A Major Breach

Silentptnr

The views expressed on this page by users and staff are their own, not those of NamePros.
Epik reported CC info was obtained for "a small subset" of users. The total number of users affected was 110,000. So this 38,000 amount is not really a small subset.

What personal information may have been obtained:
"Name, address, email address, username, password, phone and VAT number (if given),
transaction history, domain ownership, and for a small subset of users, credit card information."

Data Breach Notification (HTML)
https://apps.web.maine.gov/online/aeviewer/ME/40/68401938-23c3-4279-8bc5-d4782e3cba56.shtml

Data Breach Notification (PDF)
https://apps.web.maine.gov/online/a...fd3-db44-4fd4-b8b8-e2b7285e13e9/document.html

Yes, calling that a "small subset" is grossly misleading in my view.

Brad
 
Yes, calling that a "small subset" is grossly misleading in my view.

That could be the subject of a separate investigation by the state of Maine.
 
A snippet from the article:

The Epik spokesperson called the hack “an egregious violation against our users” and said the breached data included up to 38,000 credit card numbers.
That's a lot of credit card numbers in open circulation.

Regards...jmcc
 
That's a lot of credit card numbers in open circulation.

Regards...jmcc


Yes, but the real issue is how and why Epik had full credit card numbers, exp dates and codes stored on their servers?!?!?! That is not even legal. I hope Epik and Rob Monster get sued into oblivion.
 
Yes, but the real issue is how and why Epik had full credit card numbers, exp dates and codes stored on their servers?!?!?! That is not even legal. I hope Epik and Rob Monster get sued into oblivion.

Epik is going to have to answer these questions from the credit card companies. Storing credit card information this way, especially CVV codes, is a major no-no when it comes to PCI compliance.

Then downplaying it as a "small subset" of customers. We will see what legal and regulatory authorities might have to say about that as well.

Brad
 
Yes, but the real issue is how and why Epik had full credit card numbers, exp dates and codes stored on their servers?!?!?! That is not even legal. I hope Epik and Rob Monster get sued into oblivion.
It is certainly going to be a problem. Not sure about the legality of the situation.

Regards...jmcc
 
Epik is going to have to answer these questions from the credit card companies. Storing credit card information this way, especially CVV codes, is a major no-no when it comes to PCI compliance.

Then downplaying it as a "small subset" of customers. We will see what legal and regulatory authorities might have to say about that as well.

Brad
Probably going to have to answer to card holders as well. This is more than incompetence. This is intentional. Just read one story of a realtor getting fired in Florida because of Epik leak. Imagine the dissidents in oppressive nations that have been revealed because of this. I sincerely despise Rob Monster more than I can even express.
 

I would be surprised if these credit card companies did not pull their services.

This appears to be such an egregious violation of pci compliance rules.

PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized. Some service providers offer a concierge-style service, where cardholder details are retained by the provider to facilitate potential future transactions. Retention of card verification codes/values for this purpose is also prohibited under PCI DSS Requirement 3.2.
 
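As an added illustration of the PCI DSS rule quoted in that post (this is example code written for this page, not code from the thread, from Epik, or from the PCI Council), the snippet below shows what a merchant's storage layer may keep once a card transaction has been authorized: a masked PAN, a surrogate token, expiry and cardholder name, but never the card verification code. It also includes a small audit helper that flags stored records still carrying sensitive authentication data or an unmasked full PAN. The field names, the sample checkout payload and the token key are constructed assumptions.

```python
"""
Added example (not code from the thread or from Epik): reduce a raw checkout
payload to the fields PCI DSS permits a merchant to persist after authorization,
and audit stored records for fields that should never have been kept.
"""
import hashlib
import hmac

# Sensitive authentication data: may be used to authorize, must not be stored afterwards.
SENSITIVE_AUTH_DATA = ("cvv", "cvc", "cvv2", "pin", "track_data")

# Hypothetical per-deployment secret used to derive a surrogate token from the PAN.
# In a real deployment the token comes from the payment processor or an HSM-backed vault.
TOKEN_KEY = b"example-only-token-key"


def _digits(value: str) -> str:
    """Keep only the digits of a card number (strips spaces and dashes)."""
    return "".join(ch for ch in str(value) if ch.isdigit())


def mask_pan(pan: str) -> str:
    """Return the PAN with at most the first 6 and last 4 digits visible."""
    digits = _digits(pan)
    if len(digits) < 13:
        raise ValueError("PAN too short")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Derive a keyed surrogate for the PAN so the full number need not be stored.
    Constructed illustration only: a real system uses a processor-issued token."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def record_after_authorization(checkout: dict) -> dict:
    """Build the record that may be persisted once the transaction is authorized.
    CVV and any other sensitive authentication data are deliberately not copied."""
    return {
        "card_token": tokenize_pan(checkout["pan"]),
        "pan_masked": mask_pan(checkout["pan"]),
        "expiry": checkout["expiry"],        # permitted if stored protected
        "cardholder": checkout["name"],      # permitted if stored protected
        "auth_code": checkout["auth_code"],  # processor's authorization reference
    }


def find_prohibited_fields(record: dict) -> list:
    """Audit helper: list fields that must not be present in a stored record.
    Flags sensitive authentication data and a full, unmasked PAN."""
    flagged = []
    for key, value in record.items():
        if key.lower() in SENSITIVE_AUTH_DATA:
            flagged.append(key)
        elif key.lower() == "pan":
            raw = "".join(str(value).split())
            if len(raw) >= 13 and raw == _digits(value):
                flagged.append(key)  # full PAN stored in the clear
    return sorted(flagged)


if __name__ == "__main__":
    # Constructed sample checkout; 4111... is a well-known test card number.
    checkout = {"pan": "4111 1111 1111 1111", "expiry": "12/27", "cvv": "123",
                "name": "J. Doe", "auth_code": "A1B2C3"}
    # Weak pattern: persisting the whole checkout payload as received.
    print("naive record flags:", find_prohibited_fields(dict(checkout)))
    # Corrected pattern: persist only the post-authorization record.
    safe = record_after_authorization(checkout)
    print("safe record flags:", find_prohibited_fields(safe))
    print("stored PAN:", safe["pan_masked"])
```

Running the script shows the naive record flagged for both `cvv` and `pan`, while the reduced record passes the audit and stores the PAN as `411111******1111`.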
CC data is a big puzzle in this story. The original PDF (a link in the beginning, 60+ pages ago) was of the opinion that there are no CC details included in the "release". It was unclear whether the hackers deleted those from public release OR they never got them. Later, there were screenshots showing partial CC numbers (without CVC/CVV codes). So, what really happened?
 
Your comments have nothing to do with Epik. You're ruining this thread. Go start an ICANN thread.

Why should someone like you who has not been participating in this thread come here and try to dictate to me what I can or cannot say?

I can discuss any subject that directly or indirectly has contributed to the current situation, and I don't need your or anyone else's permission to do so.

If my posts are off topic, it's up to the mods to say something about it.

But @Paul himself indicated in one of his comments here that having yearly security audits for Registrars and Registries might actually be a good idea and he is a security specialist.

What has happened with Epik is unfortunate, but how do we know that this is not going to happen again in the future if we don't learn any lessons from this experience?

IMO
 
CC data is a big puzzle in this story. The original PDF (a link in the beginning, 60+ pages ago) was of the opinion that there are no CC details included in the "release". It was unclear whether the hackers deleted those from public release OR they never got them. Later, there were screenshots showing partial CC numbers (without CVC/CVV codes). So, what really happened?

From what I understand there have indeed been 38,000 credit card details, full details, leaked, BUT I have not seen the data myself as I am afraid the data might be cursed, you know, because Rob cursed it and all... LOL. Pretty sad Epik has not made a specific public statement about credit cards.
 

Attachment: curses on data.mp4
There is nothing on their website. Nothing in the blog, or pr section. Just increasing trickle of media reports. Being the owner of BitMitigate, not a lot of mitigating going on. Not even a plan of action? If there is one it should be made public.

But @Paul himself indicated in one of his comments here that having yearly security audits for Registrars and Registries might actually be a good idea and he is a security specialist.

If memory serves, either Paul or someone else made a sensible suggestion that ICANN should enforce that a registrar do security audits (third party) using different companies each time. On their own dime. And if they fail to perform regular audits and something like this happens they lose their accreditation (this sentence I added).
 
If memory serves, either Paul or someone else made a sensible suggestion that ICANN should enforce that a registrar do security audits (third party) using different companies each time. On their own dime. And if they fail to perform regular audits and something like this happens they lose their accreditation (this sentence I added).

This is what @Paul said:

Security audits work best when they’re performed regularly by different auditors. There are security auditors who will sign off on lousy security, but if you’re required to go to a new company each time, you’re not going to get away with the security flaws present at Epik for very long. Personally, I would like to see ICANN enforce annual security audits. That’s not to blame ICANN for what happened, but it would be a nice improvement to their policies that would help address the threats we’re seeing today.

I believe that's in line with my suggestion of continuing the third party security tests and evaluations past the initial accreditation requirements and making it a yearly event.

IMO
 
I believe that's in line with my suggestion of continuing the third party security tests and evaluations past the initial accreditation requirements and making it a yearly event.

I think your suggestion is that ICANN do the actual audit. The difference I raised is that the registrar be responsible for that, and that the penalty, if a serious breach is made for lack of security, is loss of accreditation. This would incentivize the registrars to keep their security in check while not incurring additional costs and other resources to ICANN. Theoretically, the registrar would be incentivized to do internal checks if they have the skills, just to avoid losing their accreditation. In either case, this kind of breach would be avoided. It wouldn't have to be yearly as long as the registrar keeps all their software on the most current updates.

If Epik used the code written by the Russian developer since the purchase of the registrar, this would mean that the PHP version of that code had reached its End of Life a long time ago and was open to exploitation for a long time.
 
I think your suggestion is that ICANN do the actual audit. The difference I raised is that the registrar be responsible for that, and that the penalty, if a serious breach is made for lack of security, is loss of accreditation. This would incentivize the registrars to keep their security in check while not incurring additional costs and other resources to ICANN. Theoretically, the registrar would be incentivized to do internal checks if they have the skills, just to avoid losing their accreditation. In either case, this kind of breach would be avoided. It wouldn't have to be yearly as long as the registrar keeps all their software on the most current updates.

This is what I said:

I believe that ICANN requires those to be evaluated by third parties at the time of accreditation.

What I am saying is that perhaps they need to continue to be reevaluated every year instead of just the one time test that the Registrars have to pass to get accredited originally.

IMO

All security audits have to be done by third parties.

But, I would prefer if they were initiated by ICANN and done by independent third party evaluators that were not connected to the Registrars or Registries in any way.

IMO
 
All of your posts have nothing to do with the topic here.
You may want to create a new thread yourself with your own topic.
No one here has the time to worry about what Registrars can do. They should know what to do.
Besides, all of your suggestions are not practical, and as customers we don't care and we can't tell them what to do.

Are you going to give up?
I am done with you.

To a neutral observer you are going to come across as if you were affiliated with certain Registrars and Registries and cared more about protecting their interests rather than that of the Registrants. (just saying)

IMO
 
A snippet from the article:

The Epik spokesperson called the hack “an egregious violation against our users” and said the breached data included up to 38,000 credit card numbers.

I would say that statement by the Epik spokesperson is correct. This hacker attacked thousands of innocent people such as myself...

A report on Epik and Rob... Epik is doing very well under the circumstances... Rob is doing great...
 
A report on Epik and Rob... Epik is doing very well under the circumstances... Rob is doing great...

How? Can you specify?
 
I would say that statement by the Epik spokesperson is correct. This hacker attacked thousands of innocent people such as myself...

A report on Epik and Rob... Epik is doing very well under the circumstances... Rob is doing great...

Epik's (lack of) security was also an egregious violation of their customers' data. I am pretty sure the people who put their trust in Epik expected better.

Brad
 
I can't specify really... just letting people know that the registrar is doing well and Rob is doing good.

Well, that is pretty much useless. Why would you even make such a comment? How do you know? And everyone is relieved that Rob is doing good. What a load off.
 
You are pathetic.
1) Monster had no concern for user data privacy, as shown by the terrible security protocols they used; btw, he has never cared about user privacy, as I exposed years ago related to his false claims of owning a VPN.
2) It took Rob days to admit there was a hack, and he still has not admitted in detail the extent of the credit card data.
3) He initially lied about the hack by calling it a fake news nothingburger.
4) He was storing 10 year old data and even full credit card details.
5) All he has done is put a curse on the data.

Rob is a sociopathic nutjob hiding behind delusions of spirituality.

Mistakes were made... humans make mistakes... Mistakes can be corrected... the mistakes are being corrected... Epik will be much better for it in the end...
 
Epik's (lack of) security was also an egregious violation of their customers' data. I am pretty sure the people who put their trust in Epik expected better.

Brad

They did... I did... but humans aren't perfect... we learn from the mistakes we make... Equifax and Canva learned and came back better... Epik will do the same IMO
 