Epik Had A Major Breach

The views expressed on this page by users and staff are their own, not those of NamePros.
I would guess Epik was a safe haven for people living under oppressive regimes. Makes you wonder if this leak is gonna cost people their lives in the literal sense? 12-year-old videos in Syria of someone protesting are enough to get him the death penalty; imagine a leak that indicates you run an opposition website. Sheeesh..
 
•••
Interesting new development in the Epik hack:

Apparently Epik and Rob have been helping the Feds for several years.
Complying with court orders and subpoenas isn't exactly helping the Feds as such. It would, I think, be a legal requirement. Law enforcement agencies can make such requests under various pieces of legislation and a registrar in the US has to comply. Registrars in other jurisdictions would also have to comply with court orders in their jurisdictions. Perhaps some people with a greater knowledge of the US legal system can clarify the process for these requests/orders.

Regards...jmcc
 
•••
I would guess Epik was a safe haven for people living under oppressive regimes. Makes you wonder if this leak is gonna cost people their lives in the literal sense? 12-year-old videos in Syria of someone protesting are enough to get him the death penalty; imagine a leak that indicates you run an opposition website. Sheeesh..

Exactly, that is my real issue with this whole thing. Rob is a terrible human that should not ever be trusted.
 
•••
Complying with court orders and subpoenas isn't exactly helping the Feds as such. It would, I think, be a legal requirement. Law enforcement agencies can make such requests under various pieces of legislation and a registrar in the US has to comply. Registrars in other jurisdictions would also have to comply with court orders in their jurisdictions. Perhaps some people with a greater knowledge of the US legal system can clarify the process for these requests/orders.

Regards...jmcc

I know it pretty well. As I stated in my post, those are examples of actions with subpoenas; allegedly there are many, many more with no subpoena, just Rob getting back at people he doesn't like. I figured he was doing that and that is why I left many years ago when I saw him for what he is.
 
•••
@Derek Peterson I wouldn't go that far, Derek ^^ I personally like Rob; he was always super nice to me and helpful, but that doesn't mean the breach never happened in my book or to shift the blame to someone else. Epik made a huge mistake that will probably cost people more than money..
 
•••
@Derek Peterson I wouldn't go that far, Derek ^^ I personally like Rob; he was always super nice to me and helpful, but that doesn't mean the breach never happened in my book or to shift the blame to someone else. Epik made a huge mistake that will probably cost people more than money..

Yes, but Rob has a history of this. Years ago he was touting a VPN that he claimed to own and had total control of and assured everyone they would be perfectly secure using his service. He was lying; it was a white label product that he was simply reselling. I called him out for it because I was worried about his users and he responded by calling me names, threatening me with court actions and even "judgement day" for simply telling the truth. He doesn't care about others. Be a man, just because he was "nice to you" doesn't mean he is a good guy.

Edit by moderator: removed name calling and rule reminder sent.
 

Attachments

  • epik threats reply.png
  • monster threats.png
•••
What makes you think I am not participating? Because I don't post endlessly off topic. I have read it all, gramps; I have forgotten more than you will ever remember. I will continue reading, and by thanking, liking or disliking, I will be able to participate without endless irrelevant posts. This is out of my control; I am taking care of what I can at this end. Thanks Rob for opening my eyes. May God bless you and all those you love. Amen

You haven't contributed anything of value (or substance) that is relevant to these discussions.

It's not your job to judge if my posts are on topic or not.

If you believe that I have made an inappropriate post you can report it to the Mods and let them deal with it, but if you want to take it upon yourself to limit or curtail my right to participate in these discussions then it's your actions and posts that are going to be off topic and that are going to continue to interfere with the discussions in this thread.

You don't need to reply if you are going to infringe on my rights further by trying to limit my participation in this forum.

IMO
 
•••
CC data is a big puzzle in this story. The original PDF (a link in the beginning, 60+ pages ago) was of the opinion that there are no CC details included in the "release". It was unclear whether the hackers deleted those from public release OR they never got them. Later, there were screenshots showing partial CC numbers (without CVC/CVV codes). So, what really happened?
It seems that the CC numbers were saved for logging suspicious and fraudulent transactions. It doesn't make sense to me why they need to store so much information about them (especially since their payment gateway likely has a copy of the data), but the data includes the first 4 digits and last 4 digits of the CC number, the expiration date, the CVV code, and the billing information about the user.

There is another location that contains CC numbers (first 6 digits and last 4 digits), but it seems to be InTrust data from before the Epik acquisition. The transactions are only from 2009 and 2010.

A third location contains full CC numbers, but there are only 16 of them, and they are also from around the same time period.

Speaking of logs, it seems like a huge waste for Epik to store so much information for logging purposes. One table I see has almost 35 million entries. Do they really need to keep detailed logs from over 11 years ago?
 
•••
First - I think the topic here is:
Epik Had A Major Breach
We don't need to waste time to discuss how to help Epik or Rob.

If they don't know how to run a business except spamming everywhere then they will be out of business. This applies to any business, not just the registrars.
Second - There are 2 types of hacking -
- Using DDoS, which brings massive traffic to the site to take the site down (which is not the case here)
- Or going to the backdoor, downloading customer data and exposing it to the public or selling it on the black market. So the owner will not even know that the site is hacked until the hacker tells them.
That the site is running OK does not mean it's not being hacked.
And a suggestion for someone who keeps posting off-topic posts: you can go ahead and create a thread yourself rather than coming here, wasting time and confusing people.
 
•••
It seems that the CC numbers were saved for logging suspicious and fraudulent transactions. It doesn't make sense to me why they need to store so much information about them (especially since their payment gateway likely has a copy of the data), but the data includes the first 4 digits and last 4 digits of the CC number, the expiration date, the CVV code, and the billing information about the user.

There is another location that contains CC numbers (first 6 digits and last 4 digits), but it seems to be InTrust data from before the Epik acquisition. The transactions are only from 2009 and 2010.

A third location contains full CC numbers, but there are only 16 of them, and they are also from around the same time period.

Speaking of logs, it seems like a huge waste for Epik to store so much information for logging purposes. One table I see has almost 35 million entries. Do they really need to keep detailed logs from over 11 years ago?

Again, MAJOR violations when it comes to PCI compliance, especially related to the CVV codes.

 
•••
Proof? Is the site still up and running? Is the site doing business? You want pertinent information that Epik can't share at this time... remember... investigations are ongoing... Do you have any reports of the data being used for criminal activity? CC use, etc.? None have been reported that I have seen as of right now

Check your email if you are an Epik customer... They said they are working on the exploits

I don't need to provide any damn evidence to say that Epik is doing fine and under the circumstances Rob is doing great

So your proof is that the site is up and running and it is accepting new customers and they are "working on it" and you "don't need to provide any damn evidence". Thanks for the news flash, Sherlock. Wow, everyone can go back to their business, nothing to see here folks. Sheesh.

The hackers didn't crash the site. They downloaded a searchable database of private data. People's lives have already been affected according to investigative reports.
 
•••
I have already heard of several people losing their jobs because of this EPIK Hack. Is a class action lawsuit against this Rob Monster, or EPIK possible? Assuming this hack wasn't an inside job, which I believe it was.
 
•••
Does the carcass of Epik (and their customers) end up with GoDaddy or Web.com in the end, I wonder.
 
•••
yes, but Rob has history of this. years ago he was touting a VPN that he claimed to own and had total control of and assured everyone they would be perfectly secure using his service. he was lying, it was a white label product that he was simply reselling. I called him out for it because I was worried about his users and he responded by calling me names, threatening me with court actions and even "judgement day" for simply telling the truth. He is a psychopath, he doesn't care about others. Be a man, just because he was "nice to you" doesn't mean he is a good guy. Weak, very weak you are.

Rob's TrustRatings (https://trustratings.com) also just copied the code from the huge review company TrustPilot (https://trustpilot.com), which I mentioned on NP several years ago and got me into a huge fight with him.

By the way, Epik still gets great reviews on TrustRatings: https://trustratings.com/epik.com. Strangely, nearly all reviewers have done just that one review...

I cannot condone hacking, but there is something not right about Robert Monster. And as expected, it all came crashing down.
 
•••
I have already heard of several people losing their jobs because of this EPIK Hack. Is a class action lawsuit against this Rob Monster, or EPIK possible? Assuming this hack wasn't an inside job, which I believe it was.

Who lost their jobs?
 
•••
Epik just released the full details of 100,000 people, many of whom are in vulnerable positions, some even life threatening.
It would be better if you kept your posts factual. Epik did not release these details. Anonymous released the details. Yes, Epik left the details vulnerable, no doubt, but they did not release them at all. It's pretty clear you have rather a vendetta against Rob. That's up to you, but your contribution to this thread might be more valuable if you'd leave some of the personal remarks about him out of this.
 
•••
I would be surprised if these credit card companies did not pull their services.

This appears to be such an egregious violation of PCI compliance rules.

PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized. Some service providers offer a concierge-style service, where cardholder details are retained by the provider to facilitate potential future transactions. Retention of card verification codes/values for this purpose is also prohibited under PCI DSS Requirement 3.2.

Isn't this something that many registrars do? That "save your credit card for easier future transactions"? Good thing I don't use Porkbun anymore, they force you to have at least 1 saved and if removal is wanted, you have to contact them. Aren't almost all registrars considered as violators of this rule?
 
•••
Isn't this something that many registrars do? That "save your credit card for easier future transactions"? Good thing I don't use Porkbun anymore, they force you to have at least 1 saved and if removal is wanted, you have to contact them. Aren't almost all registrars considered as violators of this rule?

Saving your credit card information is not necessarily a violation. Many websites do it.

Epik's issue is a combination of things. The info was saved in a non-secure manner, with numbers, names, expirations, cvv, billing info.

But the big issue is the storage of CVV codes. It is an absolute no-no when it comes to PCI compliance.

First of all companies are not required to use a CVV code to bill a credit card. They often use it as a security measure against fraud and because it generally results in lower transaction fees.

Many companies will require the CVV code the first time, as a security measure to mitigate risk.

However, it is absolutely not allowed to store this information, which is something Epik was apparently doing.

What are the PCI compliance rules for CVV storage?

“(3.2.2.) Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after payment processing authorization is complete.”

storage-chart.jpg
 
•••
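An added example, not part of the thread and not any registrar's code: one way to audit and clean a fraud-log row like the one described above, dropping stored verification codes (the Requirement 3.2.2 point) and truncating full card numbers to the first six and last four digits. The field names, the sample row and the choice of truncation are assumptions.

```python
import re

# Field names treated as card verification values (assumed naming; adjust to your schema).
CVV_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "security_code"}
# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# "cvv: 123"-style leftovers inside free-text columns.
CVV_TEXT_RE = re.compile(r"\b(cvv2?|cvc2?|cid)\b(\W{0,3})\d{3,4}\b", re.I)

# Constructed sample row shaped like the fraud log described in the thread (not real data).
SAMPLE_ROW = {
    "txn_id": 1001,
    "card_number": "4111 1111 1111 1111",
    "exp": "09/23",
    "CVV": "737",
    "billing_name": "Test User",
    "note": "declined 4111111111111111, cvv 737; ref 4111111111111112",
}


def luhn_valid(digits):
    """Luhn checksum; filters out order ids and references that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(digits):
    """Keep the first six and last four digits; everything between is masked."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _mask_pans(text, findings, field):
    def repl(match):
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # not a card number, leave untouched
        findings.append(f"{field}: full PAN stored")
        return truncate_pan(digits)
    return PAN_RE.sub(repl, text)


def sanitize(record):
    """Return (clean_record, findings) for one log row."""
    clean, findings = {}, []
    for key, value in record.items():
        if key.lower() in CVV_KEYS:
            if value not in (None, ""):
                findings.append(f"{key}: verification code stored")
            continue  # the column is never carried over, even when empty
        if isinstance(value, str):
            value = _mask_pans(value, findings, key)
            value, hits = CVV_TEXT_RE.subn(r"\1\2[removed]", value)
            if hits:
                findings.append(f"{key}: verification code in free text")
        clean[key] = value
    return clean, findings


if __name__ == "__main__":
    cleaned, problems = sanitize(SAMPLE_ROW)
    print(cleaned)
    print(problems)
```

Running `sanitize` a second time over its own output should produce no findings, which makes it usable as a regression check on a log pipeline.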
Isn't this something that many registrars do? That "save your credit card for easier future transactions"? Good thing I don't use Porkbun anymore, they force you to have at least 1 saved and if removal is wanted, you have to contact them. Aren't almost all registrars considered as violators of this rule?

No online platform that takes card payments seriously stores it locally. At Dan, for example, we store zero card information in our own database. We pass the information to Adyen and they store it as they are the experts in keeping that data safe. So having your card information stored somewhere isn't the problem, but how and by whom it's stored is important to know.
 
•••
https://stripe.com/gb/guides/pci-compliance


Overview of PCI Data Security Standard (PCI DSS)
PCI DSS is the global security standard for all entities that store, process or transmit cardholder data and/or sensitive authentication data. PCI DSS sets a baseline level of protection for consumers and helps reduce fraud and data breaches across the entire payment ecosystem. It is applicable to any organisation that accepts or processes payment cards.

PCI DSS compliance involves 3 main things:

  1. Handling the ingress of credit card data from customers, namely, that sensitive card details are collected and transmitted securely
  2. Storing data securely, which is outlined in the 12 security domains of the PCI standard, such as encryption, ongoing monitoring, and security testing of access to card data
  3. Validating annually that the required security controls are in place, which can include forms, questionnaires, external vulnerability scanning services and 3rd party audits (see the step by step guide below for a table with the four levels of requirements)

Handling card data
Some business models do require the direct handling of sensitive credit card data when accepting payments, while others do not. Companies that do need to handle card data (e.g. accepting untokenised PANs on a payment page) may be required to meet each of the 300+ security controls in PCI DSS. Even if card data only traverses its servers for a short moment, the company would need to purchase, implement and maintain security software and hardware.

If a company does not need to handle sensitive credit card data, it shouldn’t. Third party solutions (e.g. Stripe Elements) securely accept and store the data, whisking away considerable complexity, cost and risk. Because card data never touches its servers, the company would only need to confirm 22 security controls, most of which are straightforward, such as using strong passwords.

Storing data securely
If an organisation handles or stores credit card data, it needs to define the scope of its cardholder data environment (CDE). PCI DSS defines CDE as the people, processes and technologies that store, process or transmit credit card data – or any system connected to it. Because all 300+ security requirements in PCI DSS apply to CDE, it’s important to properly segment the payment environment from the rest of the business so as to limit the scope of PCI validation. If an organisation is unable to contain the CDE scope with granular segmentation, the PCI security controls would then apply to every system, laptop and device on its corporate network. Yikes!

Annual validation
Regardless of how card data is accepted, organisations are required to complete a PCI validation form annually. The way PCI compliance is validated depends on a number of factors, which are outlined below. Here are 3 scenarios in which an organisation could be asked to show that it is PCI compliant:

  • Payment processors may request it as part of their required reporting to the payment card brands
  • Business partners may request it as a prerequisite to entering into business agreements
  • For platform businesses (those whose technology facilitates online transactions among multiple distinct sets of users), customers may request it to show their customers that they are handling data securely

The latest set of security standards, PCI DSS version 3.2.1, includes 12 main requirements with over 300 sub-requirements that mirror security best practices.

Build and maintain a secure network and systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open or public networks
Maintain a vulnerability management programme
  5. Protect all systems against malware and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement strong access control measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an information security policy
  12. Maintain a policy that addresses information security for all personnel

To make it “easier” for new businesses to validate PCI compliance, the PCI Council has created nine different forms or Self-Assessment Questionnaires (SAQs) that are a subset of the entire PCI DSS requirement. The trick is working out which is applicable or whether it’s necessary to hire a PCI Council-approved auditor to verify that each PCI DSS security requirement has been met. In addition, the PCI Council revises the rules every three years and releases incremental updates throughout the year, adding even more dynamic complexity.
 
•••
There are serious penalties for PCI non-compliance

https://www.pcicomplianceguide.org/faq/#15

Q15: What are the penalties for non-compliance?
A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine along until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business. It is important to be familiar with your merchant account agreement, which should outline your exposure.
 
•••
Isn't this something that many registrars do? That "save your credit card for easier future transactions"? Good thing I don't use Porkbun anymore, they force you to have at least 1 saved and if removal is wanted, you have to contact them. Aren't almost all registrars considered as violators of this rule?
Porkbun, they really force you to have CC on file???
I have used it for years via PayPal.
 
•••
Isn't this something that many registrars do? That "save your credit card for easier future transactions"? Good thing I don't use Porkbun anymore, they force you to have at least 1 saved and if removal is wanted, you have to contact them. Aren't almost all registrars considered as violators of this rule?

Porkbun, they really force you to have CC on file???
I have used it for years via PayPal.

Porkbun doesn't force you to do anything. But if you choose to save your card details they do that securely (see above posts regarding saving card info). Porkbun is run by people who actually know what they're doing.

Putting Porkbun next to Epik is like putting a Tesla next to a toy car that doesn't even work properly as a toy.
 