Epik Had A Major Breach
The views expressed on this page by users and staff are their own, not those of NamePros.
And, in their minds they are already "exposed", so why bother moving? Most of them won't even care or blame Epik at all. In fact, it might end up being used as marketing, e.g. the Gab hack and all the "nazi" and "fascist" accusations helped Gab raise millions.
Have some rest Derek, it's over.

Look, you are famous
 
I'm going on the commentary from Twitter and elsewhere. The ID documents are a major problem (among a lot). Multiple servers are exposed and it is possible that the ID documents could be there unless they've been deleted from the leak. The one thing that has slowed down analysis and dissemination of the first leak is a lack of domain industry knowledge. Not only do those doing the analysis have to understand the structure of Epik's databases and data (some very good analysis has been posted on Twitter about this), they have to understand how it is used and the purposes for which it is used. Reverse-engineering is more difficult than ordinary engineering because it is necessary to work out why some decisions were made and what they are intended to achieve.

For a registrar, it is a very serious problem. That Domaintools link above should be accurate on the changes. Some portfolio operators may be the first to move.

Regards...jmcc
Also MaxMind is not going to be happy, as their reasons for flagging card risk have been exposed in plain text in the SQL.

Many people now know how to avoid being flagged or have a low score.
 
Registrarowl uses the ICANN registry reports and the latest reports ( https://www.icann.org/resources/pages/registry-reports ) are for May 2021. The impact won't be seen in those registry reports until the reports that will be published in January to April 2022. Domaintools is using the daily zone files to calculate those stats. The main reason for the difference between the zone counts and the ICANN registrar counts for a registrar is that a percentage of domain names are not hosted on the registrar's nameservers and are hosted on those of resellers. (The gTLD reseller market is about 24% globally.) Domaintools gives more of a real-time view of things. It may take a few weeks for some of the larger portfolio operators to move their domain names off Epik if they are going to do so, but a lot of them will be using Epik's sales and parking service, so it would be a more complex move.

Regards...jmcc
 
Can anyone explain to me how Epik is still up and running after all of this? I mean, there is no security measure you can take at this point other than starting from scratch.
It has to remain running. If it shuts down, people cannot move domain names out of and into Epik. If it shuts down, people panic. When people panic, they all try to move their domain names.

Regards...jmcc
 
Epik should have arranged 3rd party registrar "hosted platform" solution after the original breach. What else?
Such as -
OpenSRS HRS:
https://opensrs.com/services/hosted-registrar-services/
Directi Logicboxes:
https://www.logicboxes.com/registrar-automation-program/

Will they do this now? And, if so, would the 3rd party platform accept them? Who knows. Too late I guess...
It is a mess and changing the registrar of record on a lot of domain names would be noticed. It would also create a nightmare in accounting due to Epik currently having ICANN wholesale pricing. Right now, it has to create the image that it is business as usual.

Regards...jmcc
 
It is a mess and changing the registrar of record on a lot of domain names would be noticed. It would also create a nightmare in accounting due to Epik currently having ICANN wholesale pricing. Right now, it has to create the image that it is business as usual.

Regards...jmcc

RegFly anyone?

Peace,
Kenny
 
It is a mess and changing the registrar of record on a lot of domain names would be noticed. It would also create a nightmare in accounting due to Epik currently having ICANN wholesale pricing. Right now, it has to create the image that it is business as usual.
Above solutions are for accredited registrars who are unable or unwilling to maintain their own infrastructure.
r4l.com (register4less) registrar is using OpenHRS, for example. A bunch of Indian registrars are using Logicboxes. No registrar changes, the same ICANN accreditation.
 
RegFly anyone?

Peace,
Kenny
Worse, Kenny,
RegFly collapsed itself, but the signs were there for a long time and very little was done about it. ICANN finally got around to dealing with RegFly. It acted very quickly (by ICANN standards) with Alpnames after its website disappeared. Epik's problems are down to poor security rather than business.

Regards...jmcc
 
Above solutions are for accredited registrars who are unable or unwilling to maintain their own infrastructure.
r4l.com (register4less) registrar is using OpenHRS, for example. A bunch of Indian registrars are using Logicboxes. No registrar changes, the same ICANN accreditation.
There was an OpenSRS table in the first leak, I think. It may have been in the Intrust tables. If the current leak is comprehensive then the ICANN registrar data may be on those servers. If it is not outsourcing already, then outsourcing now would be adding another layer of problems.

Regards...jmcc
 
If it is not outsourcing already, then outsourcing now would be adding another layer of problems.
Very true. And, it is unlikely that either Directi (who are they owned by now?) or OpenSRS would be willing to accept such a risk, as a matter of fact (being DDoSed, hacking attempts etc. - the whole infrastructure). They might have a few weeks ago. But now? In any case, Epik made a decision not to shut their servers down. Good or bad decision? Technically, bad. Legally - they indeed could not shut everything down (ICANN compliance, operational whois, 5 days max. to provide authcodes etc). Just imo.
 
Directi was sold to Endurance many years ago.
 
It has to remain running. If it shuts down, people cannot move domain names out of and into Epik. If it shuts down, people panic. When people panic, they all try to move their domain names.

Regards...jmcc
That makes sense, thank you broski, but shouldn't they shut down any new purchases until this whole thing is sorted? It seems wrong to keep everything the same; the least you can do is leave a login portal for your existing customers to transfer domains, and no new purchases until you rebuild.
 
It seems wrong to keep everything the same; the least you can do is leave a login portal for your existing customers to transfer domains, and no new purchases until you rebuild.

This is Epik's decision. They're still saying that they've been chosen as best registrar of the world by this forum. At a given moment, you have to adjust what you communicate on your homepage. But whoami.
 
@Future Sensors do you think new users of Epik might get affected by this hack?
 
@Future Sensors do you think new users of Epik might get affected by this hack?

Yes, I do. With all that has been published, it's clear [to me] that there will be a long way to restore technical and customer trust.
 
The impact won't be seen in those registry reports until the reports that will be published in January to April 2022.
Alternatively, the hackers may possibly provide an updated db or server leak showing actual current number of domains registered / managed, in a week or so.... Black humor, sorry.
 
That makes sense, thank you broski, but shouldn't they shut down any new purchases until this whole thing is sorted? It seems wrong to keep everything the same; the least you can do is leave a login portal for your existing customers to transfer domains, and no new purchases until you rebuild.
Epik has to present the image of business as usual if it doesn't want to lose more customers. It is in a very nasty situation.

Regards...jmcc
 
Alternatively, the hackers may possibly provide an updated db or server leak showing actual current number of domains registered / managed, in a week or so.... Black humor, sorry.
Funny though. :) It brings up a question on the new leaks: are they from the same time period as the first one?

Regards...jmcc
 
I've only taken a quick glance at the data so far, but here's some preliminary information:

The leak contains disk images from five different servers. This would be similar to if someone physically removed the drive from each server and cloned it in its entirety.

The five servers have the following hostnames, which is likely an indication of their origin and purpose. These were copied directly; any misspellings are in the original data.
  1. whmcs.cloudmin.wecandevelopit.com
  2. noshow.cloudmin.wecandevelopit.com
  3. registrar-staging.cloudmin.wecandevelopit.com
  4. remotecolnsole.cloudmin.wecandevelopit.com
  5. spynamesparser.cloudmin.wecandevelopit.com
Most of the images appear to have been taken in June, 2020, with the exception of noshow, which was taken in December, 2019. That makes this data older than that in the first leak. There's a good chance these were deliberate backups made by Epik.
 
I've only taken a quick glance at the data so far, but here's some preliminary information:

The leak contains disk images from five different servers. This would be similar to if someone physically removed the drive from each server and cloned it in its entirety.

The five servers have the following hostnames, which is likely an indication of their origin and purpose. These were copied directly; any misspellings are in the original data.
  1. whmcs.cloudmin.wecandevelopit.com
  2. noshow.cloudmin.wecandevelopit.com
  3. registrar-staging.cloudmin.wecandevelopit.com
  4. remotecolnsole.cloudmin.wecandevelopit.com
  5. spynamesparser.cloudmin.wecandevelopit.com
Most of the images appear to have been taken in June, 2020, with the exception of noshow, which was taken in December, 2019. That makes this data older than that in the first leak. There's a good chance these were deliberate backups made by Epik.

Thanks. I like the name, https://wecandevelopit.com/

Apparently outsourced.
 
spynamesparser
What a good name.

A footer of Epik own whois:

All registrar data, including registrant WHOIS data, is provided for public, non-commerical use only. Any information made available by Epik Inc and its affiliate registrars shall not be collected, distributed or used for any commercial activity. Third parties to agree not to use the data to allow, enable, or otherwise support any marketing activities, regardless of the medium used. Such media include but are not limited to e-mail, telephone, facsimile, postal mail, SMS, and wireless alerts.

(Partial) footer of GoDaddy whois:

This information is provided for the sole purpose of assisting you in obtaining information about domain name registration records. Any use of this data for any other purpose is expressly forbidden without the prior written permission of this registrar.
 
I've only taken a quick glance at the data so far, but here's some preliminary information:

The leak contains disk images from five different servers. This would be similar to if someone physically removed the drive from each server and cloned it in its entirety.

The five servers have the following hostnames, which is likely an indication of their origin and purpose. These were copied directly; any misspellings are in the original data.
  1. whmcs.cloudmin.wecandevelopit.com
  2. noshow.cloudmin.wecandevelopit.com
  3. registrar-staging.cloudmin.wecandevelopit.com
  4. remotecolnsole.cloudmin.wecandevelopit.com
  5. spynamesparser.cloudmin.wecandevelopit.com
Most of the images appear to have been taken in June, 2020, with the exception of noshow, which was taken in December, 2019. That makes this data older than that in the first leak. There's a good chance these were deliberate backups made by Epik.
Just want to clarify something. I'm no tech guy.
After the first breach, Epik claimed it was a backup or something.
Then Anonymous modified a page in the FAQ/knowledge base section, showing they were still deep within Epik's system.
Is that correct?
@Paul @Kirtaner
 