alert Epik Had A Major Breach

[Silentptnr]

Just read this. Looks like Epik may have been hacked and sensitive data compromised...

Read here:
https://domainnamewire.com/2021/09/14/hackers-claim-significant-epik-breach/

Thought I would share this.

 

[bmugford]

No new updates from Epik. It really seems like they are just going down the ignore it path.

 

[Future Sensors]

No new updates from Epik. It really seems like they are just going down the ignore it path.

No news today.

https://www.epik.com/about/news/

 

[FiniteCrystal]

And surely people following the teachings of Jesus would not want to incite hatred, or harm to others, or facilitate harm to others?

I had this thought too, I didn't want to sound preachy, but I believe Jesus would find the views of a great many of his modern followers extraordinarily distasteful.

 

[Derek Peterson]

You've provided some interesting info about Rob Monster's business practices and your dealings with him, especially in relation to Bit mitigate. I don't think you need to repeat it - a post giving a concise summary of your points would close the subject. People are entitled to their religious beliefs, but surely they need to comply with the law? And surely people following the teachings of Jesus would not want to incite hatred, or harm to others, or facilitate harm to others?

This might be a misinterpretation, but have you been implying there are people who specifically went to Epik to ensure their religious freedom, or to express their religious thoughts in a way that would avoid harsh consequences? That would be an interesting new angle on Epik customer acquisition, and possible reasons for the hack.

Again, I don't want to get too far off topic but of course the motivation for the hack was Epik's customer base. They have stated that very plainly and even said they are going to work with local authorities to help prosecute people for "hate speech".

And of course Rob intentionally marketed to people who were in jeopardy of punishment or persecution for their beliefs. "Free speech" was his marketing gimmick once he latched onto gab's coat tails and it made him a LOT of money.

Jesus was put in prison and killed for disobeying the govt. and religious authorities. The only ones inciting anyone to hatred and harming of others are those who think it is okay to put someone in jail or lose their jobs or persecute them in any way over their beliefs.

 

[FiniteCrystal]

Jesus was put in prison and killed for disobeying the govt. and religious authorities. The only ones inciting anyone to hatred and harming of others are those who think it is okay to put someone in jail or lose their jobs or persecute them in any way over their beliefs.

I know this is a hot take, but people's vile and hateful beliefs that promote stochastic terrorism having real impactful consequences is good, actually. Anti-discrimination laws protect the freedom of the people who are being discriminated against. Your right to swing your fists around in the air stops where my face begins.

Your shallow and childish take on this issue is basically, "you're the hateful one because you're intolerant of my hateful ideas"

 

[tonyk2000]

Epik Data Breach – Class Action Investigation

https://chimicles.com/epik-data-breach-class-action-investigation/

If the memory serves me right, in our industy there was a potential class action in snapnames halvarez shill bidding case, and snapnames/oversee voluntary emailed all customers offering some $$$ (calculations based on shill bidding activity). A recipent, however, had to sign (and fax to their law firm?) a promise not to join a class action lawsuit.

Epik might consider doing the same. However, it is far from obvious how to calculate a fair compensation amount in this case (with or without class action). Especially for non-customers, including California and EU residents, who had their whois records scraped by Epik.

 

[Future Sensors]

If the memory serves me right, in our industy there was a potential class action in snapnames halvarez shill bidding case, and snapnames/oversee voluntary emailed all customers offering some $$$ (calculations based on shill bidding activity). A recipent, however, had to sign (and fax to their law firm?) a promise not to join a class action lawsuit.

Epik might consider doing the same. However, it is far from obvious how to calculate a fair compensation amount in this case (with or without class action). Especially for non-customers, including California and EU residents, who had their whois records scraped by Epik.

Thanks. This class action [investigation] is only about one leak. I'm not sure if CSK&DS is aware of the second and third Epik data leak yet. In those leaks, lots more PII was leaked. These leaks have all been discussed in this thread and increase in seriousness.

 

[.X.]

I had this thought too, I didn't want to sound preachy, but I believe Jesus would find the views of a great many of his modern followers extraordinarily distasteful.

putting that in its proper perspective .. I believe that a person has every right to disagree with whatever they want .. perhaps have their personal opinion on what the fate of a person may be .. but .. God and Jesus Christ love everyone .. Gay .. Straight .. Transexual .. that doesn’t matter .. God and Jesus love everyone .. a person may disagree with ones lifestyle and life choices .. but should never hate or wish harm on anyone due to the a persons life choices .. I believe it is not for me to judge a persons eternal fate .. I have my own to worry about everyday .. I am guilty of throwing my personal feelings forward .. although I have learned and try my very best not to do so ..

I am a Christian of non denominational Christianity ..

 

[bmugford]

Epik Data Breach – Class Action Investigation

https://chimicles.com/epik-data-breach-class-action-investigation/

Chimicles Schwartz Kriner & Donaldson Smith is investigating a potential class action lawsuit related to reports that the domain registrar and web hosting company, Epik, was the victim of a recent data breach involving the personal data of 15 million Epik customers and non-customers. In an email that Epik sent to its users notifying them of the breach, it reported that the hackers obtained “payment information including credit card numbers, registered names, usernames, emails, and passwords.” As such, Epik has instructed its users to “contact any credit card companies that [they] used to transact with Epik and notify them of a potential data compromise to discuss your options with them directly.”


The California Consumer Privacy Act of 2018 (“CCPA”) requires businesses to implement and maintain reasonable security procedures and practices to protect consumers’ personal information, and is violated any time a data breach reveals a consumer’s “[a]ccount number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.” Civ. Code § 1798.150(a)(1); Civ. Code § 1798.81.5(d)(1)(A).


If you have been notified—or have reason to believe—that your personal information may have been compromised, please contact the attorney(s) listed below.

Attorneys for this case:

Benjamin F. Johns
Mark B. DeSanto
Samantha E. Holbrook

About the firm:

Chimicles Schwartz Kriner & Donaldson-Smith LLP (CSK&DS) is a leading national class action law firm which specializes in prosecuting complex federal and state class action litigation throughout the nation. We seek to obtain justice for our clients, ensuring their rights are vindicated and their interests are protected. Our experienced and dedicated litigators are ready to advance the interests of clients, and the rights of consumers and shareholders, by recovering the money they have lost, and obtaining the relief to which they are entitled. To achieve the best result for our clients, we are prepared to go to trial on every case. We will not settle unless it is in our clients’ best interests to do so.​

If the memory serves me right, in our industy there was a potential class action in snapnames halvarez shill bidding case, and snapnames/oversee voluntary emailed all customers offering some $$$ (calculations based on shill bidding activity). A recipent, however, had to sign (and fax to their law firm?) a promise not to join a class action lawsuit.

Epik might consider doing the same. However, it is far from obvious how to calculate a fair compensation amount in this case (with or without class action). Especially for non-customers, including California and EU residents, who had their whois records scraped by Epik.

That also involved a very small pool of customers, just bidders in domain auctions. This data breach involves all the customers AND millions of non customers.

There are also issues here to due with the security measures (or lack of) being employed by Epik, according to virtually every expert in the field. You also have potential issues with PCI compliance when it comes to credit cards, and potential GDPR issues with the collection and storage of data, as well as much more.

It is going to be a mess to resolve.

Brad

 

[Future Sensors]

It would be helpful if someone with knowledge of this kind of class actions regarding data breaches could participate in this discussion.

 

[Derek Peterson]

If the memory serves me right, in our industy there was a potential class action in snapnames halvarez shill bidding case, and snapnames/oversee voluntary emailed all customers offering some $$$ (calculations based on shill bidding activity). A recipent, however, had to sign (and fax to their law firm?) a promise not to join a class action lawsuit.

Epik might consider doing the same. However, it is far from obvious how to calculate a fair compensation amount in this case (with or without class action). Especially for non-customers, including California and EU residents, who had their whois records scraped by Epik.

Well Rob said Epik was just recently (June) given $32,000,000 so I would suggest: $32,000,000 / 100,000 = $320/customer.

 

[oldtimer]

Well Rob said Epik was just recently (June) given $32,000,000 so I would suggest: $32,000,000 / 100,000 = $320/customer.

I don't think that it's going to be that simple,

This could trun out to become a very complex legal matter as there really hasn't been one like it before and so certain legal issues have to be determined and settled for the first time just for this case.

IMO

 

[Future Sensors]

https://twitter.com/x/status/1445081618532737040

 

[DN Playbook]

The only rational explanation for radio silence from RM/E is that they are listening to lawyers. Likely to mitigate possible class action or criminal charges. Total speculation on my part, but it seems reasonable.

When you are dealing with thousands of customers using your network and services, security is a monumental task on par with the code powering your infrastructure.

These small scale responses are bizarre. It almost sounds like RM is fighting the urge to make public statements against legal advice.

Epik Data Breach – Class Action Investigation

https://chimicles.com/epik-data-breach-class-action-investigation/

Chimicles Schwartz Kriner & Donaldson Smith is investigating a potential class action lawsuit related to reports that the domain registrar and web hosting company, Epik, was the victim of a recent data breach involving the personal data of 15 million Epik customers and non-customers. In an email that Epik sent to its users notifying them of the breach, it reported that the hackers obtained “payment information including credit card numbers, registered names, usernames, emails, and passwords.” As such, Epik has instructed its users to “contact any credit card companies that [they] used to transact with Epik and notify them of a potential data compromise to discuss your options with them directly.”


The California Consumer Privacy Act of 2018 (“CCPA”) requires businesses to implement and maintain reasonable security procedures and practices to protect consumers’ personal information, and is violated any time a data breach reveals a consumer’s “[a]ccount number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.” Civ. Code § 1798.150(a)(1); Civ. Code § 1798.81.5(d)(1)(A).


If you have been notified—or have reason to believe—that your personal information may have been compromised, please contact the attorney(s) listed below.

Attorneys for this case:

Benjamin F. Johns
Mark B. DeSanto
Samantha E. Holbrook

About the firm:

Chimicles Schwartz Kriner & Donaldson-Smith LLP (CSK&DS) is a leading national class action law firm which specializes in prosecuting complex federal and state class action litigation throughout the nation. We seek to obtain justice for our clients, ensuring their rights are vindicated and their interests are protected. Our experienced and dedicated litigators are ready to advance the interests of clients, and the rights of consumers and shareholders, by recovering the money they have lost, and obtaining the relief to which they are entitled. To achieve the best result for our clients, we are prepared to go to trial on every case. We will not settle unless it is in our clients’ best interests to do so.​

Sometimes I hate being right. This could end up in the court system for months or years. Get out now. Saving $1 on transfers is not worth it.

 

[Derek Peterson]

I don't think that it's going to be that simple,

This could trun out to become a very complex legal matter as there really hasn't been one like it before and so certain legal issues have to be determined and settled for the first time just for this case.

IMO

Yeah, I know, you're right, I was just kidding around. It is going to be very complex case and if hack has spread to Epik hosting customers then it will be massively complex.

 

[Future Sensors]

https://twitter.com/x/status/1445065981567639552

 

[bmugford]

Sometimes I hate being right. This could end up in the court system for months or years. Get out now. Saving $1 on transfers is not worth it.

This is likely to be tied up in the legal process for a very long time with criminial investigations, civil courts, class actions, regulatory authorities, private company partners, etc.

Brad

 

[bmugford]

https://twitter.com/x/status/1445065981567639552

Very interesting stuff.

Brad

 

[DN Playbook]

Yeah, I know, you're right, I was just kidding around. It is going to be very complex case and if hack has spread to Epik hosting customers then it will be massively complex.

https://twitter.com/x/status/1445065981567639552

Interesting that these 2 posts followed each other in close succession. It is very likely that all customers were on the same network. Since the hackers were able to gain access through the code on the registrar side, it is quite feasible they could roam about throughout all the network. Unless parts were on separate networks, which I don't see RM/E structuring their infrastructure that way. So far we haven't seen that level of ingenuity on their part. Even so, a lot of information can be gleaned from invoices which would include all customers to their inventory of services. As well as all the financial details which would logically be stored in a single database.

 

[Future Sensors]

In retrospect, I think Rob shouldn't have done the video meeting. But it's helping researchers in every way right now.

 

[Jona4s]

internal documents also revealed the keyboard used by some top skilled engineers.

it doesn't matter what the code is doing, just upgrade it to the latest version. youll be fine.

 

[Derek Peterson]

https://twitter.com/x/status/1445081618532737040

So is this user Molly actually saying that Epik/Monster didn't have access to their own code for the last 10 years, since acquisition? So it was some kind of a lease (white label)?

 

[Molly White]

So is this user Molly actually saying that Epik/Monster didn't have access to their own code for the last 10 years, since acquisition? So it was some kind of a lease (white label)?

The screenshotted text in my tweet is from the transcript of Rob's Q&A session. The transcript is timestamped if you want to hear it from the horse's mouth. He came back to the topic a few times throughout the Q&A so I'll try to summarize: when Epik acquired the Colorado Springs-based IntrustDomains in 2011, "it came with a Russian development team". "At the time they were based in the Ukraine, or in the Crimea region. Then there were wars and then they moved to Krasnodar, and they’re based there." "The code base that the Russians were totally safeguarding, they wouldn’t give our new engineers access to the git, now we know why: the code sucked."

Epik engineers outside of that group only gained access to this 10-year-old git repository following the hack: "our top engineers mostly hadn’t seen that code because it was kind of blackboxed, behind a firewall, separate git repository, and not part of the Epik git. And that might sound surprising… considering that we’re like a registrar, but that’s basically because of the history of how that company became part of Epik. It was an acquisition, it is a captive dev team, and I’ve operated with that group to a large extent on the basis of trust. They’re good people, they’re honorable people, ethical, responsible people, but their coding methods and frameworks are not up to standard, and they’ve pretty much handed over all the keys to two top guys, Justin Tabb, David Roman."

It didn't sound to me like white labeling—Rob said they acquired the registrar code and engineering team from Intrust. But for some reason, it seems they allowed the engineering team to retain total ownership of the code, totally siloed from the rest of Epik's team.

 

[Future Sensors]

So is this user Molly actually saying that Epik/Monster didn't have access to their own code for the last 10 years, since acquisition? So it was some kind of a lease (white label)?

"This user Molly" is participating in this thread, you can ask her directly. But it's Rob himself who said things in the video meeting. As we don't know the exact contractual details re Intrust and other Epik ventures that have been acquired, we can only guess atm.

 

[Derek Peterson]

"This user Molly" is participating in this thread, you can ask her directly. But it's Rob himself who said things in the video meeting. As we don't know exact contract details re Intrust and other Epik ventures that have been acquired, we can only guess atm.

It is interesting because it would be another example of Rob basically white labeling/leasing products from others and claiming ownership.