Epik Had A Major Breach

Silentptnr
The views expressed on this page by users and staff are their own, not those of NamePros.
It is reasonable to expect that in any governmental or legal investigation, this thread will be used as evidence of complicity, negligence, intent, state of mind, etc. So RM and his cohorts have to be very careful what they write which may explain the lack of any real information from their side, and only a very generic statement from RM. This Joey person might have stepped into doo-doo with his comments. Ergo the edit.
 
This thread is getting too complicated to follow, but for an average user it's normal.

All I learned is that Epik had a major breach, and Rob is nowhere to be found to respond to people's concerns.

God bless you all.
 
Classic… The guy who attempted to sell 35,000 social security numbers to a Fed is suddenly the beacon of internet morality. Regale me with your tales of valor, Joey Camp. It has been 45 minutes since I challenged you to a duel, sir. What are you afraid of, Joey? I can assure you I am prepared for a rational debate; put that correspondence school legal secretary certificate to use. Where should we start? The Pandects, or maybe some Oliver Wendell Holmes, or maybe United States v. Stevens? Your move, Chief!
 
Although it is too early to declare victory, we are certainly making progress. Here is a recap of just some of the actions taken:

 Retained forensic investigation and technical security firm on a full-time basis;

 Retained data privacy and cybersecurity outside counsels to report and remediate the Incident;

 Implemented industry best practice for secure password vault;

 Worked with development teams to cycle all SSH keys multiple times and shut down other means of access to Epik systems;

 Implemented bug bounty program (est. Oct 7, 2021);

 Daily coordinated work and efforts combining executive, legal, PR, and security team;

 Migrated all source code to new platform;

 Forced client password resets;

 Shut down all outside access endpoints into Epik’s systems;

 Removed all credit card information from live databases;

 Implemented an SSO where strongly encrypted passwords are not stored on Epik systems and authorization;

 Continued to expunge unnecessary personal information from systems and implement best practices;

 Explored SOC-2 Compliance options after Incident response in near-term;

 Notified clients who were impacted by the data Incident on several dates (Sept 18 and 20, 2021), secured critical systems and provided 2 years of credit monitoring to clients who had payment information included in the Incident;

 Timely notified State Attorneys General in relevant jurisdictions, where prescribed by applicable state data breach notification law;

 Worked with the FBI to help identify the threat actors and take appropriate legal action.
 
Although it is too early to declare victory, we are certainly making progress. Here is a recap of just some of the actions taken: [...]
Given what I'm actively watching on Twitter, most of this post has to be a complete lie.

Also, will point out, Rob didn't think this community was worth giving this update to.
 
It's not hard to see her post is full of drama; together with this hacker Kirt, I don't think they are in a position to give us advice on what Epik should do. I know their plan very well, but they will not succeed.
These people come here and pretend to be good and offer solutions hahaha, don't make me laugh, the one who ordered the hack + the hacker offer advice. :D
You should both be in prison, but no wait, Kirt is protected by his govt, wonder how much they pay you to hack companies per their orders.
Still waiting for 15 years of CIA backpay
 
Although it is too early to declare victory, we are certainly making progress. Here is a recap of just some of the actions taken: [...]

Kind of an odd opening here...

Although it is too early to declare victory, we are certainly making progress.

Like, you just got hacked in an almost unprecedented level data breach that exposed just how poorly you stored and secured customer data. They even took bootable server images.

It is bizarro world to even bring up the word "victory" at the moment. I would love to know what "victory" actually looks like.

It also comes down to what you can trust.

I am sorry, but after what Epik said in the past about security, and the security practices that this data breach exposed, I am highly skeptical of just believing what is said.

Brad
 
This thread has become toxic.......

Have been popping in very occasionally for a catch up read, but will not be doing so from now on........
 
Although it is too early to declare victory, we are certainly making progress. Here is a recap of just some of the actions taken: [...]

Also, looks like Rob is talking shit about NamePros on the other forum.

First he talks about a "struggle session" which he defines as -

The struggle session was famously used by the Chinese Communist Party to achieve alignment and consensus. It served to root out any remnant of dissent or misaligned thinking before more Draconian measures were introduced.

From there he goes on -

As some here will recognize, I have witnessed a struggle session in operation over the last month at NamePros. If you missed it, you can sample that here:

I believe the dynamic is toxic in its drive to conformity. Ironically it was a primary reason for Epik to acquire (Other forum name). I did not expect it to get this severe, but I guess we were prescient in that acquisition. I have great hope for (Other forum name) and believe others will discover why in time.

Although I am not a moderator and have no intention of becoming one, as the owner of (Other forum name), Epik will absolutely encourage open dialog in the hope that more discussion is better. In promoting dialog, the silent majority should never have to live in fear of the apparatchiks. Independent thought should be welcome and encouraged here.

As for the folks who prefer to be part of the hive mind, they might feel more at home elsewhere. Nevertheless, they should still feel welcome to sample the engagement of free thinkers.
 
Then Rob gets called out by a poster on his forum who says -

I believe that thread is active because you don't address specific issues brought up. It seems you want to skirt around them, bringing in religion and posts like these. Some of the emails the owner Paul posted seem to show you're not so ok with open dialogue, and they come across as "beware what you post."

In other posts here you talk about unity among the industry, when literally on your site you have pages going against competitors like GoDaddy.

I received yet another email from you today about password reset.

I'm more concerned about what you're doing to secure the site. What about the "shitty code" (your words) the site is built on? Has that been fixed yet?


and

Just saw your post in the other thread. Why not post that at Namepros and send an email letting customers know what is being done. That's what we've been asking for.
 
Then Rob gets called out by a poster on his forum who says - [...]
It's rich that he dunks on GoDaddy considering their reseller account credentials were reportedly in the first dump.
 
OK, let me guess.

Some future events (12/24):

*begin*

Many new members joined NamePros for the purposes of participating in this thread. None of them are domainers. They are still discussing the stuff on 200th page. Most domainers "unwatched" the thread already. Derek was the most enduring member, but even he stopped posting in November. Rob stepped in, offering $6.49 Christmas domain transfer promo. Nobody seemed to care. The hackers announced 7th leak with a few terabytes of Epik data. Nobody seemed to care. This thread itself was moved to The Break Room (little or no moderation).

*end*

Just a satire, don't take it too seriously
 
From the post, seems nothing has been done nor will ever be done to rebuild the codebase.

The code is vulnerable because their "system" is just a bunch of PHP scripts, there's nothing proprietary, nothing engineered and you can't do proper static analysis of interpreted code.

"Shutting down access to endpoints" doesn't solve security when the target is an internet-facing service.

Maybe end users buy into that response, but experts are without a doubt baffled.
 
From the post, seems nothing has been done nor will ever be done to rebuild the codebase. [...]
The more they deny and downplay, the more the knife will end up being twisted.

I suggested to study a particular hack from 2011 for a reason.

It escalated to the point of leaking personal emails.
 
It just dawned on me: Rob Monster lied about already having a bug bounty program during the prayer meeting. That latest update states they launched such a program on Oct 7.

Lies. Constant lies.
 
Epik Fail is now penetrating the cryptocurrency news cycle.

Thanks for the link. Epik's digital currency Masterbucks has been in the news before at the time of PayPal's termination of service to Epik.

https://mashable.com/article/epik-domain-names-paypal-proud-boys

 
https://www.washingtonpost.com/technology/2021/10/08/cryptocurrency-scam-websites/

"Wwwblockchain.com isn’t a typo. Nor is hlockchain.com or blpckchain.com.

Those sites are set up to dupe Internet users trying to reach Blockchain.com, a website that lets users buy and sell cryptocurrency.

And there’s big money in little typos. A man in Brazil paid more than $200,000 worth of bitcoin between last November and February for those and other typo Web addresses, according to sales records leaked after a hack of Epik, an Internet services company favored by the far-right. He also purchased conibase.com for more than $16,000, meant to mimic Coinbase, another cryptocurrency exchange.

“The price that this person paid blows me away,” said Zack Allen, an expert at cybersecurity company ZeroFox.


The high price paid for the Web addresses, sometimes called domains, indicates someone thinks they’ll make a substantial profit. Domains ending in dot-com cost around $10 per year and scammers often rely on ones that are even cheaper...."

But last month, Coinbase announced 6,000 of its customers had their cryptocurrency stolen through a phishing attack, in which fake log-in pages are used to steal passwords. The attack took advantage of a “flaw” in Coinbase’s two-factor authentication security system, the company said. Coinbase said it reimbursed the customers, though it didn’t say how much was lost. There’s no known link between that attack on Coinbase’s customers and conibase.com.

The man with a Brazilian address who bought the domains between November and February didn’t respond to requests for comment from The Washington Post sent in English and Portuguese via email and WhatsApp. It’s not clear if he still controls the domain names or has sold them to others.

But the bulk of Epik’s business appears not to have been the far-right, but rather domain investors. Legitimate domain investors buy domain names — often for around $10 for dot-com Web addresses, sometimes less for other suffixes — and then flip them to someone who wants to use them. Sometimes short or particularly memorable Web addresses can sell for huge sums, like HealthInsurance.com, which sold for more than $8 million dollars in 2019 to a company that markets health insurance plans. Short domain names often sell for thousands. Companies often buy up mistyped versions of their real Web addresses to protect against attacks like these, said Allen, whose firm ZeroFox offers to assist companies in finding and buying typo domains on their behalf.

An Epik spokesperson, replying from a generic email account, told The Post that “typodomains are a common tier of domains in the trading community.”


When investors sell domains — whether to cybercriminals or legitimate companies — they often use an escrow service to ensure that neither the buyer nor the seller is defrauding each other. Epik offered one such service, alongside its role as a domain registrar, selling the right to use a particular Web address.

According to records released in the hack, Epik served as an escrow agent for hundreds of transactions, including many legitimate ones. Epik appears to have charged a 2.5 percent fee for its escrow services — meaning it earned about $5,000 from the sale of the false cryptocurrency exchange Web addresses. The Post confirmed the authenticity of the records by checking with American purchasers of legitimate domains that the private details of the transactions shown in the leaked records were correct.
 
Epik knowingly facilitates crime.
 
I wrote this almost a year ago:

"At this time my recommendation to Epik is to change their financial models so that they can be in good standing with all the laws and rules that their business associates such as PayPal and GoDaddy expect them to abide by, and as such I expect Epik to be given a chance for redemption before it is permanently cut off by GoDaddy and PayPal."

GoDaddy terminating fast transfer inclusions over Afternic for any of Epik’s customers
 
It just dawned on me: Rob Monster lied about already having a bug bounty program during the prayer meeting. That latest update states they launched such a program on Oct 7.

Lies. Constant lies.
They have certainly had a bug bounty of sorts, at times, though I highly doubt it was formalised in any manner. I remember times on this forum where people commented that they received a bounty. But from memory, it generally related to one of the Labs projects which was usually undergoing fast development, and bugs were not particularly uncommon. Rob seems to like a bit of a crowd-sourced approach to developing some of his projects. It's not my style, though I can see the merit for it to some extent, especially when said 'crowd' is a bunch of domainers who are indeed his customers.
 
They have certainly had a bug bounty of sorts

"High Fidelity: You have a bug bounty program?

Monster: We do!

Jackson: Where?

Monster: So right now it’s just an email, but we also are… bugs @ epik.com But what we are also doing, we actually have a software team… We have a cybersecurity team, believe it or not.

Unidentified SC3:02:39: You should fire them."
 
"High Fidelity: You have a bug bounty program? [...]"

Several people have already indicated that they had reported security bugs to Rob personally. The problem is that he didn't act upon these reports.
 
Security shouldn't be an afterthought, it has to be part of your company DNA, including the Boardroom.

As soon as Epik feels confident about their code, it's highly recommended to list the company on https://www.hackerone.com/

HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cybersecurity researchers. It was one of the first companies, along with Synack and Bugcrowd, to embrace and utilize crowd-sourced security and cybersecurity researchers as linchpins of its business model; it is the largest cybersecurity firm of its kind.

HackerOne was created by the Dutch, something that Rob will certainly appreciate as an extra bonus.
 
It just dawned on me: Rob Monster lied about already having a bug bounty program during the prayer meeting. That latest update states they launched such a program on Oct 7.

Lies. Constant lies.

As others will have pointed out, our bug bounty program was informal through email and our ticketing system. We absolutely did and do pay out many bug bounties over the years to ethical hackers.

As of earlier this year, we have been incubating a proprietary bug reporting system. It is not ready yet but we think it is mission critical enough to self-host it.

In the end, we went with a commercial solution since we would rather have hackers choose an ethical path, and we realize that their skills and time have value.

HackerOne is one we did consider for our formal bug bounty platform, but since they never replied to our inquiries, that is why we went with BugCrowd.

As for the mystery of the $444 deposited to your GoFundMe page, as I guess that mystery is unsolved for you despite the bread crumbs, here is a clue for what that was about.


And, yes, I still have faith in you.
 