IT.COM

alert Epik Had A Major Breach

NameSilo
Watch

Silentptnr

Domains88.comTop Member
Impact
47,106
Last edited:
33
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
When I hear all of these stories trying to make him sound like a literal monster, I feel really bad because the guy has been nothing but great to me. Other than my personal experience I have no other knowledge or history with him

I absolutely believe that the people who belong to his inner circle (in any case, if you are a customer of the company) benefit from his generosity. Glad he was able to assist you.
 
1
•••
Will check with HackerOne why they didn't respond to the inquiries.
 
Last edited:
3
•••
So the money is present, but not for security bounties
I see your point but I don't necessarily agree with your assessment. It's kind of apples and oranges. I was facing jail and I've got a disabled teen daughter. And I'm her only provider and sole guardian. Don't know if you see the difference but that's as deep as I'm going to get into it.

Things are getting better in my life and in my daughter's life and I have a huge debit gratitude to pay Rob Monster
 
Last edited:
8
•••
I see your point but I don't necessarily agree with your assessment. It's kind of apples and oranges. I was facing jail and I've got a disabled daughter. Don't know if you see the difference but that's as deep as I'm going to get into it

Wish you strength. And yes, I see the difference. And respond to both sides accordingly.
 
3
•••
Sorry your experience is the opposite of mine. When I told Rob of some problems I was having he lent me thousands of dollars and gave me a year to pay him back with zero interest. Because of him I was able to get out of a huge bind. Sorry this has nothing to do with the hack but neither did your comment.

Since I have paid him back he never attempted to leverage anything against me. In fact he even reached out to some high-dollar end users to help me close some deals. He never asked for anything in addition to his normal marketplace commission.

When I hear all of these stories trying to make him sound like a literal monster, I feel really bad because the guy has been nothing but great to me. Other than my personal experience I have no other knowledge or history with him

I see your point but I don't necessarily agree with your assessment. It's kind of apples and oranges. I was facing jail and I've got a disabled daughter. Don't know if you see the difference but that's as deep as I'm going to get into it

That's cool, but at the end of the day Rob is the CEO, sole board member, and majority shareholder of a company. He has a responsibility to customers (and others) to protect their data.

In this case Epik failed. There is no way to sugar coat it. No amount of personal generosity will change that.

The security protocols and protections that were being employed were far below industry standards acording to cybersecurity and IT experts. This includes things like passwords and login information being stored in plain text, storing CC and CVV codes, and much more.

Epik either knew about these security issues ahead of time and ignored them or did not know. Neither option is better than the other and requires incompetence IMO in leadership and/or technical ability.

When you build on "shitty Russian code" what do you expect?

Thousands of customers and millions of others are forced to deal with the fallout from this (easily foreseeable) failure.

Brad
 
Last edited:
8
•••
That's cool, but...
see this is why I don't like to get involved in this thread. It's haywire.

Some just look for an excuse to twist what is said into yet another same old post they've already droned on and on about repeatedly throughout this topic. On and on it goes. Nothing new just the same old mantra repeated ad nauseam.

I was just trying to defend Rob against Derek's accusation that RM has an MO of taking advantage of people and leveraging his power over them. That just wasn't my experience that's all.

All the rest about his responsibilities has been repeated Non-Stop and I'm sorry that I inadvertently caused yet another post repeating the same thing over and over and over and over. Back to the shadows
 
Last edited:
5
•••
see this is why I don't like to get involved in this thread. It's haywire.

Everyone looks for an excuse to twist what is said into yet another ad nauseam repetition of their mantra.

I was just trying to defend Rob against Derek's accusation that RM has an MO of taking advantage of people and leveraging his power over them. That just wasn't my experience that's all.

All the rest about his responsibilities has been repeated Non-Stop and I'm sorry that I inadvertently caused yet another post repeating the same thing over and over. Back to the shadows

You are basically a character witness for Rob, which is fine.

A lot of people donate money, time, resources to charitable causes. You can also competently run a company at the same time. It is not an either/or zero sum game.

I am glad Rob helped you, but the real story is the data breach itself.

Brad
 
Last edited:
6
•••
I am glad Rob helped you, but at the end of the day the real story is the data breach itself.
Yes it was not an invitation for you to go on and on droning your mantra ad nauseam. I think you got that point across about 50 times by now since you've posted the same thing over and over.

If you bothered to read my post replying to Derek I said that this had nothing to do with the hack but that neither did his I was just defending the latest as-usual off topic slanderous comment that Derek was making.
 
Last edited:
2
•••
Yes it was not an invitation for you to go on and on droning your mantra ad nauseam. I think you got that point across about 50 times by now since you've posted the same thing over and over.

If you bothered to read my post replying to Derek I said that this had nothing to do with the hack but that neither did his I was just defending the as-usual off topic slanderous comment that Derek was making.


great you talked about your personal experience with RM
thank you
nobody is evil all the time

but did you notice there was a severe incident at
Epik "Lords own" domain registrar?

how do feel about Epik? not RM.
 
5
•••
Yes it was not an invitation for you to go on and on droning your mantra ad nauseam. I think you got that point across about 50 times by now since you've posted the same thing over and over.

If you bothered to read my post replying to Derek I said that this had nothing to do with the hack but that neither did his I was just defending the as-usual off topic slanderous comment that Derek was making.

Well, you posted on a public forum. I don't need an invitation to make a post that is on topic to this thread.

Good points stay good no matter how many times you make them.

I will keep making the exact same valid points until they are satisfactorily addressed.

Brad
 
Last edited:
1
•••
You only were able to repeat your mantra by connecting it to my post which had nothing to do with your mantra. But since you have made yourself the official spokesman judge and jury of this thread I'll leave you to it. Enjoy ..all I know is I am less likely to post knowing that some narcissist is about to follow me and change the meaning of what I said because they have such a big ego they need to stroke.

By the way yes it gets old ...I'm not so stupid I need your opinion beat into the side of my head Non-Stop. Why don't you try to find a new schtick? It would be nice to come here and see something new

I guess I don't really care about Rob's charitable causes, like donating $444 to Kirtaner then taking public credit for it in this thread. That seemed transparent.

I care about Rob, the CEO of a domain company that has made a mockery of the domain world with their actions and refusal to address the valid concerns of the victims of the data breach or take any real accountability for how they got into that position in the first place.

Brad
 
Last edited:
6
•••
This thread. It's haywire.

I think we can all agree that this is a unique thread, with so many knowledgeable stakeholders participating. If you pay close attention, there is a lot to learn from all parties, including from our new members in this thread. Even if they're rude, I sometimes don't appreciate the tone either. Even if you do not immediately agree with their ideas and experience, or when they make it difficult by asking for more clarity repeatedly, it can be useful. Because it's needed, and because for years this has become the permanent home of the CEO to promote his company. A lot of very substantive, sometimes highly technical, suggestions have been made that are, or should be, really useful to Epik. Moreover, this thread has the most links to publications about the incident, if we don't count Twitter.
 
Last edited:
7
•••
Sorry your experience is the opposite of mine. When I told Rob of some problems I was having he lent me thousands of dollars and gave me a year to pay him back with zero interest. Because of him I was able to get out of a huge bind. Sorry this has nothing to do with the hack but neither did your comment.

Since I have paid him back he never attempted to leverage anything against me. In fact he even reached out to some high-dollar end users to help me close some deals. He never asked for anything in addition to his normal marketplace commission.

When I hear all of these stories trying to make him sound like a literal monster, I feel really bad because the guy has been nothing but great to me. Other than my personal experience I have no other knowledge or history with him

Thank you for proving my point. He found a desperate person, gave them loan, probably collateralized with domains so no risk, got his money back and now has "friend". That sounds like a typical Monster deal.
 
0
•••
see this is why I don't like to get involved in this thread. It's haywire.

Some just look for an excuse to twist what is said into yet another same old post they've already droned on and on about repeatedly throughout this topic. On and on it goes. Nothing new just the same old mantra repeated ad nauseam.

I was just trying to defend Rob against Derek's accusation that RM has an MO of taking advantage of people and leveraging his power over them. That just wasn't my experience that's all.

All the rest about his responsibilities has been repeated Non-Stop and I'm sorry that I inadvertently caused yet another post repeating the same thing over and over and over and over. Back to the shadows

All I know is what I have experienced and heard from others who experienced Monster. Many here have also known Monster for many years and they have opinions contrary to yours, not just me. Perhaps you should think of others.

Yes it was not an invitation for you to go on and on droning your mantra ad nauseam. I think you got that point across about 50 times by now since you've posted the same thing over and over.

If you bothered to read my post replying to Derek I said that this had nothing to do with the hack but that neither did his I was just defending the latest as-usual off topic slanderous comment that Derek was making.

I have not said one thing that is untrue. Please show me one thing I have said that is untrue or retract your accusation of slander, which, by the way, is actually slander. You should also know that many people have accused Monster of many things here and asked him many questions but he has not responded or even tried to defend one of them. You wanna know why? Because they are true.

"Slander is a legal term used to describe defamation or the act of harming a person or business's reputation by telling one or more people something that is untrue and damaging about them."

Ironically, Monster has "slandered" me many times to many people, including publicly on this very website, and privately to the owners of this website and others.
 
0
•••
I think no one here hate RM as a person but no one like the way he's running the company as an CEO.
He is not even to keep the IT standard which caused the breach and explored thousand of customer data here.
He made a couple of posts here but all the content of the posts are either spamming or tell people how good a Christian he is and offering prays and hugs?
He did not say anything about how he will step up to fix the security problems.
If you can go to Church every Sunday but the other 6 days you messed up people life then you are a man with two faces. What do you pray in Church?
 
Last edited:
7
•••
5
•••
3
•••
how do feel about Epik? not RM
well for me, I became involved with epik because of their name pros pricing and I fell in love with their detailed analytics and marketplace flexibility. Then I came to know Rob so I like them both and I'm very disappointed in the obvious shortcomings exposed by the hack. I just really hope that we could get behind them to help them bounce back because I really think they're a good force in our industry. Even Google is being destroyed by hackers. And I'm not some blind loyal fool. I'm not happy that there have been attempts to access my venmo and my Best buy accounts lately. I don't know where that's come from as far as I know it could be from Google too
 
2
•••
According to Rob Monster in the Q&A Epik's engineers dindn't have access to this Git repository analysed by Micah Flee.

"Monster, YT1:34:19: Yeah, no absolutely. So Romans 8:28 says that all things work together for the good of those who love God, that are called according to His purpose. I believe all lemons are for lemonade. And I gotta tell you guys, yesterday was the hardest day of my life. Some of you wouldn’t know that, most of you wouldn’t know that, but I was actually at the closest I ever got to being broke. And it was a very hard day because so many things came at me from all different sides. You haven’t really lived, like I’ve walked through the fire right? For the last three years I’ve walked through the fire. And you can walk through the fire and it doesn’t burn you, that’s what i’ve learned. But there’s like a different level of fire when you have freaking Anonymous light your ass up. It’s on another level. And I have to tell you that yesterday totally took me to the threshold where I’m like “wow how much can I take?” So anyway, it all worked out though. It was a hundred thousand dollar critical hack, we plugged that gap, we didn’t lose any domains, thank God and [unintelligible] Yeah, we didn’t lose any domains and we actually gained more domains than we lost yesterday, that was a freaking miracle, but praise God. And then today too, I think we’ve probably gained more domains than we lost. Some of the people in media, they were not kind to us, but I absolutely think you’re right, Greg. It didn’t kill us, it’s gonna make us stronger. The code base that the Russians were totally safeguarding, they wouldn’t give our new engineers access to the git, now we know why: the code sucked. And ironically now we have them all
(...)
Monster, YT0:35:56: [reading chat. Full comment from “JP”: “I’m upset at the security incident at Epik, but my anger isn’t towards Rob specifically, he’s just human.”] “upset at the security incident at Epik but my anger isn’t towards Rob…” Yeah no, thank you, I appreciate that, JP. Yeah we… we did not nail that one. I think quite candidly that was some serious weak code, like hard-coding API keys… just weak sauce. And in reality, like I said earlier in the call, our top engineers mostly hadn’t seen that code because it was kind of blackboxed, behind a firewall, separate git repository, and not part of the Epik git. And that might sound surprising… [pauses to blow nose] sorry, I have a cold… considering that we’re like a registrar, but that’s basically because of the history of how that company became part of Epik"
 
Last edited:
4
•••
According to Rob Monster in the Q&A Epik's engineers dindn't have acess to this Git repository analysed by Micah Flee.

"Monster, YT1:34:19: Yeah, no absolutely. So Romans 8:28 says that all things work together for the good of those who love God, that are called according to His purpose. I believe all lemons are for lemonade. And I gotta tell you guys, yesterday was the hardest day of my life. Some of you wouldn’t know that, most of you wouldn’t know that, but I was actually at the closest I ever got to being broke. And it was a very hard day because so many things came at me from all different sides. You haven’t really lived, like I’ve walked through the fire right? For the last three years I’ve walked through the fire. And you can walk through the fire and it doesn’t burn you, that’s what i’ve learned. But there’s like a different level of fire when you have freaking Anonymous light your ass up. It’s on another level. And I have to tell you that yesterday totally took me to the threshold where I’m like “wow how much can I take?” So anyway, it all worked out though. It was a hundred thousand dollar critical hack, we plugged that gap, we didn’t lose any domains, thank God and [unintelligible] Yeah, we didn’t lose any domains and we actually gained more domains than we lost yesterday, that was a freaking miracle, but praise God. And then today too, I think we’ve probably gained more domains than we lost. Some of the people in media, they were not kind to us, but I absolutely think you’re right, Greg. It didn’t kill us, it’s gonna make us stronger. The code base that the Russians were totally safeguarding, they wouldn’t give our new engineers access to the git, now we know why: the code sucked. And ironically now we have them all
(...)
Monster, YT0:35:56: [reading chat. Full comment from “JP”: “I’m upset at the security incident at Epik, but my anger isn’t towards Rob specifically, he’s just human.”] “upset at the security incident at Epik but my anger isn’t towards Rob…” Yeah no, thank you, I appreciate that, JP. Yeah we… we did not nail that one. I think quite candidly that was some serious weak code, like hard-coding API keys… just weak sauce. And in reality, like I said earlier in the call, our top engineers mostly hadn’t seen that code because it was kind of blackboxed, behind a firewall, separate git repository, and not part of the Epik git. And that might sound surprising… [pauses to blow nose]"

Good point. I didn't think about that. Are you sure there are Epik devs in that repo?
 
0
•••
Someone needs to convince RM right now that he shouldn't show off those underground EMF/EMP-shielded bunkers on Twitter anymore, now that all the data has come out through another route. This, yes this, clearly shows that security is not yet in his DNA. And while you might think this is good marketing, in the end it isn't.

A better security starts today.

upload_2021-10-20_2-38-57.png
 
Last edited:
2
•••
well for me, I became involved with epik because of their name pros pricing and I fell in love with their detailed analytics and marketplace flexibility. Then I came to know Rob so I like them both and I'm very disappointed in the obvious shortcomings exposed by the hack. I just really hope that we could get behind them to help them bounce back because I really think they're a good force in our industry. Even Google is being destroyed by hackers. And I'm not some blind loyal fool. I'm not happy that there have been attempts to access my venmo and my Best buy accounts lately. I don't know where that's come from as far as I know it could be from Google too

You really should read through this thread, at least last 75 pages or so. Rob has told many lies about his products and services and when confronted, even years ago, calls people liars and threatens to sue them for slander. He has done the same post hack, threatening to sue pretty much everyone in the thread and the owners of NP and me several times, of course. As he has for years. It is what grifter criminals do.
 
Last edited:
0
•••
Could some of you domain and registrar experts help me calculate Epik revenues so I can figure out just how ridiculous this valuation is. For example:
I don't deal with valuations but Epik is by no means a small registrar. As of the latest ICANN stats (June 2021), it has 651,046 gTLD domain names under management. Of these, 496,702 are .COM registrations. This is a good thing. The majority of its registrations are legacy gTLD registrations with new gTLDs accounting for approximately 11.3% with .XYZ registrations being the largest of its new gTLD footprint.

When looking at a registrar's domain name footprint, the blue chip TLDs are the big ccTLDs, .COM and .ORG. The last two are considered blue chip because they renew well. Some of the new gTLDs (the geographical ones) have very high first renewal rates but the discounted new gTLDs have much lower renewal rates. From a stability point of view, having a high percentage (50% or more) of new gTLDs is generally a bad thing so Epik scores quite well in this respect.

Renewals are the lifeblood of registrars and registries. They are a more important indicator of a registrar's financial health than new registrations. The complete first renewal rates are only visible after the domain names go through their first renewal cycle so many of the new registrations from the last two years are going through their first renewal or have yet to go through their first renewal. (The 2020 registrations won't renew until 2021, the 2021 registrations until 2022 etc.) I crunched the multi-year renewal rates for gTLD registrar/hoster operators from 2021 to 2000 last month based on currently hosted domain names.

1) Number of domains hosted at epik and approximate profit per domain.
With a registrar that uses fixed registration fees, this would be easy. Epik uses discounting as a marketing tool so there is a range of pricing. It might be possible to estimate the overall profit using leaked data but it is not going to be reliable without knowing which registry discount offers Epik used in its marketing. The registries regularly run promotional offers for their registrars.

2) Number of web hosting accounts and approximate revenues/profit.
You have to know the hosting tiers (shared/dedicated etc), the price per account and the costs associated with setting up and maintaining the account. With retail registrars/hosters, many clients will host outside the registrar's infrastructure. This also means that they may not be hosted on the registrar's nameservers. (They may be using Cloudflare or a DIY web builder service.)

3) Break down of any other Epik products and services.
Again, the leaked data may provide some indications but it would require the costs for these services or products to be known and the number of accounts and duration to be known.

The media coverage of the Epik databreach has been almost completely focused on the political aspect. The journalists like simple explanations that don't require them to work hard and the political aspect is about the most simplistic angle on it. It is almost completely irrelevant to the rest of the world as it is local US politics.

The sheer scale of the compromise has actually worked in Epik's favour as even researchers who understand vulnerabilities and software struggle to deal with the hugh amount of data that often relates to a business outside their area of expertise. Even with the leaked data, calulating the precise valuation, turnover and profits of Epik would be difficult.

The registrar business is incredibly territorial with the top registrars in country level markets having around 80% or so of the domain names registered in that country. The only way into most of those markets is for an operator to buy the top registrars in the market. This is what Godaddy and Newfold Digital, UI and others have been doing for the last ten years or so. I publish an Excel based transactions (new/deleted/transferred) report each month that groups the main gTLDs by registrar/hoster operators. Some of the larger registrar/hoster operators have hundreds of hosting brands.

The hosting characteristics of Epik are very different to those of a typical retail registrar/hoster. This is because much of Epik's business is focused on its sales and domainer market. Just to put that market in some kind of perspective, approximately 9.5% of .COM is on sale. That's around 15 million domain names. While some of the domain names on Epik's sales platforms may be registered via Epik, others are not. This is because many portfolio operators tend to be very loyal to their main registrar but agnostic to where they post those domain names for sale. (Epik, Dan, Afternic, Sedo etc.) This is why the registrations on sales platforms are a bit of a nightmare to break down by registrar. Epik is not an accredited registrar in some ccTLDs but it has domain names from those ccTLDs on its sales platform. These may be registrants parking the domain names on Epik's sales platform or domain names registered via Epik but outsourced to a "registrations as a service" registrar which is accredited in these ccTLDs.

Sales platforms are also a bit of a problem to evaluate because unless they are charging a fee to list, they only make a profit when the domain name is sold via the platform. As a category, these domain names have different renewal trends to ordinary retail registrations. There are premium registrations that renew well (near 100%). There are almost premiums which can renew well. Then there are the highly optimistic registrations (often registered at a discount) which tend to be one year wonders.

Working out valuations for registrars (even those that simply offer registrations rather than hosting) without the registrar's financial documents and accounts is a complex process even with the current data because it also needs the historical data, the TLD market data, and enough information (revenue per domain, costs etc) to make reliable projections.

Regards...jmcc
 
13
•••
This is an interesting development that should not be overlooked.

"Monster, YT1:24:27: Yes. bugs [at] epik.com. Yes we do. In fact, funny you should ask. We have a very talented young developer in Belgium. His name is Guy. Like “Guy” but Belgians pronounce it “gee”, French. And Guy is developing a bug submission platform. We also have started a company that you might have come across called Cybermarks, and it is a cybersecurity boutique. You might say “wow guys, you guys are such clowns, why would you start a cybersecurity company?” Well, yeah. So the idea is… what can we do? So we hired a bunch of South Africans, like an elite team of cybersecurity people. They only were at it for a couple of months in terms of setting up their operation. They were working for a high-level firm. And they’re Kingdom guys, so they work for the Kingdom. They’re Christians. And the company that was employing them wanted to do some stuff that they didn’t feel comfortable with, and so they quit as a cohort, four of them, actually eight of them, but four elite cybersecurity guys, and we hired them. So that was about a month and a half ago. So Cybermarks.com is a division that’s being incubated by Epik. But I think we’re gonna hire quite a few heavy-duty cybersecurity guys, so if you’re on the side of good, you want to basically turn from the dark side or whatever. If you’re white hat and you want to be a force for good, Cybermarks would be a fantastic organization to be a part of I would say. We’re a pretty cool company, guys. I know that we look like clowns to some of you when you look at the cover, but check out epik.com/labs."

https://blog.mollywhite.net/monster-qa/
 
Last edited:
1
•••
Yep, you can file this under fallout from the Epik data breach, and the connections people have already made. This data breach likely played a major role.

I am sure this information is going to continue to be very interesting to the FBI, DOJ and other investigative agencies.

Jan. 6 committee subpoenas 'Stop the Steal' rally organizer Ali Alexander

https://www.politico.com/news/2021/...bpoenas-stop-the-steal-rally-organizer-515608
Anonymous are the good guys, and you know it
 
0
•••
Back