alert Epik Had A Major Breach

Silentptnr

33
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
What are real roots (motivation) of these attacks?
Competitors, discrimination, Trumpism etc. or what?
Epik must consider it firstly.
 
2
•••
But to rely on an algorithm that's been compromised for years for mass hashing is utter negligence.

Yes, and there's going to be no shortage of people pointing it out. So far, I've only looked at the data for Anonymize; it's possible that passwords for other services are using something better.

That being said, all hashing is just designed to buy time. Even if they were using bcrypt or argon2, the passwords would get out eventually. People should be changing their passwords regardless.

The biggest challenge for them in the near-term is going to be locking everything down. Again, I've only glanced at the data, but they appear to have a massive attack surface with a lot of moving parts. I suspect there's no shortage of holes, and there are going to be quite a few people combing through the dataset looking for additional vulnerabilities.

So, isn't this like, FederatedIdentity.com is the 3rd party, and then Epik.com stores pw in plaintext so that FederatedIdentity.com can authenticate it? And if that's the case, aren't all those Google+FB logins on unrelated websites extremely dangerous?

To give you an example, NamePros processes payments through Stripe. In order to authenticate with Stripe, a third-party service, NamePros needs to store a password in plaintext--not your password, just a password, one provided to us by Stripe. There's no way around that.

I don't know what the plaintext passwords I saw were intended to be used for, but there weren't many of them. The user accounts were using MD5 (which might as well be plaintext).

What are real roots (motivation) of these attacks?
Competitors, discrimination, Trumpism etc. or what?
Epik must consider it firstly.

Nobody is going to know until it lands in court. It's also by far the least important aspect of their immediate response, since their priorities should be securing their infrastructure and notifying affected parties.
 
6
•••
I'm in the security business and I fully understand that some passwords here and there will slip through the cracks and remain unprotected. But to rely on an algorithm that's been compromised for years for mass hashing is utter negligence.
What else do you suggest for password encryption, if not MD5 with salt? Isn't it impossible to decrypt if they use a random and strong key?

Edited
 
1
•••
Then why is superbuggy Dynadot not hacked???
 
2
•••
What else do you suggest for password encryption, if not MD5 with salt? It's impossible to decrypt if they use a random and strong key IMO.

Salted MD5 is not and will never be sufficient. It's entirely possible to crack. (Edit: The passwords I've seen so far in the breach did not appear to be salted anyway.)

Don't try to roll your own crypto. If you're working with PHP, use password_hash and password_verify--as of writing, those will use bcrypt or argon2, both of which are acceptable. If you're working with a different technology, consult the industry best practices. Do not try to come up with your own scheme.
 
7
•••
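An added example, not part of any post in this thread: one way to apply the password_hash / password_verify advice above to accounts that still hold unsalted MD5 hashes, upgrading each hash at the user's next successful login. The function name verify_and_upgrade, the array standing in for a database row, and the sample password are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Check a login attempt against the stored hash and upgrade weak hashes.
 * Returns [bool $ok, string $hashToStore]; the caller persists $hashToStore.
 * (Hypothetical helper, not from any project mentioned in the thread.)
 */
function verify_and_upgrade(string $password, string $stored): array
{
    // A bare 32-character hex string is treated as a legacy unsalted MD5 hash.
    $isLegacyMd5 = (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);

    if ($isLegacyMd5) {
        // Legacy path: constant-time comparison against the old MD5 value.
        $ok = hash_equals(strtolower($stored), md5($password));
    } else {
        // Modern path: password_verify reads algorithm, cost and salt
        // from the stored string itself.
        $ok = password_verify($password, $stored);
    }

    if (!$ok) {
        return [false, $stored];
    }

    // The plaintext is only available at login, so this is the moment to
    // replace an MD5 hash, or a hash made with outdated parameters.
    if ($isLegacyMd5 || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = password_hash($password, PASSWORD_DEFAULT);
    }

    return [true, $stored];
}

// Constructed sample row standing in for a database record.
$user = ['name' => 'alice', 'hash' => md5('correct horse battery staple')];

// First login: succeeds against the MD5 hash and returns a new hash to store.
[$ok, $user['hash']] = verify_and_upgrade('correct horse battery staple', $user['hash']);
var_dump($ok);
var_dump(password_get_info($user['hash'])['algoName']);

// Later logins are checked only against the upgraded hash.
[$okWrong] = verify_and_upgrade('wrong guess', $user['hash']);
var_dump($okWrong);
```

Accounts that never log in again keep their MD5 hash under this scheme, so it needs to be paired with a forced password reset for dormant accounts.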
Dynadot is not even 10% of the traditional hype around Epik...
That's why they live without such adventures.
 
5
•••
Then why is superbuggy Dynadot not hacked???
No reason for hack. No politics, no price hold. Lack of CEO presence. Almost like a normal nobody in people's eyes if you ask me.
 
3
•••
There is a big difference between hacking and ddos attack.
 
4
•••
What are real roots (motivation) of these attacks?
Competitors, discrimination, Trumpism etc. or what?
Epik must consider it firstly.
"Map out a decade of online fash with a level of clarity nobody has been able to until now."
"This dataset is all that's needed to trace actual ownership and management of the fascist side of the internet that has eluded researchers, activists, and well, just about everybody. And maybe have a little extra fun. For the lulz."

Some people are in very hot water.
 
1
•••
This is really hectic 😨
Can we have best registrars to keep our Domains safe. For crypto we have nano ledger etc. or keep private keys...
Any best solution for keeping Domains safe?
 
1
•••
"Map out a decade of online fash with a level of clarity nobody has been able to until now."
"This dataset is all that's needed to trace actual ownership and management of the fascist side of the internet that has eluded researchers, activists, and well, just about everybody. And maybe have a little extra fun. For the lulz."

Some people are in very hot water.

When certain hackers are all about freedom / anti-establishment, I can ride along with that to some degree. The compromising of people, putting their stuff at risk, invading privacy ...not so much
 
3
•••
More bad news coming, just got a newly regged name 'sold' on SH wholesale market and now buyer wants auth code. Goddammit. I even priced it higher than usual thinking it might not be sold and now this happens. What the hell am I gonna do?

Personally, I'm going to de-list my ~10 domains that are transfer-locked at Epik until I have the ability to move them out. Sadly I transferred them there recently to save a buck.
 
1
•••
7
•••
Everyone gets hacked eventually, and MarkMonitor is no exception. Their situation wasn't as bad as Epik's appears to be, but it was still a blunder.

We're just going to see more and more of these issues as time goes on.
Wow, and this news is from this month. To think someone had a chance to use Coinbase to phish for bitcoins, or Google to mess with everything... ridiculous.
 
1
•••
Everyone gets hacked eventually, and MarkMonitor is no exception. Their situation wasn't as bad as Epik's appears to be, but it was still a blunder.

We're just going to see more and more of these issues as time goes on.
You're right, but nothing is more disappointing and annoying than their silence. This is where you alert your users and ensure they take measures to avoid further damage, like losing their domains (I'm pretty sure not everyone using Epik knows about this yet).
 
4
•••
Then https://www.cscdbs.com/en/domain-management/

We are talking about the ROOTS/REASONS.
Not about the results and methods (HACKED).

Given a large enough attack surface and a sufficient supply of nefarious individuals, someone somewhere will eventually find a reason to hack anything. Let the courts get to the bottom of that; there's no point in speculating.

Otherwise, this is just going to turn into an unproductive flame war with one side claiming Epik had it coming and the other claiming it's a false flag operation, with both sides offering no evidence beyond a hunch.

There appears to be a lot of data here, and it's going to take researchers quite a while to get through it all, myself included. All that's known thus far is that you should change your passwords. I know everyone is eager to point fingers, but we just don't have the information we need to come to educated conclusions yet.

You're right, but nothing is more disappointing and annoying than their silence. This is where you alert your users and ensure they take measures to avoid further damage, like losing their domains (I'm pretty sure not everyone using Epik knows about this yet).

Perhaps, but right now they're probably stuck trying to lock everything down and figure out what happened. Most sites can be taken offline during incident response; registrars don't really have that luxury. I'm sure there are plenty of frustrated people running on nothing but caffeine and anxiety right now.

Let's all learn from this: plan for breaches now; don't improvise as you go. Every website gets hacked. If you run a website and haven't already planned for that inevitability, now is the time to start so you're not fumbling in-the-moment.
 
15
•••
source twitter (old data - afternic lic)
 
6
•••
I'm sure 1000%, that all these technical aspects are absolutely secondary in EPIK FAIL story.
 
1
•••
Epik might want to:

1) Shut everything down in the meantime. The sky would not fall. Why? There is a possibility of unauthorized transfers away...

2) Hire external security (server management, etc.) company and ASAP.

3) Clean/upgrade/etc all the systems and restore the service with obligatory passwords change, as well as 2fa reset, after next login.

4) Send email to all customers, but, for god's sake, without mentioning politics or anything similar.

5) Since Epik earned a certain level of trust (not with all the domaining community, but it is irrelevant in this context) - the honesty would be the key to survive. Some members right in this thread support epik, some don't, some like it, some don't, but it should be obvious enough that "disappeared" domaining-friendly registrar would not benefit the industry as a whole in any aspect.
 
10
•••
4) Send email to all customers, but, for god's sake, without mentioning politics or anything similar.
Somehow, it's, like, impossible, for them to separate their announcements from politics without activating a death curse.
 
5
•••