
Epik Had A Major Breach


Silentptnr

The views expressed on this page by users and staff are their own, not those of NamePros.
Almost all of the credit cards have been censored; it's not clear by whom. I stumbled upon a handful that weren't, but for all I know they could've been Epik's or simple test data--there weren't many. I'm not sure how anyone can allege that they're valid without actually trying to use them.

That being said, there's no shortage of PII, which is going to make dealing with this a nightmare. We're still not entirely sure how we're going to combat the inevitable influx of attacks that arise from this.



I don't believe they were notified by the service itself. The attacker tried to brag about it on NamePros and claim he would be able to hack NamePros as well. I strongly suspect a number of industry blogs were also affected, but I don't know for sure which were actually compromised and which were simply on the attacker's radar.



When we believe that a NamePros account may be at risk in such a scenario, we lock it down and require a password reset. When such a user tries to log in, they'll be told that we think their account has been compromised, but we don't get into specifics. I'm not sure it would be a good idea for us to disclose specifics or send out mass notices in response to suspected attacks on third-parties--that seems like it might be an ethical gray area. It's a little different when the information is already public and available to anyone who's willing to take the time to comb through the data.

We're looking into whether it makes sense to force password resets for NamePros accounts that might correspond to accounts in the Epik breach, but I'm worried that if the worst happens, the affected people may have trouble accessing their email. That's a worst-case scenario, but I'd like more info before acting.

So then that service is in danger of being sued as they are breaking laws by not letting users know.
 
Censored for 3rd-parties, but available for hackers... They have it.
 
Just read this!

https://domainnamewire.com/2021/09/16/epik-hack-what-we-know-what-you-should-do/

Here's an excerpt:
"A security engineer told The Daily Dot that the data includes the auth codes required to transfer domains to another registrar. It’s unclear if this data is tied to individual domains. This same engineer told The Daily Dot that the data includes WordPress admin passwords that people could use to take over Epik customers’ websites; I’m surprised by this because I wasn’t aware that these passwords were stored in any way that could be tied to a host."
 
So then that service is in danger of being sued as they are breaking laws by not letting users know.

I'm a security professional, not a lawyer. I take issue with the lack of transparency and lousy security practices of that particular service, but I can't speak to the legality of it. As for the blogs, if they were compromised, I doubt the owners would know.

Censored for 3rd-parties, but available for hackers... They have it.

For the credit card numbers, possibly. It's not clear whether it was Epik or the attackers who censored them.
 
I'm a security professional, not a lawyer. I take issue with the lack of transparency and lousy security practices of that particular service, but I can't speak to the legality of it. As for the blogs, if they were compromised, I doubt the owners would know.



For the credit card numbers, possibly. It's not clear whether it was Epik or the attackers who censored them.

Did Namepros alert its members to which service Paul?
 
I am leaving my account wide open .. nothing changed .. for a reason .. the same reason I left my CC open the last breach I was involved in which netted 18 people with federal charges from the FBI ..
 
What regarding AUTH codes?

I haven't looked at that data yet, but I wouldn't be surprised if those need to be stored in a reversible manner anyway, meaning hashing would prevent them from working. I'll wait for someone who knows more about EPP to speak on that.

Did Namepros alert its members to which service Paul?

No, for several reasons:
  1. We're missing most of the data
  2. We strongly suspect multiple services were involved
  3. We don't really know which credentials came from which services--if the dumps aren't public, attribution is infeasible
  4. It seems like a bit of an ethical gray area when we lack a complete picture
 
I do know for certain that at least one other service popular among domainers has been compromised recently, and the credentials obtained during the attack have been leveraged to gain access to NamePros accounts, since people tend to use the same password for all their accounts.
You're sure it's not Epik? That news article was saying that the data goes up till 28th Feb 2021. Wouldn't that mean Epik could've been hacked months ago?

May I ask if there was an attempted but failed login on my account? (It'll fail since I don't use the same pw) PM? Just wanted to see if I can pinpoint/exclude registrars that may have been hacked or not.

And what happened to the login email notifications I used to receive sometime back? Those are really useful even though it may be a bit "spammy". I don't see any option for this in the settings area either.
 
(the incident was first reported by Monacelli)

You're sure it's not Epik?

Yes--it's not unusual for sites to get hacked. Most likely never find out.

the data goes up till 28th Feb 2021.

Or March 1, depending on the time zone. It's right on the month boundary.

Wouldn't that mean Epik could've been hacked months ago?

It's possible, yes. However, I don't think we've seen data from Epik in the credential stuffing attacks we've faced recently.

May I ask if there was an attempted but failed login on my account? (It'll fail since I don't use the same pw) PM? Just wanted to see if I can pinpoint/exclude registrars that may have been hacked or not.

Yes, there have been several. Most appear to have been you, but there was one mildly suspicious attempt from the UK on April 26. If that doesn't sound right, please DM or open a support request in the tech support forum.

And what happened to the login email notifications I used to receive sometime back?

They're still sent if anything about the login looks suspicious--for example, if you log in from a new location.
 
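The two staff replies above describe the defensive side of this: spotting credential stuffing (one source trying many usernames with reused passwords), locking any account it got into, and e-mailing a login notice when someone signs in from a new location. The following is an added Python example written for this page, not NamePros code; the log format, the KNOWN_LOCATIONS history and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real NamePros data): "<ISO time> <user> <ip> <country> <ok|fail>".
# One IP tries six usernames in seconds and gets one hit; alice later logs in from a new country.
SAMPLE_LOG = """\
2021-04-26T09:00:01 alice 203.0.113.5 GB fail
2021-04-26T09:00:02 bob 203.0.113.5 GB fail
2021-04-26T09:00:03 carol 203.0.113.5 GB fail
2021-04-26T09:00:04 dave 203.0.113.5 GB fail
2021-04-26T09:00:05 erin 203.0.113.5 GB fail
2021-04-26T09:00:06 frank 203.0.113.5 GB ok
2021-04-26T10:15:00 alice 198.51.100.7 US ok
2021-04-27T08:00:00 alice 198.51.100.7 US ok
2021-04-28T08:00:00 alice 192.0.2.44 GB ok
"""
# Constructed login history: countries each user has previously logged in from.
KNOWN_LOCATIONS = {"alice": ["US"], "frank": ["US"]}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Z]{2}) (ok|fail)$")


def parse(log):
    """Turn log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, country, result = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "country": country, "ok": result == "ok"})
    return events


def credential_stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """IPs that tried >= min_users distinct usernames inside one window -> {ip: all users tried}."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if len({e["user"] for e in evs[start:end + 1]}) >= min_users:
                flagged[ip] = {e["user"] for e in evs}
                break
    return flagged


def accounts_to_lock(events, flagged_ips):
    """Accounts a flagged IP actually got into: lock them and force a password reset."""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in flagged_ips})


def new_location_logins(events, known):
    """Successful logins from a country not in the user's history -> [(user, country, ip)]."""
    seen = {user: set(countries) for user, countries in known.items()}
    notices = []
    for e in sorted(events, key=lambda e: e["time"]):
        if not e["ok"]:
            continue
        history = seen.setdefault(e["user"], set())
        if e["country"] not in history:  # would trigger the login notification e-mail
            notices.append((e["user"], e["country"], e["ip"]))
            history.add(e["country"])
    return notices
```

On the constructed log, the stuffing source is flagged after its fifth distinct username, frank's account (the one successful hit from that IP) is the only one to lock, and two new-location notices go out: frank from GB and, two days later, alice from GB.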
Yes--it's not unusual for sites to get hacked. Most likely never find out.



Or March 1, depending on the time zone. It's right on the month boundary.



It's possible, yes. However, I don't think we've seen data from Epik in the credential stuffing attacks we've faced recently.



Yes, there have been several. Most appear to have been you, but there was one mildly suspicious attempt from the UK on April 26. If that doesn't sound right, please DM or open a support request in the tech support forum.



They're still sent if anything about the login looks suspicious--for example, if you log in from a new location.
Fantastic input and efforts, Paul. Thanks.
 
This is a well-organized, and well-planned campaign against E. ( Should E buy HD's EpikFail .com asap or ?)

LINK: https://www.dailydot.com/debug/epik-hack-far-right-sites-anonymous/

"A Linux engineer tasked with conducting an impact assessment on behalf of a client who uses Epik’s services told the Daily Dot that the breach was one of the worst he had ever seen. The engineer did not have permission to speak about the breach by his employer and was granted anonymity by the Daily Dot.

“They are fully compromised end-to-end,” they said. “Maybe the worst I’ve ever seen in my 20-year career.”

The engineer pointed the Daily Dot to what they described as Epik’s “entire primary database,” which contains hosting account usernames and passwords, SSH keys, and even some credit card numbers—all stored in plaintext.

The data also includes Auth-Codes, passcodes that are needed to transfer a domain name between registrars. The engineer stated that with all the data in the leak, which also included admin passwords for WordPress logins, any attacker could easily take over the websites of countless Epik customers.

The Daily Dot was unable to confirm the claims made in the press release by Anonymous that every single one of Epik’s customers were exposed in the breach.

Analysis suggests that hacked data goes up until Feb. 28, 2021. The data’s release comes just days after hackers aligned with Anonymous defaced the official website for the Republican Party of Texas over the state’s new restrictions on abortion."
 
Wow I have been out of the loop on this, just caught up to the last post.

This is the type of attack the left loves to see, as you can witness from the relentless commentary of those on the left everywhere, their foundation of hatred is shown when one of their adversaries suffers a loss of any kind. The left wants total control of speech in a hegemonic way, and if you think Epik getting attacked like this is good, you are likely an authoritarian that belongs to that group of individuals. Liberty ends when speech is controlled, that's why we must fight with everything we have to ensure companies like Epik survive. Domains are the last frontier for our liberty worldwide, no doubt they will be attacked relentlessly.

The good thing is this, domains are a strong frontier. These tools are way stronger than any social media handle individually, and that's what we have to remember when we see a whole registrar come under attack in a coordinated effort. This is a WAR and the losers always play dirty.

As far as Auth codes go, you can just lock your domains and the auth codes won't matter. You can also have the domains "super locked" to prevent fast transfers inside your account, should you need that extra layer of security. Although I haven't been at Epik since the beginning of July, I don't see how this breach will affect domain names at all. It sounds like the person who wrote the description of the breach has little knowledge of how domain names truly operate.

The Epik tech team is highly skilled and competent, worked together with them for almost 2 years and I can say they are incredible human beings from the work they do every day. The only thing this attack will yield is a higher level of competence for that team, I have no doubt about it. I say that as a non-employee customer.
 
Wow I have been out of the loop on this, just caught up to the last post.

This is the type of attack the left loves to see, as you can witness from the relentless commentary of those on the left everywhere, their foundation of hatred is shown when one of their adversaries suffers a loss of any kind. The left wants total control of speech in a hegemonic way, and if you think Epik getting attacked like this is good, you are likely an authoritarian that belongs to that group of individuals. Liberty ends when speech is controlled, that's why we must fight with everything we have to ensure companies like Epik survive. Domains are the last frontier for our liberty worldwide, no doubt they will be attacked relentlessly.

The good thing is this, domains are a strong frontier. These tools are way stronger than any social media handle individually, and that's what we have to remember when we see a whole registrar come under attack in a coordinated effort. This is a WAR and the losers always play dirty.

As far as Auth codes go, you can just lock your domains and the auth codes won't matter. You can also have the domains "super locked" to prevent fast transfers inside your account, should you need that extra layer of security. Although I haven't been at Epik since the beginning of July, I don't see how this breach will affect domain names at all. It sounds like the person who wrote the description of the breach has little knowledge of how domain names truly operate.

The Epik tech team is highly skilled and competent, worked together with them for almost 2 years and I can say they are incredible human beings from the work they do every day. The only thing this attack will yield is a higher level of competence for that team, I have no doubt about it. I say that as a non-employee customer.

Blah Blah Blah.

Left, Right, Center it doesn't matter. Epik just like any other company is tasked with protecting sensitive data.

From all reports, in this case they seem to have failed. That has nothing to do with politics.

Additionally, allegedly storing much of this information in plain text? Come on.

Epik, and anyone associated with Epik, needs to address the actual concerns regarding the disastrous data breach, instead of trying to turn it into some political bullshit.

Brad
 
How can you blame the victim? I don't understand it. Epik is the victim here. Am I missing something in all of this? It's like trying to justify the hack.

At the end of the day Epik, like any other company, is tasked with protecting customer's data.

They apparently failed at that, including storing crucial data in plain text.

How are they the victim? When Verizon is hacked are they the victim? When T-mobile is hacked are they the victim?

The real victims are the customers who potentially had sensitive information leaked.

If you want to be a big boy company, you need to accept responsibility when you fail to safeguard data and not play the victim.

Brad
 
Wow I have been out of the loop on this, just caught up to the last post.

This is the type of attack the left loves to see,

Please stop with the politics. So boring.

The Epik tech team is highly skilled and competent
I'm sorry, but this week's events dispute that claim.
 
Please stop with the politics. So boring.

Nah this is a political attack, if it bores you there is an IGNORE button you are welcomed to click anytime. Domain names are the final attack vector they can't shut-down, they've successfully done so with hosting through AWS for example, but domains are practically untouchable. Which is why they matter so much and why they have to focus on registrars to try to affect their operations.

Domains are indeed politically neutral, a big reason why the left is so unhinged on trying to shut them down politically. There is nothing more powerful than a domain, their desperation is blatantly obvious.

I'm sorry, but this week's events dispute that claim.

The hack appears to have taken place off-site, meaning none of the Epik services were actually breached. I worked there for almost two years and I know what it takes to access that backend. This has much bigger implications than what a single team would be responsible for, it likely involves a major company that is also politically inclined to the hardcore-left and they were the ones compromised. How? Who knows. Hopefully we find out so we can all pivot.



Blah Blah Blah.

Left, Right, Center it doesn't matter. Epik just like any other company is tasked with protecting sensitive data.

From all reports, in this case they seem to have failed. That has nothing to do with politics.

Additionally, allegedly storing much of this information in plain text? Come on.

Epik, and anyone associated with Epik, needs to address the actual concerns regarding the disastrous data breach, instead of trying to turn it into some political bullshit.

Brad

Brad, you're ignoring the substance of the attack. This is entirely political. The plain text stuff is not something I'm qualified to judge, but if you think the politics is "blah blah blah" then you're missing the point. Division is driving this attack and Epik has been singled out for a very long time for being willing to stand up for the right. It is a problem everyone from the center, to the right faces worldwide. This includes libertarians, voluntarysts, and centrists.

Like I said, I'm not speaking as an Epik employee (haven't been since early July), simply as someone who has been on the receiving end of hate and prosecution for not being a left-winger. The entire argument falls apart when you realize most of us are not even right-wing, we are libertarian and freedom-loving individuals willing to defend the rights of all parties who wish to transact with us. If that doesn't concern you, then you still haven't been faced with the possibility of you yourself being attacked for not agreeing entirely with the agenda at hand.

I'm sure the team is going to review all attack vectors and revert to a safer procedure. Like I said, this only made Epik stronger and more self-aware. At least that is my perspective from the outside. We all have a vested interest in making Epik stronger, if one registrar falls for hosting a certain type of political content, no registrar is safe and the entire idea of a domain name being a strong citadel against political neanderthalism will be erased.

Anyway, back to work! Good talking to you all.
 
This is a well-organized, and well-planned campaign against E. ( Should E buy HD's EpikFail .com asap or ?)


Not shocking, as most fascist driven attacks are. It's fascinating and equally depressing, how so many people are invested in speaking about the damage that has occurred to Epik, while being intentionally apathetic to the point of avoiding and even shutting down any discussion regarding why the attack and damage occurred in the first place.

Truly sad times we're in.
 
and why they have to focus on registrars to try to affect their operations.
Dan, companies of all sorts are hacked every week, many by Anonymous. Yet this is the first major registrar I've seen breached recently -- and the only one by Anonymous (which is much more of a loose collection of trolls and opportunists rather than a political or ideological organization). Given this is the first, how can you claim that there is a "focus" on registrars?

The hack appears to have taken place off-site, meaning none of the Epik services were actually breached. I worked there for almost two years and I know what it takes to access that backend.
Did you look at the breach files? It most definitely took place on-site.

And if you peek into the home folders of the server that was leaked, you see most of their DevOps team had unprotected SSH keys in their home folders which granted lateral root access to other servers on their network. That is unsafe and is frankly a display of incompetency.

With respect, it is comical to say that Epik's team is "highly skilled and competent" after suffering a breach of this magnitude. They had a job to protect their infrastructure and their customers' data and they failed, epicly.

Also, if this was a long-term backup server that was breached, as Rob stated, there is no reason for it to be left unencrypted.

it likely involves a major company that is also politically inclined to the hardcore-left

No. Lol.
 
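The post above points at unprotected SSH private keys sitting in DevOps home folders, which is exactly the kind of thing a defender should be auditing for before a backup of /home ever leaves the building. Here is an added Python example (not code from the thread or from Epik) that walks a home tree and reports private keys with no passphrase or loose permissions; it reads the cipher name out of the openssh-key-v1 blob and the Proc-Type header of legacy PEM keys, and builds a constructed sample tree so it runs offline.

```python
import base64
import os
import struct
import tempfile

OPENSSH_HEADER = b"-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_FOOTER = b"-----END OPENSSH PRIVATE KEY-----"
PEM_HEADERS = (b"-----BEGIN RSA PRIVATE KEY-----", b"-----BEGIN EC PRIVATE KEY-----")


def openssh_cipher(data):
    """Cipher name recorded in an openssh-key-v1 blob; 'none' means no passphrase."""
    body = data.split(OPENSSH_HEADER, 1)[1].split(OPENSSH_FOOTER, 1)[0]
    raw = base64.b64decode(b"".join(body.split()))
    if not raw.startswith(b"openssh-key-v1\x00"):
        raise ValueError("not an openssh-key-v1 blob")
    (n,) = struct.unpack(">I", raw[15:19])  # after the 15-byte magic: length-prefixed ciphername
    return raw[19:19 + n].decode()


def key_is_encrypted(data):
    """True if the private key material is protected by a passphrase."""
    if data.startswith(OPENSSH_HEADER):
        return openssh_cipher(data) != "none"
    if data.startswith(PEM_HEADERS):
        return b"Proc-Type: 4,ENCRYPTED" in data  # legacy PEM marks encryption in a header line
    raise ValueError("unrecognised private key format")


def audit_home_dirs(root):
    """Walk root (e.g. /home); return [(relative path, problems)] for weak private keys."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read(65536)  # private keys are small; cap the read anyway
            if not data.startswith((OPENSSH_HEADER,) + PEM_HEADERS):
                continue
            problems = []
            if not key_is_encrypted(data):
                problems.append("no passphrase")
            if os.stat(path).st_mode & 0o077:
                problems.append("group/world readable")
            if problems:
                findings.append((os.path.relpath(path, root), problems))
    return findings


def constructed_openssh_key(cipher):
    """Minimal openssh-key-v1 blob holding only the ciphername (constructed; not a usable key)."""
    raw = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher.encode()
    return OPENSSH_HEADER + b"\n" + base64.b64encode(raw) + b"\n" + OPENSSH_FOOTER + b"\n"


# Constructed legacy PEM key: real header lines, placeholder body, no real key material.
CONSTRUCTED_ENCRYPTED_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                             b"DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                             b"cGxhY2Vob2xkZXI=\n-----END RSA PRIVATE KEY-----\n")


def make_sample_tree():
    """Create a throwaway /home-like tree with constructed keys; returns its path."""
    root = tempfile.mkdtemp()
    samples = {"alice/.ssh/id_ed25519": (constructed_openssh_key("none"), 0o600),
               "bob/.ssh/id_rsa": (CONSTRUCTED_ENCRYPTED_PEM, 0o644),
               "carol/.ssh/id_rsa": (constructed_openssh_key("aes256-ctr"), 0o600)}
    for rel, (content, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
        os.chmod(path, mode)
    return root
```

Run `audit_home_dirs("/home")` as root on a real box; on the sample tree it flags alice's key for lacking a passphrase and bob's for being group/world readable, while carol's passphrase-protected key with 0600 permissions passes.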
Wow I have been out of the loop on this, just caught up to the last post.

This is the type of attack the left loves to see, as you can witness from the relentless commentary of those on the left everywhere, their foundation of hatred is shown when one of their adversaries suffers a loss of any kind. The left wants total control of speech in a hegemonic way, and if you think Epik getting attacked like this is good, you are likely an authoritarian that belongs to that group of individuals. Liberty ends when speech is controlled, that's why we must fight with everything we have to ensure companies like Epik survive. Domains are the last frontier for our liberty worldwide, no doubt they will be attacked relentlessly.

The good thing is this, domains are a strong frontier. These tools are way stronger than any social media handle individually, and that's what we have to remember when we see a whole registrar come under attack in a coordinated effort. This is a WAR and the losers always play dirty.

As far as Auth codes go, you can just lock your domains and the auth codes won't matter. You can also have the domains "super locked" to prevent fast transfers inside your account, should you need that extra layer of security. Although I haven't been at Epik since the beginning of July, I don't see how this breach will affect domain names at all. It sounds like the person who wrote the description of the breach has little knowledge of how domain names truly operate.

The Epik tech team is highly skilled and competent, worked together with them for almost 2 years and I can say they are incredible human beings from the work they do every day. The only thing this attack will yield is a higher level of competence for that team, I have no doubt about it. I say that as a non-employee customer.

Great post! I agree with you and it's a shame others are unable to see the motive for what it is, as that's an integral part of the discussion. It's crazy to see so many people here avoiding the elephant in the room, to the point where they are responding to your comment above with "blah blah blah". Hopefully Epik recovers from this, but as you stated, this is precisely what people with radical ideologies wish to see.

Cheers!
 
Dan, companies of all sorts are hacked every week, many by Anonymous. Yet this is the first major registrar I've seen breached recently -- and the only one by Anonymous (which is much more of a loose collection of trolls and opportunists rather than a political or ideological organization). Given this is the first, how can you claim that there is a "focus" on registrars?


Did you look at the breach files? It most definitely took place on-site.

And if you peek into the home folders of the server that was leaked, you see most of their DevOps team had unprotected SSH keys in their home folders which granted lateral root access to other servers on their network. That is unsafe and is frankly a display of incompetency.

With respect, it is comical to say that Epik's team is "highly skilled and competent" after suffering a breach of this magnitude. They had a job to protect their infrastructure and their customers' data and they failed, epicly.

Also, if this was a long-term backup server that was breached, as Rob stated, there is no reason for it to be left unencrypted.



No. Lol.

No, I didn't look at the files. Just going by what has been shared so far publicly. Not saying they didn't have fault in the issue, but from what Rob has said so far it doesn't seem to have happened at Epik.com itself. Agreed they should have done a better job at encrypting.

AWS is politically inclined to take down sites like Parler, wouldn't you agree?

The focus is on THIS registrar because there is a large number of individuals who are targeted by far-left groups who want all dissenting voices silenced. Whether those voices are correct or not, it is not their job to arbitrarily shut-down their sites by targeting a registrar that hosts them. Places like Godaddy are quick to act at the behest of these groups out of fear of losing their perception of wokeness. Epik is a place that has been protective of ALL voices, even those they don't personally agree with. I have seen it in action. There is no doubt a place like Epik is a danger to those who want a hegemonic voice of truth.
 
so sad the level of hatred and the NamePros community is so divided!

Cheers
Corey
 