Epik Had A Major Breach

Yes, the attack on her was reprehensible. She was intimidated, doxxed, and threatened by Epik related parties. Now it appears to go far deeper than just some random events of chance. It appears to have been some orchestrated campaign.

Brad

@Molly White

1) [image: 111.png]

...

2) [image: 222.png]

3)
TLDR: Epik bug bounty program failed to act on reported security holes, but instead allegedly paid out $2,000 in what appears to be some kind of human bounty program? That doesn't sound like very reasonable Christian/security-minded folk to me.

Perhaps epik should dismantle their human/journalist bounty program, and redirect that time/energy/money to fixing/developing a working security bug bounty program. You know, this time for fixing actual security bugs, instead of harassing buggy people.
 
Side note: obviously, being a public forum, some of the replies to this thread are now circulating on Twitter.
 
About the obligation to notify of a breach under GDPR
https://ec.europa.eu/info/law/law-t...ch-and-what-do-we-have-do-case-data-breach_en


Googling this turned up quite a few ads for law firms offering to seek compensation for anyone affected by a breach!

Example amounts of compensation for breaches:

https://www.data-breaches.co.uk/data-breach-protection-claims-and-compensation/amounts/

How much is the average compensation for breach of the Data Protection Act?
The average compensation for breach of the Data Protection Act is between £1,000 and £42,900. In some cases, you may be able to claim more compensation for personal data breach that causes you distress.

Example compensation amounts for distress caused by GDPR data breach
The average compensation awarded for GDPR data breaches is between £1,000 and £42,900, however, in some cases, you can claim more compensation if the breach of your personal data has caused you distress.

Do I have to go to court to get compensation for a breach of data protection law?
The GDPR gives you a right to claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law. You do not have to go to court to obtain compensation, as the organisation may agree to pay you. If the company does not agree to pay, you may need to make a claim in court to claim your compensation. You can claim for both “material damage” (e.g. you have lost money) or “non-material damage” (e.g. you have suffered distress). You do not have to make a court claim to obtain compensation – the organisation may simply agree to pay it to you.
 
harboring sites that have a dangerous call to action, like with Gab

Do you even use Gab? I'm there daily. It's not the site you think it is. Just a place that Conservatives feel more comfortable posting. Places like Twitter, Reddit, and Facebook will all censor you. I'm not okay with that. If I want to express something that's unpopular I should be allowed to do so. Epik doesn't harbor sites, Epik has taken a stand against tyranny. That's why Gab and Epik will survive. It is not yet against the law to say something unpopular. There are growing consequences of course and that's very unfortunate but realize that your freedoms are being fought for even if you don't like it. One day, you might want to say something unpopular and have nowhere to post it.

On another note, I'd like to actually see the data stolen. Not gonna DL GB's to do it but I'd love to see the format. Are the PW's really in plain text? How many tables were grabbed. What's the schema? Does the data contain what domain names are owned by the accounts?

btw, quick story about Epik. I have a problem with my accounts being a target. When I moved all my domains to Epik I had spoken to Rob about it, he assured me things would be fine. Wasn't too long before indeed my Epik account was stolen by crafty social engineers towards their support system. I was back and forth with Rob for a few days because my account would get recovered then stolen again. No domains were lost but my PW was continually being reset and my access lost. Rob worked with me to increase the security and end the problem and since then it's been solid. My point is that despite being flawed Epik is going to do their best to stop domain thefts. And until they fail that mission, I'll be happy to stay there. We should all help them with suggestions and methods of improving their service.

If you are still in love with the man then you should settle that private matter in a bedroom.

Wow. Supporting a business that shares your political views doesn't mean you're in love. I don't shop Walmart but that doesn't mean I hate them. I'd leave Epik the moment they stopped serving my purpose. Until then, they have my support. I spent years at Moniker, then at Uniregistry, and now Epik. Notice the pattern? These are domainer registrars. Who is better right now than Epik if you're a domainer? Give me the link please.

We are analyzing the data with a focus on identifying sites that spread COVID misinformation (others are looking for fash, why duplicate efforts)

And that is just unacceptable. If you don't see the evil behind this and that Rob is fighting the good-fight, there is no hope left in the world. Someone out there is under the belief that discussions that don't fall under the government allowed topics should be hacked, exposed, and probably worse. Are any of you okay with that? If anything this strengthens my resolve to help Rob and stick with Epik.

btw, GDPR is a joke for US citizens and companies. They can't do anything about it if you don't comply. Americans don't need to follow EU laws. There are no real consequences.
 
Do you even use Gab? I'm there daily. It's not the site you think it is. Just a place that Conservatives feel more comfortable posting. Places like Twitter, Reddit, and Facebook will all censor you. I'm not okay with that. If I want to express something that's unpopular I should be allowed to do so. Epik doesn't harbor sites, Epik has taken a stand against tyranny. That's why Gab and Epik will survive. It is not yet against the law to say something unpopular. There are growing consequences of course and that's very unfortunate but realize that your freedoms are being fought for even if you don't like it. One day, you might want to say something unpopular and have nowhere to post it.

Gab literally hosts domestic terrorists. Disgusting that you go there daily. It's also not true that Facebook censors conservatives. The top 10 posts daily are conservatives. I can show you this. I can also show you the crowd on Gab.
 
btw, GDPR is a joke for US citizens and companies. They can't do anything about it if you don't comply. Americans don't need to follow EU laws. There are no real consequences.

GDPR is great and yes they can. If American companies don’t want to follow GDPR laws, they should block all EU (and UK) citizens from accessing their site (which some do); data protection laws apply even to logging IP addresses.

American companies that deal with EU/UK citizens have to abide by GDPR and I'm sure various other data protection laws wherever a particular person is from in the world by law.
 
I don't get involved in political issues, I always try to do good to others not just around me but all around the world without requiring their full bio and beliefs.
The data exposed will harm people that never even heard of the things that the group uses to justify this action, hurting people without any sort of affiliations and some even more left-wing than the attackers. Yes, this was an attack on the privacy and security of thousands of persons.
I ask this: is that fair, or do they simply not care? The latter, I'm sure.
 
Epik Suggestion: On the checkout page, the "Save Credit Card" should NOT be checked by default. I almost forget to uncheck this every time.

Please change to default to "Not Checked".
 
We are analyzing the data with a focus on identifying sites that spread COVID misinformation (others are looking for fash, why duplicate efforts)

Someone out there is under the belief that discussions that don't fall under the government allowed topics should be hacked, exposed, and probably worse. Are any of you okay with that?

I would be okay with other WHOIS privacy services getting hacked, and released for transparent public knowledge. It would literally be the domain name version of the panama papers transparent distribution, right?

GoDaddy WHOIS proxy probably being the largest database, would surely release more connections to covid misinformation sites than the marginally smaller anonymize.com database leak.

Who's to say the breach only affects the political right wing? Are we to assume nobody from the left had their information exposed in this breach? And when did it become more about bad politics than poor security?

Governments selectively subpoena this information all the time. What's the harm in removing all WHOIS privacy?

It just so happens that a combination of epikly poor security and unfavorable opinions collided, resulting in the leak we see now. As unfavorable is subjective, surely GoDaddy/NameCheap etc have some folks who view them with an unfavorable opinion, but the difference here appears to be GoDaddy/NameCheap actually take their customer information seriously, until proven otherwise, as we saw with epik who claimed to take security seriously as well, but just didn't have the code/updates/bugbounty to walk the talk.

Not gonna DL GB's to do it but I'd love to see the format.


Are the PW's really in plain text?

Apparently they lacked salt or hash.


 
GDPR is great and yes they can. If American companies don’t want to follow GDPR laws, they should block all EU (and UK) citizens from accessing their site (which some do); data protection laws apply even to logging IP addresses.

American companies that deal with EU/UK citizens have to abide by GDPR and I'm sure various other data protection laws wherever a particular person is from in the world by law.

And US companies do get fined under GDPR:

https://www.usitc.gov/publications/332/executive_briefings/gdpr_enforcement.pdf
GDPR Fines against U.S. Companies

Since May 2018, EU member state data regulators have imposed fines on many companies for GDPR violations. Although a majority of these fines have been low in value, the EU has collectively imposed more than €380 million ($417 million) in total fines under GDPR. The second and third largest fines were imposed on U.S.-based multinational companies Google and Marriott (table 1), while the largest so far was a £183 million ($229 million) fine imposed by the UK Information Commission Office (UK ICO) against British Airways. In July 2019, the UK ICO issued a £99 million ($118 million) fine against Marriott after the company discovered an earlier data breach in November 2018; this breach originally occurred in late 2014 in affiliate firm Starwood’s data before Starwood was acquired by Marriott, and before GDPR was implemented. This breach ultimately compromised the passwords and credit card records of 30 million EU residents. The UK ICO’s fine against Marriott represented 3 percent of its worldwide annual revenue, which is close to the maximum penalty allowed by GDPR.

https://www.compliancejunction.com/gdpr-for-us-companies/
The reputational damage to companies that do not comply with the new law could be more costly than the GDPR fines themselves.

It is very possible that some of your competitors will be preparing to use GDPR compliance as a competitive advantage to position themselves ahead in the marketplace.

Are you prepared to suffer the reputational damage that non-compliance could bring to your company? In the months and years ahead, data privacy could become the new arena for marketers to compete and win new customers, and your company should be preparing for that battle.
 
I would be okay with other WHOIS privacy services getting hacked, and released for transparent public knowledge. It would literally be the domain name version of the panama papers transparent distribution, right?

GoDaddy WHOIS proxy probably being the largest database, would surely release more connections to covid misinformation sites than the marginally smaller anonymize.com database leak.

Who's to say the breach only affects the political right wing? Are we to assume nobody from the left had their information exposed in this breach? And when did it become more about bad politics than poor security?

Governments selectively subpoena this information all the time. What's the harm in removing all WHOIS privacy?

It just so happens that a combination of epikly poor security and unfavorable opinions collided, resulting in the leak we see now. As unfavorable is subjective, surely GoDaddy/NameCheap etc have some folks who view them with an unfavorable opinion, but the difference here appears to be GoDaddy/NameCheap actually take their customer information seriously, until proven otherwise, as we saw with epik who claimed to take security seriously as well, but just didn't have the code/updates/bugbounty to walk the talk.






Apparently they lacked salt or hash.



The more that comes out about this, the level of incompetence becomes even more apparent.

Companies face attacks quite often. In this case poor security measures appear to have led to many of the issues.

Brad
 
I am curious what "alternative news" epik retail clients will do now. They must be discussing everything in private groups or chats, no doubts...

Switch registrar? Yeah they can try, but, since no other ICANN-accredited registrar would welcome them, this method will not work.

Remain with Epik? They no longer trust Epik, obviously.

So...

Best guess: they will shut their .com domains down, sooner or later, voluntarily, and will switch to other extensions. Iceland (.is), or maybe former USSR .su - this TLD still exists and is managed by Russia. One known "alternative" website is well and alive under .su (after having major issues with its .com).

Russians everywhere? LOL. Sold bad code to Epik, are providing domain in .su tld to at least one "alternative" U.S.-facing website, etc., etc., etc...

Moreover, the new domains would not have any real ownership info even in .su/.is/whatever registries - the owners likely learned their lesson.

But we are all domainers here. Actually, not having "toxic" clients will help Epik to survive as a domainers registrar. Which is a positive outcome...
 
I am curious what "alternative news" epik retail clients will do now. They must be discussing everything in private groups or chats, no doubts...

Switch registrar? Yeah they can try, but, since no other ICANN-accredited registrar would welcome them, this method will not work.

Remain with Epik? They no longer trust Epik, obviously.

So...

Best guess: they will shut their .com domains down, sooner or later, voluntarily, and will switch to other extensions. Iceland (.is), or maybe former USSR .su - this TLD still exists and is managed by Russia. One known "alternative" website is well and alive under .su (after having major issues with its .com).

Russians everywhere? LOL. Sold bad code to Epik, are providing domain in .su tld to at least one "alternative" U.S.-facing website, etc., etc., etc...

Moreover, the new domains would not have any real ownership info even in .su/.is/whatever registries - the owners likely learned their lesson.

But we are all domainers here. Actually, not having "toxic" clients will help Epik to survive as a domainers registrar. Which is a positive outcome...

My opinion on Monday we're going to see folks not showing up to work, as they know their employers are about to find out about their secret lives.

By Friday we're going to hear of actual firings with press releases, as businesses realize that employing terrorists is bad.

HOWEVER, I've seen evidence that there was an extra level of redactions on some of the most egregious sites, and the info was not exposed, as if someone manually did this as a favor to the site owners (some of you PM the CEO to ask for personal favors all of the time, I have learned in this thread; I'm sure these high profile ideological sites that he wants to preserve get even extra special treatment). So those folks are going to stay and repay Rob for his loyalty to their cause.

But, will the hackers leave something open? Are they going to reveal everything?

To me, it feels like Rob is learning about this like we are, but we'll see. He's untrustworthy and vague.
 
I'm furious that they kept failed password attempts in plain text because I specifically remember how often I would forget the password there and spend minutes trying everything I could think of.

Even not supporting this evil company anymore gets me embroiled in this mess.
 
I'm furious that they kept failed password attempts in plain text because I specifically remember how often I would forget the password there and spend minutes trying everything I could think of.

Even not supporting this evil company anymore gets me embroiled in this mess.

Question, HOW DOES THIS HAPPEN?

Why would there be logs for this?

Who were these logs for? Who coded that? Who had access to those logs? Everyone at Epik?

Was there really another breach in 2020?

The data in this breach is WILD.
 
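The questions in the post above (why failed password attempts were logged verbatim, and the earlier point that passwords lacked salt or hash) both come down to what a login handler chooses to persist. As an added illustration, not code from Epik or from anyone in this thread, here is a minimal Python login store that keeps only a per-user salted PBKDF2 hash and records failed attempts by account and time, never by the submitted password; the class and function names are assumed.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# Added example (assumed names): a login handler that neither stores passwords
# in recoverable form nor writes the typed password into the failure log.
PBKDF2_ITERATIONS = 600_000  # order of magnitude OWASP recommends for PBKDF2-HMAC-SHA256


@dataclass
class AuthStore:
    """In-memory stand-in for the user table and the audit log."""
    users: dict = field(default_factory=dict)       # username -> (salt, hash)
    failed_log: list = field(default_factory=list)  # one record per failed attempt

    def register(self, username: str, password: str) -> None:
        # A fresh random salt per user: identical passwords hash differently,
        # so a dumped table cannot be attacked with precomputed tables.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self.users[username] = (salt, digest)

    def login(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        if record is None:
            # Unknown account: still log the failure, still without the password.
            self._record_failure(username)
            return False
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        # compare_digest keeps the comparison constant-time.
        if hmac.compare_digest(candidate, stored):
            return True
        self._record_failure(username)
        return False

    def _record_failure(self, username: str) -> None:
        # Who and when is enough for lockout and alerting. Leaving the typed
        # value out means a mistyped password reused elsewhere is not exposed
        # if the log itself is ever leaked.
        self.failed_log.append({"user": username, "ts": time.time()})

    def log_mentions(self, secret: str) -> bool:
        """True if the persisted state contains the plaintext secret; should always be False."""
        return secret in (repr(self.failed_log) + repr(self.users))


def demo() -> AuthStore:
    # Constructed sample session: one typo (logged as a failure), then a correct login.
    store = AuthStore()
    store.register("alice", "correct horse battery staple")
    store.login("alice", "Correct horse battery staple")
    store.login("alice", "correct horse battery staple")
    return store
```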
@Beezy,

The man posted here while not obligated to; in fact, one could argue people like you will see all his posts negatively, regardless of substance.
It seems you are seeing nefarious actions that are not there. Rob is more trustworthy than any other CEO, since he u kno “actually posted”; amazing thing, posted before, & still more after.

Once more, i would like to take the opportunity, to thank @Rob Monster for actually replying.

Samer
 
Rob is more trustworthy than any other CEO, since he u kno “actually posted”
Lol, wut tf?

Such an absurd statement that doesn't jibe with reality in the slightest.

I'm having to spend my day changing passwords on dozens of accounts because of R.M.'s shitshow, and here you are fanboying as usual. Get a grip dude.
 
When I see "123" and "toor" passwords of admins and even in plain text - I have no comments, Swiss bank of domains.
 
When I see "123" and "toor" passwords of admins and even in plain text - I have no comments, Swiss bank of domains.

It seems more like the Swiss cheese of cybersecurity, with all the holes in it.

Brad
 
At this point even 2FA or whatever won't help since anyone can just screw around using the admin accounts.
 