
Epik Had A Major Breach

Silentptnr
The views expressed on this page by users and staff are their own, not those of NamePros.
Quoting from Molly's transcript, I guess it was around that time, May 2020:

Monster, 3:38:54 There was a time when, before Epik became more wildly successful, there was a time actually during the time of COVID when a lot of businesses were shutting down, and you couldn’t actually borrow any money very easily. And so we had refinanced the house and I used the proceeds of the refinance of the house to keep everybody fully employed at Epik. And that at the time was slightly awkward [unintelligible] but it all worked out, and we’re better off for it.

Also from the transcript: https://blog.mollywhite.net/monster-qa/
Monster, 0:15:06 ... And then in June of this year, we raised $32 million. And we ended up basically being able to just dramatically…
The last email from Epik ("Update and Options for Affected Epik Users", dated Sep 20th) appears to be written by a lawyer. Which is a good sign - no politics, no religion. It is unfortunate that the lawyer is so US-centric that (s)he forgot about non-U.S. Epik customers. With all due respect, non-U.S. customers are unable to call U.S. toll-free 800 numbers, and all the references to "free credit monitoring", "Federal Trade Commission" and the like are irrelevant outside the U.S...
Toxicity is on maximum now.
Regardless of fakes or not, experiments, honeypot etc.
Very interesting...

I am also sure the DOJ and FBI will absolutely love information about their investigation and subpoenas being revealed in this data breach.

Brad

There is another angle of Epik that could invite investigation, especially of customers: Tax.

Rob Monster had been advertising their escrow services on here saying that could help sellers transact "tax-free": That certainly could attract attention.

https://www.namepros.com/threads/if...ng-time-and-money.1119508/page-2#post-7080342

Which was in reply to this claim: https://www.namepros.com/threads/if...-wasting-time-and-money.1119508/#post-7079390

In the UK you have to say on your tax return if you used any tax avoidance schemes. Forget to say so, get in trouble later. Say yes and you have to identify what you did so the taxman can look into it.
- WLM was disabled as well, not working (impossible to fix; Noel staff don't know what the White Label Marketplace powered by Epik is).

- Free WordPress option for new installs no longer available.
not that common

certainly not among registrars
What I meant, and should have said, is that it is common among the micro circle of owners that I know.

...

In fairness, I'm not referring to the extra step that requires the registrar to register a searched domain in order for it to be front running, but to when you search for a domain at Godaddy, add to cart, and a few days/weeks/months later it's not uncommon to receive an email from Godaddy asking if I'd like to continue with my purchase.

I would however challenge whomever has access to the alleged table that contains every domain that was ever added to cart at Epik to audit that table against domains currently owned by Epik or an Epik employee, as that evidence would be needed to prove domain front running. As is, isn't storing items added to cart common practice, or is that limited to Ebay/Godaddy?
Looks like all activity on Epik is tracked and logged...
Why was Epik storing sensitive information in plain text? It's 2021, how many hacks and leaks have we seen to learn from? And still, we have to deal with companies like Epik leaking sensitive information in PLAIN text? Just incredible stupidity.

The only upside to this breach is this: "Monster acknowledged the breach in the meeting, alleging that the attackers not only hacked a backup of the company’s data, but also made away with $100,000 from his Coinbase account using information obtained from the breach."

I'm glad that karma is biting them in the ass for this. Albeit, at our expense as well.
"Negligence to protect your information by the company may face a lawsuit for the damages incurred."

What damages?

"Great my email address is compromised now...cuz I had the same password as Epik."

Please let that be sarcasm. It's incredibly poor security practice to use the same password across services/sites. And yes, just as bad as Epik storing our PW's in plaintext.

ROBMONSTERENABLESNAZIS.COM is sad. Rob, please ignore the trolls. They're gonna do what they're gonna do. Fighting them just makes more of them come out of the woods. When they figure out you don't give a crap and that their trolling doesn't affect you, they crawl back into their holes waiting for some other target. They were trolls before they found you and they'll be trolls long after you're destroyed, if you allow it. Ignore them, no matter what nonsense they say.

I own the domain KillCops.com, I am not for killing cops, I have never used the domain and likely never will. Just something I bought for $10 years ago. Who cares if Rob has some Nazi domains. I got some .gay domains too, not gay. This type of nonsense in this thread is really beneath some of you.

Looks like all activity on Epik is tracked and logged...

Not uncommon as a security practice. But I cringe since a very common and practically required security practice is to encrypt passwords. IMHO basically whoever is in charge of security, should get fired. Rob ain't a coder. I tend to doubt he has the technical expertise to properly project manage his company. This is why Steve Jobs and Bill Gates created two of the largest tech companies in the world. Rob is just a dude. Maybe he seriously didn't understand best-practices or how to implement good security.

Rob imho needs to hire someone really competent as CTO. Current CTO has to take the hit for this imho. Sorry to whoever you are dude but let's face it, unless Rob specifically told you to leave it that way it was up to you to ensure the PW's were encrypted. Also up to you was to make sure the backup location was secured. You do know that you could have put a password on the downloaded archive file too right? Create dumps, zip and archive, add password protection (256 character) and upload to backup site.
Why was Epik storing sensitive information in plain text? It's 2021, how many hacks and leaks have we seen to learn from? And still, we have to deal with companies like Epik leaking sensitive information in PLAIN text? Just incredible stupidity.

The only upside to this breach is this: "Monster acknowledged the breach in the meeting, alleging that the attackers not only hacked a backup of the company’s data, but also made away with $100,000 from his Coinbase account using information obtained from the breach."

I'm glad that karma is biting them in the ass for this. Albeit, at our expense as well.

Well, they also appeared to be storing VPN information related to Anonymize.com which was easily trackable back to third parties. It kind of defeats the purpose of a VPN.

Brad
As per one of the tweets:

There are entries in the LOGS tables that contain security questions and answers in plain-text, attached to each transaction the user made with Epik.

(Screenshot attached: city born, school name etc.)

I tried to find this section inside my Epik account (an old dormant account with no domains, if that matters). Cannot find it anywhere. Yeah, I can change password and/or set up or change 2FA - that's all. No security questions section. Where is this section located? Can anybody confirm please?
Rob ain't a coder. I tend to doubt he has the technical expertise to properly project manage his company.

The lapses in security were reportedly brought directly to his attention on multiple occasions, including once by me. He was made aware that his team wasn't doing their job and does not appear to have reacted appropriately.

As an industry, we need to make it clear that ignorance is not an excuse for such poor security practices. If you are being repeatedly informed that there are security issues, and you proceed to cut off communication once you're told that, you're no longer acting in good faith.
In fairness, I'm not referring to the extra step that requires the registrar to register a searched domain in order for it to be front running, but to when you search for a domain at Godaddy, add to cart, and a few days/weeks/months later it's not uncommon to receive an email from Godaddy asking if I'd like to continue with my purchase.

I would however challenge whomever has access to the alleged table that contains every domain that was ever added to cart at Epik to audit that table against domains currently owned by Epik or an Epik employee, as that evidence would be needed to prove domain front running. As is, isn't storing items added to cart common practice, or is that limited to Ebay/Godaddy?

Here is what Rob told me about front running:

"The practice is called front-running. Registrars should not allow it. I am not sure why some registrars allow their staff to run a tail on customer domain search activity but I am sure that it happens. There are too many anecdotal stories of it happening.

Anyway, at Epik, I am sure this does not happen. ...."

https://www.namepros.com/threads/ho...rar-and-their-employees.1123993/#post-7111599
As per one of the tweets:

There are entries in the LOGS tables that contain security questions and answers in plain-text, attached to each transaction the user made with Epik.

(Screenshot attached: city born, school name etc.)

I tried to find this section inside my Epik account (an old dormant account with no domains, if that matters). Cannot find it anywhere. Yeah, I can change password and/or set up or change 2FA - that's all. No security questions section. Where is this section located? Can anybody confirm please?

Absolutely no excuse for that, if true. This data could easily be used when it comes to social engineering.

This is what happens when marketing meets reality.

This is not an issue about "haters". It is an issue with a company failing to do the bare minimum to secure their customer's data properly.

Brad
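Brad's point, that security answers sitting in plain text in a transaction log are ready-made social-engineering material, is something a defender can test for before any log export or backup leaves the environment. The following is an added example, not code from the thread or from Epik: a small scanner that runs over constructed log lines (not real Epik data) and flags fields that look like credentials, auth codes or security-question answers, plus a redaction function for the same fields. The field names, the regular expression and the sample lines are assumptions of this example.

```python
import re
from typing import List, NamedTuple

# Constructed sample log lines, shaped like a per-transaction application
# log that leaks secrets; none of this is real Epik data.
SAMPLE_LOG = """\
2021-09-13 10:22:01 INFO txn_id=4411 user=alice action=renew domain=example.com
2021-09-13 10:22:01 DEBUG txn_id=4411 password=hunter2 security_q="city born" security_a="Springfield"
2021-09-13 10:23:15 INFO txn_id=4412 user=bob action=transfer auth_code=ABC123
2021-09-13 10:24:40 INFO txn_id=4413 user=carol action=login api_key=sk_live_constructed
"""

# Field names (assumed) whose values should never appear in a log in clear.
# The value is either a double-quoted string or a run of non-whitespace.
SENSITIVE_FIELD = re.compile(
    r'\b(?P<key>password|passwd|pwd|secret|token|api_key|auth_code|security_a\w*|answer)'
    r'\s*[=:]\s*(?P<val>"[^"]*"|\S+)',
    re.IGNORECASE,
)


class Finding(NamedTuple):
    line_no: int   # 1-based line in the scanned text
    field: str     # lower-cased field name that carried a clear-text value


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per sensitive field per line, in document order.

    Values are deliberately not copied into the Finding so that the scan
    report itself does not become a second copy of the leaked secrets.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in SENSITIVE_FIELD.finditer(line):
            findings.append(Finding(line_no, match.group("key").lower()))
    return findings


def redact(line: str) -> str:
    """Replace the value of every sensitive field with a fixed marker, keeping
    the field name so the line is still useful for troubleshooting."""
    return SENSITIVE_FIELD.sub(lambda m: f'{m.group("key")}=[REDACTED]', line)


def redact_log(text: str) -> str:
    return "\n".join(redact(line) for line in text.splitlines())


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: clear-text value in field '{f.field}'")
    print(redact_log(SAMPLE_LOG))
```

A check like this belongs in the backup pipeline as a gate (refuse to ship an export with findings) rather than as an after-the-fact report; the question text itself is left in place because, unlike the answer, it is not a secret.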
I can't confirm.
Probably, outdated leak.
OK. In any case, it makes sense to update all security questions in all other places, both domain-related and not. As well as emails and passwords. Since it would not harm anyway, we should probably thank Epik for forcing us to make our external accounts more secure.
I can't confirm.
Probably, outdated leak.

The new sign-on switched to federated identity some time ago. I don't recall having to input security questions/answers at that point.

When I set up my Epik account, I don't recall (not saying I didn't enter it, just saying I don't recall) entering security questions/passwords. An outdated leak seems likely to me.

Still, if confirmed, losing security questions/answers (even if limited to a small subset of customers) could be a major security concern to anyone affected.
Some of the more recent cases of front running (since it became an issue) may be down to domainers using software that queries the nameservers to see if a domain name is registered rather than querying the WHOIS server. The nameservers query is not necessarily proof that a domain name is not registered because each TLD has a number of domain names that have no nameservers but are registered. (The pending-delete domain names would be the best example.)

Regards...jmcc
Actually, I am _almost_ sure that I was never asked to enter security questions / answers on Epik. I'm trying to use random questions and answers anyway, but I see no references to epik questions-answers in my "passwords collection"...
I would however challenge whomever has access to the alleged table that contains every domain that was ever added to cart
Someone posted a list of TLD extensions and domain name counts on Twitter. The problem was that there were Digital Towns domain names in that count for some NGTs (.BOSTON being one of them). The problem was that the .BOSTON count was around 17K whereas the active .BOSTON count is currently around 3K6. The list may have contained current and deleted domain names. Not sure if these were domain names added to the cart or a table of domain names that had been registered via Epik. The correlation of some of the numbers quoted for Epik with numbers from reliable sources is also a problem.

Regards...jmcc
I have always used 2 step auth .. .. I have used 2 step on all my logins for sites that have it .. a site sending a number either email or preferably text is what I like .. Epik sends txt to my phone .. but in a hack situation .. 2 step auth doesn’t matter as far as info the hacker gets

Criminals keep up with their technology well and it seems no matter what kind of obstacles they face .. they always figure out and exploit the technology..