alert Epik Had A Major Breach

bmugford said:

Yeah, I agree with that. It was really the New Zealand shooting thing that put Epik on the extreme radar, at least as far as my recollection.

Their actions after that became even more problematic.

If you are just some random domain investor you might not be aware of any of this when it comes to Epik. Not everyone reads domain blogs or participates on domain forums.

Many of the highest domain counts there are just domain investors who likely are there for pricing and might not know about any of the other stuff.

Brad

Click to expand...

that has nothing to do with MY shit being stolen .. nor the other innocent people .. you can use not secure or whatever you want .. the Hacker illegally hacked Epik .. he stole all our shit .. now we have other people stealing all our shit ..

Leftists calling everyone who disagrees with them politically "nazis" or "racists" is very tiresome. Grow up.

I moved all my domains to Epik because they actually honor and support free speech.

I've been very happy with Epik, however, i am very disappointed if its true that they kept and stored all of our Credit card info including CVV unencrypted in plain text.

The Grinch said:

Leftists calling everyone who disagrees with them politically "nazis" or "racists" is very tiresome. Grow up.

I moved all my domains to Epik because they actually honor and support free speech.

I've been very happy with Epik, however, i am very disappointed if its true that they kept and stored all of our Credit card info including CVV unencrypted in plain text.

Click to expand...

Prepare to be very disappointed.

Brad

Not everyone has the technical ability or resources to determine if their data is present in the leak, and I suspect many people who were exposed in this hack appreciate the work being done by those like whoever made that spreadsheet, and Troy Hunt and the other folks we can thank for Have I Been Pwned.

If you want to assign blame, it is reasonable to blame the incredible irresponsibility and/or ineptitude at Epik that resulted in such an enormous amount of data being stored in such a poor way. It might also be reasonable to blame those responsible for exfiltrating the data, though with security and data retention practices like Epik's my only surprise is that it didn't happen sooner. But blaming researchers for reformatting or sharing their findings from widely-available data is frankly ridiculous.

As another poster aptly put it more than a few pages back:

carob said:

If someone analyses earthquake data and it helps me avoid catastrophe, I wouldn't accuse them of trying to destroy cities or targeting my home.

Click to expand...

There is certainly reasonable criticism of reporting on this particular episode, and of reporting on Epik in general—for example, I've seen frequent errors (usually in breaking news) in whether Epik is the registrar for a website or a webhost over the years. And if there are journalists who have written that, numerically, most Epik customers are far-right, then that should be criticized (and corrections submitted). But it seems bizarre to me to fault journalists who have described Epik as a popular choice among far-right groups and individuals, or as a company known to service the same when they have been deplatformed by others. It seems to me that Epik has chosen to make a name for itself and increase its profile through vociferous support of projects like Gab, and Monster's (and other Epik employees') various statements and appearances supporting right-wing individuals. As recently as two months ago they were posting on Gab about rubbing elbows with James O'Keefe, it seems. You're quite right that there are probably customers whose information is in the leak due to domains bought before 2018, and who may not have realized their previously fairly low-profile registrar might suddenly take a public turn to the right, but it seems to me that it is Epik who is responsible for earning this reputation.

Anyway, now that I've responded to the ping and said my piece to the reply I will leave you be—I am cautious of appearing to intrude on your forum uninvited, as I am not a domainer myself. You know where to find me on Twitter if there's anything I can help with, or I will respond to pings here (albeit slowly and often only several pages later, apologies). Thank you again for your active discussion here—though I certainly disagree with many of the opinions expressed, I appreciate those of you willing to provide valuable expertise and insights in a public forum where those of us without the expertise can learn from you. Best of luck and best wishes to all.

Molly White said:

Anyway, now that I've responded to the ping and said my piece to the reply I will leave you be—I am cautious of appearing to intrude on your forum uninvited, as I am not a domainer myself.

Click to expand...

Your contributions are very useful, thanks Molly.

Molly White said:

Not everyone has the technical ability or resources to determine if their data is present in the leak, and I suspect many people who were exposed in this hack appreciate the work being done by those like whoever made that spreadsheet, and Troy Hunt and the other folks we can thank for Have I Been Pwned.

If you want to assign blame, it is reasonable to blame the incredible irresponsibility and/or ineptitude at Epik that resulted in such an enormous amount of data being stored in such a poor way. It might also be reasonable to blame those responsible for exfiltrating the data, though with security and data retention practices like Epik's my only surprise is that it didn't happen sooner. But blaming researchers for reformatting or sharing their findings from widely-available data is frankly ridiculous.

As another poster aptly put it more than a few pages back:



There is certainly reasonable criticism of reporting on this particular episode, and of reporting on Epik in general—for example, I've seen frequent errors (usually in breaking news) in whether Epik is the registrar for a website or a webhost over the years. And if there are journalists who have written that, numerically, most Epik customers are far-right, then that should be criticized (and corrections submitted). But it seems bizarre to me to fault journalists who have described Epik as a popular choice among far-right groups and individuals, or as a company known to service the same when they have been deplatformed by others. It seems to me that Epik has chosen to make a name for itself and increase its profile through vociferous support of projects like Gab, and Monster's (and other Epik employees') various statements and appearances supporting right-wing individuals. As recently as two months ago they were rubbing elbows with James O'Keefe, it seems. You're quite right that there are probably customers whose information is in the leak due to domains bought before 2018, and who may not have realized their previously fairly low-profile registrar might suddenly take a public turn to the right, but it seems to me that it is Epik who is responsible for earning this reputation.

Anyway, now that I've responded to the ping and said my piece to the reply I will leave you be—I am cautious of appearing to intrude on your forum uninvited, as I am not a domainer myself. You know where to find me on Twitter if there's anything I can help with, or I will respond to pings here (albeit slowly and often only several pages later, apologies). Best of luck and best wishes to all.

Click to expand...

Why would I blame Rob Monster or Epik ??? I wouldn’t .. my Data is stolen .. Yes .. I know for sure it is .. I don’t think anything .. I know for a fact my data is stolen .. the Hacker took it upon themself to STEAL and violate thousands of innocent people .. it doesn’t make a damn if Rob left the door wide open .. the hacker is who came in illegally and stole the data .. Now .. we got more fish to fry .. why? Because the hacker put the data up on servers to be downloaded by whom ever wanted to download it .. so not only did the hacker steal the data .. it gave it to the world to have .. so now because of that .. other people are involved in being in possession of stolen data .. pertinent financial Data ..

Edited by moderator: removed antagonizing content

Best way to not have to worry about keeping data secured is just not storing it to begin with.

Edited by moderator: removed antagonizing content

.X. said:

Why would I blame Rob Monster or Epik ??? I wouldn’t .. my Data is stolen .. Yes .. I know for sure it is .. I don’t think anything .. I know for a fact my data is stolen .. the Hacker took it upon themself to STEAL and violate thousands of innocent people .. it doesn’t make a damn if Rob left the door wide open .. the hacker is who came in illegally and stole the data .. Now .. we got more fish to fry .. why? Because the hacker put the data up on servers to be downloaded by whom ever wanted to download it .. so not only did the hacker steal the data .. it gave it to the world to have .. so now because of that .. other people are involved in being in possession of stolen data .. pertinent financial Data .. so yeah ..

Click to expand...

Seriously man? Companies face attempted hacks daily.

There is a bare minimum of security measures required. It is like having a safe deposit box at a bank and them leaving the safe wide open and all the drawers open.

At some point they deserve a large percent of the blame for failing to store and secure the data properly.

Brad

Future Sensors said:

Your contributions are very useful, thanks Molly.

Click to expand...

Just to remind you all that information from this thread contesting press claims led to at least two corrections issued by the media about this story. One of them was originally clarified by Molly.

bmugford said:

Seriously man? Companies face attempted hacks daily.

There is a bare minimum of security measures required. It is like having a safe deposit at a bank and them leaving the safe wide open and all the drawers open.

At some point they deserve a large percent of the blame for failing to store and secure the data properly.

Brad

Click to expand...

If the hacker didn’t illegally shred the hell out the place .. we wouldn’t be here talking right now .. it does not matter if Rob left the doors wide open .. if I leave my door unlocked does that give you the right to trespass and open my door ?? NO .. will the police go easy on someone because they took it upon themself … on behalf of “Them” to make an illegal entry and steal everyone’s personal and financial information ?? NO .. it is a crime .. a crime has been committed big time .. stop defending the Hack ..

bmugford said:

Seriously man? Companies face attempted hacks daily.

There is a bare minimum of security measures required. It is like having a safe deposit box at a bank and them leaving the safe wide open and all the drawers open.

At some point they deserve a large percent of the blame for failing to store and secure the data properly.

Brad

Click to expand...

they deserve all the blame. There is no excuse for storing data in the way that they did, or at all.

Just got an email from them offering free fraud protection for two years:

"To help protect your identity, we are offering a complimentary 24 month membership of Experian’s® IdentityWorks"

I'll just replace the card I used with them. Not sure what I am going to do when it's time to pay them money again.

I liked them due to their support or free speech, but giving out my personal info is a little TOO FREE.

.X. said:

Why would I blame Rob Monster or Epik ??? I wouldn’t .. my Data is stolen .. Yes .. I know for sure it is .. I don’t think anything .. I know for a fact my data is stolen .. the Hacker took it upon themself to STEAL and violate thousands of innocent people .. it doesn’t make a damn if Rob left the door wide open .. the hacker is who came in illegally and stole the data .. Now .. we got more fish to fry .. why? Because the hacker put the data up on servers to be downloaded by whom ever wanted to download it .. so not only did the hacker steal the data .. it gave it to the world to have .. so now because of that .. other people are involved in being in possession of stolen data .. pertinent financial Data .. so yeah ..

Click to expand...

You're not helping here... Epik is at fault for the terrible security and strangely leaving a backup on a server. That's just a fact.

But the researchers are at fault for giving people the wrong impression, and acting like all of Epik's customers are extremists.

But your posts aren't helping.

.X. said:

do you care to tell me if you are in possession of my stolen information and financials?? ..just asking ..

Click to expand...

I am not.

Start said:

You're not helping here... Epik is at fault for the terrible security and strangely leaving a backup on a server. That's just a fact.

But the researchers are at fault for giving people the wrong impression.

But your posts aren't helping.

Click to expand...

I am not helping in your opinion .. because I am not agreeing with you .. and I won’t agree with you because it wasn’t Rob Monster who has given my personal and financial data to the whole WORLD now .. it was a Hacker who stole my personal stuff .. not Rob Monster or Epik .. what about all the innocent people ??? Maybe collateral damage to you guys ??? Just asking .. because I can tell you .. being violated and victimized by a criminal .. maybe Criminals now that so many have the data in their hands is NOT Rob Monster or Epik fault ..

There are 1 or 2 things that caused it:

1. Misuse of E services or R.B. willingness to absorb contrasting views/opinions by "certain groups and individuals" vocally supporting a new AB law - including rights to sue providers or others who help person get AB.
2. /T/e/x/a/s/ G//O//P// website hosted by E

imo

I haven't used epik for a while but I have a .vc domain up for renewal soon. However I am not able to pay for it. I get "Credit card error. This transaction has been declined by the payment processor, not by Epik.". Is that related to the breach, are they now banned not only by paypal, but also other cc processors? The card is good and the balance is sufficient, I am using it daily.

@pb
Probably, this processor uses some blacklist of cards, including recent Epik's leak.
One more reason: why all these cards must be replaced.

@Molly White

Molly White said:

Not everyone has the technical ability or resources to determine if their data is present in the leak.

Click to expand...

There's a difference between telling people what data is in the leak, versus actually putting it into a spreadsheet and publicizing it. If you want to help people, don't pour more gasoline on the fire.

It reminds me of when paparazzi found out that a celebrity was holidaying at a secluded retreat area. So they used telescopic camera lenses to take photos from a mile away, and then published the photos. Yeah, okay, it was technically "in public", but the courts rightly decided that it was still an invasion of privacy.

Likewise, it's one thing for data to be difficult to access, even if it's out there. But it's another to format it and publicize it.

As I said, vigilante computer programmers aren't suited to make these decisions. They should work with social scientists like Ronald Deibert to decide on those issues.
https://en.wikipedia.org/wiki/Ronald_Deibert

Molly White said:

I suspect many people who were exposed in this hack appreciate the work being done by those like whoever made that spreadsheet.

Click to expand...

How does that spreadsheet help!? It doesn't. We already know that Epik got hacked. Epik emailed everyone (and I'm sure many people Googled for more info) and forced password changes.

And the "haveibeenpwned" guy apparently emailed everyone too. And this has been reported in mainstream media. Escrow.com even looked at the data and emailed any customers too.

And no, I don't think people appreciate that your fellow "researchers" are wrongly telling people that most Epik customers are far-right, and then publicizing a list of all Epik customers.

Molly White said:

But blaming researchers for reformatting or sharing their findings from widely-available data is frankly ridiculous.

Click to expand...

No, the "researchers" do deserve a lot of blame, for spreading the wrong impression! They are talking about this like most Epik customers are basically neo-nazis.

That simply is not true. I already told you that in detail.

And it's not fully about journalists, the "researchers" are the ones who are giving the wrong impression, and most journalists have multiple deadlines per day and don't know much about these issues, so they end up parroting what the main tweeters are saying, and what Wikipedia says.

Molly White said:

And if there are journalists who have written that, numerically, most Epik customers are far-right, then that should be criticized (and corrections submitted). But it seems bizarre to me to fault journalists who have described Epik as a popular choice among far-right groups and individuals, or as a company known to service the same when they have been deplatformed by others.

Click to expand...

What they need to do is clarify that most Epik customers are just regular people, and the far-right ones are a tiny minority.

Writing that "Epik as a popular choice among far-right groups" is technically true, but like with the article I cited, it gives people the impression that most Epik customers are of that nature.

If criminals start using Louisville Slugger baseball bats as their top choice for crimes when using a bat, that's still a tiny fraction compared to people who use them for baseball.

In this case, the CEO foolishly tried to attract them, but it doesn't change the fact that most customers are just regular people, and signed-up when Epik was just another registrar.

Molly White said:

As recently as two months ago they were rubbing elbows with James O'Keefe, it seems. You're quite right that there are probably customers whose information is in the leak due to domains bought before 2018, and who may not have realized their previously fairly low-profile registrar might suddenly take a public turn to the right, but it seems to me that it is Epik who is responsible for earning this reputation.

Click to expand...

I had to Google who James O'Keefe even is, and I read the news more than most people. That exemplifies my point even more, because most Epik customers wouldn't know what Epik and some staff were doing. They simply renew their domains.


And regarding this:

"You're quite right that there are probably customers whose information is in the leak due to domains bought before 2018"

...that's showing part of the issue right there. Statements like "probably", or "yeah, some Epik customer aren't far-right" (by a main epikfail tweeter) are what's causing the problem.

Why are you weakening the statement by saying "probably". It's an inevitable fact, and I know it's true, because I checked a few past domain sales, and some of those customers are still at Epik. And they're just regular people who signed-up with Epik because I said it would be easy to do the domain sale there.

Also, checking dates, I see that Epik didn't become controversial until November 2018, so even customers in mid-2018 many signed-up thinking Epik was just another registrar (and most very likely don't even know who Rob is, or what Epik got involved with).

Nov 2018 wasn't that long ago, especially considering how long Epik has been around. A lot of people even renew domains for a few years at a time, and possibly haven't even logged in to Epik in the past 3+ years.

iirc, you control the Wikipedia page for Epik. It would help (especially since journalists probably look at Wikipedia for basic info) if you mention that Epik didn't become controversial until Nov 2018, and many customers signed-up before then. That's simply a fact, and deserves to be mentioned.


Here are the bottom lines:

1) "Researchers", journalists, and others need to realize that the vast majority of Epik's customers are just regular people.

2) There's no need to doxx thousands of innocent people by publicizing the customer list. Just because you have the technical ability to do something doesn't mean you should.

3) "Researchers" should partner with actual social scientists like Ronald Deibert (or others like him, who have actual training in this area) to properly assess what information should be publicized.

4) I just took at look at your Twitter page, and I see new tweets where you're citing a couple of crackpot posts, as if they're reflective of NamePros. That's intellectually dishonest of you. I argued my points in a civil and logical way, and instead you're focusing on low quality posts, and also knowingly giving the wrong impression to people on Twitter regarding the rationale for why they need to be more careful about information disclosure. Please do better.

Molly White said:

If you would like me to explain fair use to you, I can, but I suspect you know. Anyway, I will make good on my previous promise to take my leave, not least because I need to finish cooking dinner. You know where to find me (for discussion or copyright lawsuit purposes, apparently...)

Click to expand...

Before you leave. Some people here are very vocal, but their opinions are not necessarily the opinions of all users on this forum, quite the contrary. Most users just want to deal with domain names. I hope you can see through that a little bit. Enjoy your meal, and I personally think you should stay.

Guys, start another thread:
Epik Had A Major Breach - Part 2 (Holy War)

Thanks.

@Paul

Jurgen Wolf said:

@pb
Probably, this processor uses some blacklist of cards, including recent Epik's leak.
One more reason: why all these cards must be replaced.

Click to expand...

Yes, or we might have some processors who are not happy with Epik's violation of PCI compliance. For now all we can do is speculate.

Brad

Future Sensors said:

@DAN.COM
@Sedo
@Joe Styler

Your Escrow accounts at Epik may be compromised.

Click to expand...

We are good thanks.

Joe Styler said:

We are good thanks.

Click to expand...

How do you know? Did your escrow account at Epik have another, special status?

Details of your account were leaked.

I am sure he salted all the md5 hashes… Definitely did not keep your cvv numbers. Your PCI DSS info could not have possibly been compromised because that would be a huge compliance issue.

Evil.dll said:

I am sure he salted all the md5 hashes… Definitely did not keep your cvv numbers. Your PCI DSS info could not have possibly been compromised because that would be a huge compliance issue.

Click to expand...

It has been reported all over the place from Twitter, to domain blogs, to mainstream websites that CVV codes were included.

Brad