alert Epik Had A Major Breach

[Silentptnr]

Just read this. Looks like Epik may have been hacked and sensitive data compromised...

Read here:
https://domainnamewire.com/2021/09/14/hackers-claim-significant-epik-breach/

Thought I would share this.

 

[bmugford]

I don't know about you guys but personally I find it highly insulting to their customers that their response to the breach(es) was deleted, they're attempting to memory hole it, they haven't made any statements on the second and third MSM-reported releases, which included their core infrastructure and Gitlab server containing all of their source code repositories, the knock-on effect it's had directly on their customers, also in a high-profile fashion, the list goes on.

Yep, I would still love to hear an explanation for this. Why was the tweet deleted?

First tweet deleted...nothing on the 2nd and 3rd leaks.

Who needs to keep customers (and the millions of others who had data leaked in this breach) updated?

It seems like at this point their response is basically just going to be ignore and radio silence. Their problem is this is not going away. They are not going to be able to memory hole it.

At some point they are going to be forced to take responsibility for their security issues, like it or not.

The situation keeps going from worse to worse.

Brad

 

[Future Sensors]

They've also deleted their prior tweet that informed their customers of the hack (archived).

Also. Although the tweet has been deleted by Epik, the original image is still present on Twitter, on the following location: https://pbs.twimg.com/media/E_htb3PWEAUyuEd.jpg

 

[Derek Peterson]

If you are sincerely concerned about Epik users then maybe you could create a document that explains all the hack in easy to understand terms so Epik customers and lawyers can understand the full extend of what has happened and is still happening.

I know the attorneys handling the class action case have a very poor understanding of the hack thus far because I spent an hour on the phone with them yesterday explaining as best I could, which isn't very good.

 

[Derek Peterson]

I don't know about you guys but personally I find it highly insulting to their customers that their response to the breach(es) was deleted, they're attempting to memory hole it, they haven't made any statements on the second and third MSM-reported releases, which included their core infrastructure and Gitlab server containing all of their source code repositories, the knock-on effect it's had directly on their customers, also in a high-profile fashion, the list goes on.

The Legion isn't something to be trifled with and Rob is pressing his luck here. This is not a threat, this is simply helpful advice from a representative.

Perhaps, it would be good if you all could create an easy to understand document that explains in detail the extent of the hack so it could be shared far and wide and then perhaps Monster would be forced to deal with it. I don't think most people really understand the hack fully, myself included, and Monster is going to use that to brush off the whole thing and carry on as normal and continue hurting people, like Gab did.

I spent an hour of the phone yesterday with the attorneys handling the class action case. Right now they are just focused on credit card data from California residents, they want to expand but they don't have enough of an understanding of the hack.

 

[tonyk2000]

In "Update and Options for Affected Epik Users" email dated 09/20, Epik stated:

At this time, we have secured access to our domain-side services and have applied additional security measures to help protect services and users going forward.

2+ weeks and no more news. So, did Epik "secure access" to other services (not domain-side ones)? As per "epik labs", they offer a lot of different services. Yes or no? What should customers think without extra updates? Not all customers are forum members or twitter readers...

 

[Jurgen Wolf]

All smart customers are already away from Epik and forgot it.

 

[bmugford]

In "Update and Options for Affected Epik Users" email dated 09/20, Epik stated:

At this time, we have secured access to our domain-side services and have applied additional security measures to help protect services and users going forward.

2+ weeks and no more news. So, did Epik "secure access" to other services (not domain-side ones)? As per "epik labs", they offer a lot of different services. Yes or no? What should customers think without extra updates? Not all customers are forum members or twitter readers...

Rest assured, while we don't have any real information on the data breach itself, we do have several contacts between Rob and Paul about his unhappiness with people discussing the data breach and other information here.

It really hurts the narrative of just ignoring it and hoping it goes away.

I also think you are forgetting the data was cursed, so that should take care of itself!!!

Brad

 

[tonyk2000]

All smart customers are already away from Epik and forgot it.

As a matter of fact, some customers do perform transfer-ins, probably enjoying .com $6.99 transfer promo. I saw domains arrived _to_ epik registrar after the breach... and also recently. Epik still has ICANN accreditation, and even the "staff members" list here @ NP is quite an extensive (nobody was fired it seems). Should they be able to remain ICANN-accredited, and with operational merchant account to accept credit cards - then they will not disappear... and the radio silence probably means exactly this - let the issue be forgotten, business as usual.

 

[Jurgen Wolf]

People still recall even NetSol adventures in 90s...
Such events are unforgotten.

 

[bmugford]

Epik still has ICANN accreditation, and even the "staff members" list here @ NP is quite an extensive (nobody was fired it seems). Should they be able to remain ICANN-accredited, and with operational merchant account to accept credit cards - then they will not disappear... and the radio silence probably means exactly this - let the issue be forgotten, business as usual.

We will see about that. These are both open questions.

As an ICANN accredited registrar, Epik has certain contractual obligations under the RAA which they need to follow regarding this data breach. I sure hope they are doing that.

Also, we will see if after their reported PCI compliance violations with credit card storage, how many CC companies are still willing to work with them.

I don't think even the biggest Epik fan could deny they have done a piss-poor job of keeping customers, and other parties effected by this breach, updated in any meaningful way.

Brad

 

[Evil.dll]

Perhaps, it would be good if you all could create an easy to understand document that explains in detail the extent of the hack so it could be shared far and wide and then perhaps Monster would be forced to deal with it. I don't think most people really understand the hack fully, myself included, and Monster is going to use that to brush off the whole thing and carry on as normal and continue hurting people, like Gab did.

I spent an hour of the phone yesterday with the attorneys handling the class action case. Right now they are just focused on credit card data from California residents, they want to expand but they don't have enough of an understanding of the hack.

Attorneys make great money. You have started two companies, I am sure that you do OK for yourself, and please don’t take this the wrong way, but for some of us, this is our job. Most of the people offering you credible information on this hack are professionals, way more professional than me, I literally Rick Rolled you guys when I first came here because everyone is focused on their own narrative, and that’s cool, but my narrative is if you don’t understand something, educate yourself on it, If you don’t want to educate yourself on it then pay someone competent to explain it to you. If you want to understand the hack, what part of the hack do you not understand? Imagine the worse case scenario and then kick that in the nuts with a steel toed boot, and while it is writhing in the pain of it’s own arrogance steal it’s wallet and pepper spray it’s crack. It is a virtual disk image of the company, that is all you really need to know. Bottom line is consumers have a right to understand how companies use and store their data, Data Owners have a responsibility to use and store that data responsibly. This is my opinion. Take it with a grain of salt or choose not to salt.. up to you

 

[bmugford]

Attorneys make great money. You have started two companies, I am sure that you do OK for yourself, and please don’t take this the wrong way, but for some of us, this is our job. Most of the people offering you credible information on this hack are professionals, way more professional than me, I literally Rick Rolled you guys when I first came here because everyone is focused on their own narrative, and that’s cool, but my narrative is if you don’t understand something, educate yourself on it, If you don’t want to educate yourself on it then pay someone competent to explain it to you. If you want to understand the hack, what part of the hack do you not understand? Imagine the worse case scenario and then kick that in the nuts with a steel toed boot, and while it is writhing in the pain of it’s own arrogance steal it’s wallet and pepper spray it’s crack. It is a virtual disk image of the company, that is all you really need to know. Bottom line is consumers have a right to understand how companies use and store their data, Data Owners have a responsibility to use and store that data responsibly. This is my opinion. Take it with a grain of salt or choose not to salt.. up to you

I agree. Point the lawyers to this thread.

It includes a ton of useful (and some not so useful) information. If the lawyers wants to earn their money they are free to read through the thread, parse, and organize the information.

Brad

 

[johnn]

Why people keep mixing up between Rob as a person and Epik as a Company.
Rob did work with me on an Escrow for a high end transaction 2 years ago and it was a smooth transaction but we are talking about Epik as a Company which messed people life up because either they don't know how to secure customer data or they just want to save a nickel here and there.
Pricing is not everything and when it comes to business I don't care about his personality. All I know is Epik messed up with the customer data, did not comply with Visa/Mastercard company and the last thing is:

HE IS NO WHERE TO BE FOUND after the Incident compare to he went to every single threads before and Spamming by inserting Epik links in every thread.
This thread is not about Rating Rob Monster but the hacking incident from Epik so please stop defending Rob Monster!!!

 

[tonyk2000]

HE IS NO WHERE TO BE FOUND

Rob Monster was last seen: Engaged in conversation, Today at

So, Rob is well and alive, and responds to DMs.

 

[bmugford]

From the ICANN Registrar Accreditation Agreement.

https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en

3.20 Notice of Bankruptcy, Convictions and Security Breaches. Registrar will give ICANN notice within seven (7) days of (i) the commencement of any of the proceedings referenced in Section 5.5.8. (ii) the occurrence of any of the matters specified in Section 5.5.2 or Section 5.5.3 or (iii) any unauthorized access to or disclosure of registrant account information or registration data. The notice required pursuant to Subsection (iii) shall include a detailed description of the type of unauthorized access, how it occurred, the number of registrants affected, and any action taken by Registrar in response.

 

[jmcc]

From the ICANN Registrar Accreditation Agreement.

https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en

3.20 Notice of Bankruptcy, Convictions and Security Breaches. Registrar will give ICANN notice within seven (7) days of (i) the commencement of any of the proceedings referenced in Section 5.5.8. (ii) the occurrence of any of the matters specified in Section 5.5.2 or Section 5.5.3 or (iii) any unauthorized access to or disclosure of registrant account information or registration data. The notice required pursuant to Subsection (iii) shall include a detailed description of the type of unauthorized access, how it occurred, the number of registrants affected, and any action taken by Registrar in response.

Epik has to submit a report on the breach and I'm not sure that it would be published on the usual ICANN compliance page ( https://www.icann.org/compliance/notices ). It may have already submitted a report. As long as ICANN is happy with the measures taken to remedy the problem, there may be no further action and Epik may retain its accreditation.

Regards...jmcc

 

[tonyk2000]

Also, we will see if after their reported PCI compliance violations with credit card storage, how many CC companies are still willing to work with them.

Probably one the largest things Epik should pay attention to. If you have an ICANN accreditation, but no merchant account - how you'll operate? And, it is a complex process. Afaik, not only each system (Visa, MC, Amex etc.) should explicitly approve the merchant (including the website, it is all reviewed), but also there should be at least 1 bank willing to accept the merchant and its transactions for credit card processing.
Enthusiasts from twitter were planning to submit complaints to all related and unrelated institutions, so....

 

[Derek Peterson]

I agree. Point the lawyers to this thread.

It includes a ton of useful (and some not so useful) information. If the lawyers wants to earn their money they are free to read through the thread, parse, and organize the information.

Brad

Of course I gave lawyers link to this thread.

 

[Derek Peterson]

Probably one the largest things Epik should pay attention to. If you have an ICANN accreditation, but no merchant account - how you'll operate? And, it is a complex process. Afaik, not only each system (Visa, MC, Amex etc.) should explicitly approve the merchant (including the website, it is all reviewed), but also there should be at least 1 bank willing to accept the merchant and its transactions for credit card processing.
Enthusiasts from twitter were planning to submit complaints to all related and unrelated institutions, so....

As far as I have heard there have been no fake charges since the hack so no processors is going to cancel them. It is just "rumor" that credit cards were leaked.

 

[bmugford]

Epik has to submit a report on the breach and I'm not sure that it would be published on the usual ICANN compliance page ( https://www.icann.org/compliance/notices ). It may have already submitted a report. As long as ICANN is happy with the measures taken to remedy the problem, there may be no further action and Epik may retain its accreditation.

Regards...jmcc

Well, there is really no ambiguity in that clause. It clearly says "shall" provide it within 7 days, not might, could, etc. Shall is compulsory language.

So if ICANN does not have the report yet, they are clearly in violation of that contractual clause.

I would expect for ICANN to take a potential breach of their contract seriously, especially when it comes to this level of data breach. Hopefully for Epik's sake, they have submitted that report as contractually required.

Brad

 

[Derek Peterson]

Attorneys make great money. You have started two companies, I am sure that you do OK for yourself, and please don’t take this the wrong way, but for some of us, this is our job. Most of the people offering you credible information on this hack are professionals, way more professional than me, I literally Rick Rolled you guys when I first came here because everyone is focused on their own narrative, and that’s cool, but my narrative is if you don’t understand something, educate yourself on it, If you don’t want to educate yourself on it then pay someone competent to explain it to you. If you want to understand the hack, what part of the hack do you not understand? Imagine the worse case scenario and then kick that in the nuts with a steel toed boot, and while it is writhing in the pain of it’s own arrogance steal it’s wallet and pepper spray it’s crack. It is a virtual disk image of the company, that is all you really need to know. Bottom line is consumers have a right to understand how companies use and store their data, Data Owners have a responsibility to use and store that data responsibly. This is my opinion. Take it with a grain of salt or choose not to salt.. up to you

Attorneys want to make great money so if they have no understanding of a case or what is true or not true they will not waste their time. Some rando anon on a fourm saying they got EVERYTHING is not going to get them to motivated to make great money. A nice document with examples and PROOF will.

 

[bmugford]

Attorneys want to make great money so if they have no understanding of a case or what is true or not true they will not waste their time. Some rando anon on a fourm saying they got EVERYTHING is not going to get them to motivated to make great money. A nice document with examples and PROOF will.

Yep, and there is more than enough information in this thread to curate quite a nice timeline of events from when Epik acquired the "shitty code", to when they were warned about security issues, until where we sit today.

They are going to have to do the legwork though.

Brad

 

[Derek Peterson]

Yep, and there is more than enough information in this thread to curate quite a nice timeline of events from when Rob and Epik were warned about security issues until where we sit today.

They are going to have to do the legwork though.

Brad

Timeline is different than the technical aspects of the breach. They are lawyers not developers.

 

[bmugford]

Timeline is different than the technical aspects of the breach. They are lawyers not developers.

There are plenty of security/IT experts quoted in this thread. Lawyers could easily reach out to those parties for clarity or more information.

Brad

 

[Future Sensors]

Timeline is different than the technical aspects of the breach. They are lawyers not developers.

The firm has expertise in this field, as stated on their website. Trust me, they have people who can interpret the technical side of this.