alert Epik Had A Major Breach

[DaveX]

Just read this. Looks like Epik may have been hacked and sensitive data compromised...

Read here:
https://domainnamewire.com/2021/09/14/hackers-claim-significant-epik-breach/

Thought I would share this.

 

[Derek Peterson]

Attorneys make great money. You have started two companies, I am sure that you do OK for yourself, and please don’t take this the wrong way, but for some of us, this is our job. Most of the people offering you credible information on this hack are professionals, way more professional than me, I literally Rick Rolled you guys when I first came here because everyone is focused on their own narrative, and that’s cool, but my narrative is if you don’t understand something, educate yourself on it, If you don’t want to educate yourself on it then pay someone competent to explain it to you. If you want to understand the hack, what part of the hack do you not understand? Imagine the worse case scenario and then kick that in the nuts with a steel toed boot, and while it is writhing in the pain of it’s own arrogance steal it’s wallet and pepper spray it’s crack. It is a virtual disk image of the company, that is all you really need to know. Bottom line is consumers have a right to understand how companies use and store their data, Data Owners have a responsibility to use and store that data responsibly. This is my opinion. Take it with a grain of salt or choose not to salt.. up to you

Attorneys want to make great money so if they have no understanding of a case or what is true or not true they will not waste their time. Some rando anon on a fourm saying they got EVERYTHING is not going to get them to motivated to make great money. A nice document with examples and PROOF will.

 

[bmugford]

Attorneys want to make great money so if they have no understanding of a case or what is true or not true they will not waste their time. Some rando anon on a fourm saying they got EVERYTHING is not going to get them to motivated to make great money. A nice document with examples and PROOF will.

Yep, and there is more than enough information in this thread to curate quite a nice timeline of events from when Epik acquired the "shitty code", to when they were warned about security issues, until where we sit today.

They are going to have to do the legwork though.

Brad

 

[Derek Peterson]

Yep, and there is more than enough information in this thread to curate quite a nice timeline of events from when Rob and Epik were warned about security issues until where we sit today.

They are going to have to do the legwork though.

Brad

Timeline is different than the technical aspects of the breach. They are lawyers not developers.

 

[bmugford]

Timeline is different than the technical aspects of the breach. They are lawyers not developers.

There are plenty of security/IT experts quoted in this thread. Lawyers could easily reach out to those parties for clarity or more information.

Brad

 

[Future Sensors]

Timeline is different than the technical aspects of the breach. They are lawyers not developers.

The firm has expertise in this field, as stated on their website. Trust me, they have people who can interpret the technical side of this.

 

[jmcc]

Well, there is really no ambiguity in that clause. It clearly says "shall" provide it within 7 days, not might, could, etc. Shall is compulsory language.

So if ICANN does not have the report yet, they are clearly in violation of that contractual clause.

I would expect for ICANN to take a potential breach of their contract seriously, especially when it comes to this level of data breach. Hopefully for Epik's sake, they have submitted that report as contractually required.

Brad

It should. But there is no requirement that I can remember that says that it has to publish the correspondence (report). Normally it publishes contract breach notifications and termination notices. If Epik is in breach of its contract with ICANN there may be some published correspondence about it. There are steps before a registrar's accreditation is terminated and these things can move relatively slowly.

Regards...jmcc

 

[Derek Peterson]

There are plenty of security/IT experts quoted in this thread. Lawyers could easily reach out to those parties for clarity or more information.

Brad

Never mind.

 

[bmugford]

Never mind.

My issue really is a legal firm needs to put in the work if they want to make money off it.

All the information is out there. This thread has consolidated a lot of valuable information from Twitter as well.

It is hard to have a better starting point.

If this law firm is not willing to put in the work, they might not be the right one to handle it.

Brad

 

[Derek Peterson]

The firm has expertise in this field, as stated on their website. Trust me, they have people who can interpret the technical side of this.

No. Currently the "hackers" have published nothing official. Just a bunch of randos posting "owning" gloats and making claims.

 

[dirk]

No. Currently the "hackers" have published nothing official. Just a bunch of randos posting "owning" gloats and making claims.

The leaked data is widely available so not hard to confirm any made claims as you know exactly what and where to look for in the dataset.

 

[Kirtaner]

No. Currently the "hackers" have published nothing official. Just a bunch of randos posting "owning" gloats and making claims.

Typically with breaches like this it is up to the media and InfoSec analysts to pour over the details and publish them; hackers' narrative can be coloured. The job was left to those who can give this unbiased and disconnected perspective, obviously, which is the correct decision here.

 

[Future Sensors]

All the information is out there. This thread has consolidated a lot of valuable information from Twitter as well.

My guess is that this data breach case is going to be part of university classes. It will be researched thoroughly at all levels. From engineering to legal, from marketing to management studies. Publications will follow along the road, such as https://journals.sagepub.com/doi/full/10.1177/14614448211045662

 

[bmugford]

It should. But there is no requirement that I can remember that says that it has to publish the correspondence (report). Normally it publishes contract breach notifications and termination notices. If Epik is in breach of its contract with ICANN there may be somple published correspondence about it. There are steps before a registrar's accreditation is terminated and these things can move relatively slowly.

Regards...jmcc

One interesting thing about that is ICANN is still based in US, headquartered in California and subject to California courts.

California Attorney General Xavier Becerra stepped in over the .ORG deal with ICANN, which lead to a delay then played a major role in the rejection of the deal.

It would be interesting if during an investigation or lawsuit, ICANN's records about this were subpoenaed.

Brad

 

[Derek Peterson]

Typically with breaches like this it is up to the media and InfoSec analysts to pour over the details and publish them; hackers' narrative can be coloured. The job was left to those who can give this unbiased and disconnected perspective, obviously, which is the correct decision here.

Hopefully that will happen in the future, I guess it is still early, but until it does I doubt any lawyer, ICAAN or and credit card processor will take any action and Epik will surely try their best to ignore, deny and carry on.

 

[mr-x]

From the ICANN Registrar Accreditation Agreement.

https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en

3.20 Notice of Bankruptcy, Convictions and Security Breaches. Registrar will give ICANN notice within seven (7) days of (i) the commencement of any of the proceedings referenced in Section 5.5.8. (ii) the occurrence of any of the matters specified in Section 5.5.2 or Section 5.5.3 or (iii) any unauthorized access to or disclosure of registrant account information or registration data. The notice required pursuant to Subsection (iii) shall include a detailed description of the type of unauthorized access, how it occurred, the number of registrants affected, and any action taken by Registrar in response.

Do you have any idea if this agreement was fulfilled or ignored?

 

[bmugford]

Do you have any idea if this agreement was fulfilled or ignored?

I have no idea. Epik has provided no real update in weeks, and the first update they did provide has since been deleted from Twitter.

Brad

 

[Derek Peterson]

Epik will build back better.

Hard to be worse.

 

[tonyk2000]

The leaked data is widely available so not hard to confirm any made claims as you know exactly what and where to look for in the dataset.

It all depends on the lawyer(s) and their financial motivation imo. Will lawyers download all the torrents? What their next step would be? Are they aware what a torrent file is, or what to do with a disk image (2nd and 3rd leaks)? Not too likely. I'd guess that, from practical point of view, they will just check what Epik itself submitted to relevant authorities (breach notices), calculate potential $$$ income for the law firm, and act accordingly.

 

[mr-x]

I have no idea. Epik has provided no real update in weeks, and the first update they did provide has since been deleted from Twitter.

Brad

But there has been national coverage. We don't know if they are working with ICANN but that is most likely.

I can't help notice people keep bringing the same subject over and over. It's not like it's in epik's best interest to reveal what is happening. I would think law enforcement would tell them not to.

 

[jmcc]

One interesting thing about that is ICANN is still based in US, headquartered in California and subject to California courts.

California Attorney General Xavier Becerra stepped in over the .ORG deal with ICANN, which lead to a delay then played a major role in the rejection of the deal.

That intervention killed the sale.

It would be interesting if during an investigation or lawsuit, ICANN's records about this were subpoenaed.

It would be interesting if it was possible. It is a legal question though and there are multiple jurisdictions involved.

Regards...jmcc