alert Epik Had A Major Breach

The views expressed on this page by users and staff are their own, not those of NamePros.
Well, you should probably know by now, after reading this thread, that there are strict regulations for collecting, storing, processing, and handling PII data. Furthermore, it's still unanswered where all the sensitive data of US and EU citizens was stored. Epik uses servers and offshore developers in the US, UK and Russia/Crimea.

Although the following comprehensive overview has been drafted especially for the financial services industry, it is a good reference for Epik and other registrars, as well. Btw, Epik offered financial services too, don't you agree?

https://www.upguard.com/blog/cybersecurity-regulations-financial-industry

There are strict regulations about breaking into computer networks, stealing IP, sabotage and blackmail.

I don't know how many times you can say the same thing in a different way but you continue to impress me.
 
There are strict regulations about breaking into computer networks, stealing IP, sabotage and blackmail.

I don't know how many times you can say the same thing in a different way but you continue to impress me.
What you're doing here is too easy. One does not exclude the other. My posting (and this whole thread) is about the data breach and the way Epik had not arranged security for its customers properly. For the sake of completeness, you can check that I've also written about those who leaked and what I think about that. Investigations are currently taking place visibly on Twitter into the company structure of Epik and its clients, which I have also written about. Other investigations related to this document are also taking place by US gov. I think you're looking at it very one-sided and not yet seeing the bigger picture.
 
Rob's TrustRatings (https://trustratings.com) also just copied the code from the huge review company TrustPilot (https://trustpilot.com), which I mentioned on NP several years ago and got me into a huge fight with him.

By the way, Epik still gets great reviews on TrustRatings: https://trustratings.com/epik.com. Strangely, nearly all reviewers have done just that one review...

I cannot condone hacking, but there is something not right about Robert Monster. And as expected, it all came crashing down.

How did he get the code?
 
It was developed by Epik developers.

Okay, Rob said he hired some guys to "develop" it but that means nothing coming from Rob so curious to hear embrand's take. Even if that code was somehow made public Rob would still need a dev to mod it.
 
Your whois data wasn't private. If you can't find it for free, you can buy it.

It's a fair point that most WHOIS data used to be public by default, though not for some country codes, though even then many used WHOIS privacy services, either paid or free, to avoid publishing their particulars. And a lot of historic WHOIS data can be bought from Domaintools.com - when they started offering that in the late 2000s many complained, and for some in the know that was the time to start using WHOIS privacy.

It seems most registrars in publishing WHOIS data say it may not be scraped or repurposed, though I doubt they have any power to enforce it.

But under GDPR you have to have a reason to collect PII (Personally Identifiable Information), collect only the data you need, and keep it only as long as you have an identifiable need for it. Data has to have a defined shelf life.

Under GDPR, EU citizens and residents have a right to request the data that a data controller holds on them, and to request its amendment or deletion. So Epik and Domaintools could face emails and requests from 400+ million people about the data they hold, or might hold. GDPR does apply to Epik and USA companies, as documented earlier in this thread.

Perhaps someone here can comment on the new California data protection laws, which I think are similar to GDPR in many ways.
 
My experience with Epik in the last months has been nothing but terrible.

1. All my phone numbers, emails, domains, addresses, transactions, and old passport data were included in the torrent file and the data breach. Since that time I receive phishing emails and phishing SMS all the time.

2. I updated all my passwords and 2FA codes after this breach. But at the same time, they obviously changed their login page from epik.com to federatedidentity.com. And somehow I have only the 2FA codes for logging in via epik.com now but not the federatedidentity.com 2FA. Obviously I made the mistake of thinking that these codes are the same or that you can still log in via epik.com with the old 2FA which I generated there. And at the same time, it seems that Epik completely removed the old login page. Before, you were able to decide.

3. I contacted support and explained my problem. They mention an account PIN that was not even created by me. Of course I don't know such a PIN, which is stored somewhere in my profile, obviously without notice. So I try to find a way back into my account. I mention that I can still use my phone number for their SMS login or the old epik.com login 2FA.

4. They demand that I upload my new passport. I tell them that I won't upload any such documents anymore after the fact that they are responsible for the situation that all my sensitive data is published online. Instead, I offer them to share the document with them in a Dropbox link for one-time view and tell them that I don't give them permission to store any of my identity documents permanently.

5. And what do they do? They tell me that they don't give me access to my account. This company has become completely ridiculous. No SORRY nothing about the shit they have done. I won't upload anything and I don't give you permission to store any identity documents and if you do so, then I will take legal actions. Basta!

Thank you for this mess Epik. First allowing hackers to easily decrypt all data by employing wannabe security specialists who don't know what encryption algorithms aren't secure anymore in 2021. And then for the fantastic communication and having two different logins, and then removing one login etc. That's completely crazy.
 
My experience with Epik in the last months has been nothing but terrible.

1. All my phone numbers, emails, domains, addresses, transactions, and old passport data were included in the torrent file and the data breach. Since that time I receive phishing emails and phishing SMS all the time.

2. I updated all my passwords and 2FA codes after this breach. But at the same time, they obviously changed their login page from epik.com to federatedidentity.com. And somehow I have only the 2FA codes for logging in via epik.com now but not the federatedidentity.com 2FA. Obviously I made the mistake of thinking that these codes are the same or that you can still log in via epik.com with the old 2FA which I generated there. And at the same time, it seems that Epik completely removed the old login page. Before, you were able to decide.

3. I contacted support and explained my problem. They mention an account PIN that was not even created by me. Of course I don't know such a PIN, which is stored somewhere in my profile, obviously without notice. So I try to find a way back into my account. I mention that I can still use my phone number for their SMS login or the old epik.com login 2FA.

4. They demand that I upload my new passport. I tell them that I won't upload any such documents anymore after the fact that they are responsible for the situation that all my sensitive data is published online. Instead, I offer them to share the document with them in a Dropbox link for one-time view and tell them that I don't give them permission to store any of my identity documents permanently.

5. And what do they do? They tell me that they don't give me access to my account. This company has become completely ridiculous. No SORRY nothing about the shit they have done. I won't upload anything and I don't give you permission to store any identity documents and if you do so, then I will take legal actions. Basta!

Thank you for this mess Epik. First allowing hackers to easily decrypt all data by employing wannabe security specialists who don't know what encryption algorithms aren't secure anymore in 2021. And then for the fantastic communication and having two different logins, and then removing one login etc. That's completely crazy.

Sorry to learn that that is happening to you. After the breach I saw an increase in spoof emails and alerts from other sites that my login may have been compromised. And I only had an account but did not conduct any business.
 
Your whois data wasn't private. If you can't find it for free, you can buy it.

It was public on a trust basis. Now registrars are better at protecting whois info. A Terms of Use appears in the whois results that includes, among other things, a statement to the effect that collection of the data or dissemination of the data is prohibited.

If any registrar is scraping whois info or buys whois data from another source, that is shady behavior, IMO. That is what spammers do. Why would a registrar need that data?
 
It was public on a trust basis. Now registrars are better at protecting whois info. A Terms of Use appears in the whois results that includes, among other things, a statement to the effect that collection of the data or dissemination of the data is prohibited.

If any registrar is scraping whois info or buys whois data from another source, that is shady behavior, IMO. That is what spammers do. Why would a registrar need that data?

Whois data is public. You can choose to hide your information but it is still public data and can be found free or purchased.
 
There are strict regulations about breaking into computer networks, stealing IP, sabotage and blackmail.

I don't know how many times you can say the same thing in a different way but you continue to impress me.

There are also strict regulations when it comes to storing and protecting customers' data - from PCI compliance to GDPR, and more.

Brad
 
It's a fair point that most WHOIS data used to be public by default, though not for some country codes, though even then many used WHOIS privacy services, either paid or free, to avoid publishing their particulars. And a lot of historic WHOIS data can be bought from Domaintools.com - when they started offering that in the late 2000s many complained, and for some in the know that was the time to start using WHOIS privacy.

It seems most registrars in publishing WHOIS data say it may not be scraped or repurposed, though I doubt they have any power to enforce it.

But under GDPR you have to have a reason to collect PII (Personally Identifiable Information), collect only the data you need, and keep it only as long as you have an identifiable need for it. Data has to have a defined shelf life.

Under GDPR, EU citizens and residents have a right to request the data that a data controller holds on them, and to request its amendment or deletion. So Epik and Domaintools could face emails and requests from 400+ million people about the data they hold, or might hold. GDPR does apply to Epik and USA companies, as documented earlier in this thread.

Perhaps someone here can comment on the new California data protection laws, which I think are similar to GDPR in many ways.

I agree but was any of the data created after GDPR? Epik is an American company. People are complaining about trivial differences that have been gone over and over.
 
My experience with Epik in the last months has been nothing but terrible.

1. All my phone numbers, emails, domains, addresses, transactions, and old passport data were included in the torrent file and the data breach. Since that time I receive phishing emails and phishing SMS all the time.

2. I updated all my passwords and 2FA codes after this breach. But at the same time, they obviously changed their login page from epik.com to federatedidentity.com. And somehow I have only the 2FA codes for logging in via epik.com now but not the federatedidentity.com 2FA. Obviously I made the mistake of thinking that these codes are the same or that you can still log in via epik.com with the old 2FA which I generated there. And at the same time, it seems that Epik completely removed the old login page. Before, you were able to decide.

3. I contacted support and explained my problem. They mention an account PIN that was not even created by me. Of course I don't know such a PIN, which is stored somewhere in my profile, obviously without notice. So I try to find a way back into my account. I mention that I can still use my phone number for their SMS login or the old epik.com login 2FA.

4. They demand that I upload my new passport. I tell them that I won't upload any such documents anymore after the fact that they are responsible for the situation that all my sensitive data is published online. Instead, I offer them to share the document with them in a Dropbox link for one-time view and tell them that I don't give them permission to store any of my identity documents permanently.

5. And what do they do? They tell me that they don't give me access to my account. This company has become completely ridiculous. No SORRY nothing about the shit they have done. I won't upload anything and I don't give you permission to store any identity documents and if you do so, then I will take legal actions. Basta!

Thank you for this mess Epik. First allowing hackers to easily decrypt all data by employing wannabe security specialists who don't know what encryption algorithms aren't secure anymore in 2021. And then for the fantastic communication and having two different logins, and then removing one login etc. That's completely crazy.

I would like to know about the first point. My understanding was ID documentation was not included in this breach. Is that not the case?

Passport and potentially other ID documentation would make this even more of a disaster.

Brad
 
There are also strict regulations when it comes to storing and protecting customers' data - from PCI compliance to GDPR, and more.

Brad

Another false equivalence. A few megabytes of public whois data vs gigabytes of IP and private information stolen, sabotage and blackmail.

You've changed my mind.
 
I agree but was any of the data created after GDPR? Epik is an American company. People are complaining about trivial differences that have been gone over and over.

I don't know. It is not exactly like Epik has been forthcoming on the data breach when it comes to providing useful information and updates.

That aside, there can be zero doubt they were in violation of PCI compliance with how they were storing credit card data. It is simply not allowed to store much of that information, such as CVV codes.

Brad
 

"Shitty Russian Code" is as American as apple pie!

I agree but was any of the data created after GDPR? Epik is an American company. People are complaining about trivial differences that have been gone over and over.
The question where the data was stored (US/UK/Ukraine) remains unanswered. Just like the question why Mr. Monster removed his appearance as partner from the Ukrainian website We Can Develop IT. Furthermore, GDPR is relevant to Epik as well.
 
How many times can we go over the same thing?
Imo, it's you who should read the thread more carefully before saying the same things over and over again.
 
Am I allowed to express my opinion that Anonymous's crimes are worse than Epik's incompetence?
Sure, and we can or may even agree on that. But it's a fact now and we can't deny. Or can we.
 