Epik Had A Major Breach

The views expressed on this page by users and staff are their own, not those of NamePros.
In keeping with industry best practices, we have marked NamePros accounts as potentially compromised if they contained identifiers that matched data in certain portions of the Epik breach.

Note that analysis was limited. Much of the data is unstructured or unlikely to impact the security of accounts on NamePros, so we have focused on the data that we believe to present the greatest risk of credential stuffing attacks.

If your account is marked as potentially compromised, you will be logged out. The next time you attempt to log in with a valid password, you will be informed that there was a security concern with your account, and you will be prompted to reset your password:
We've received indication that your account credentials on a third-party service may have been compromised. For your security, you will need to reset your password. You won't be able to log in until you do so. Please click here to reset your password now.
This is the same system we have used in the past to lock down accounts that we believe to be compromised or at risk of credential stuffing attacks.

As analysis continues, we may flag additional accounts, take further action to lock down potentially affected accounts, or implement further protection measures as deemed appropriate by the security and domaining communities.
 
•••
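The lockdown described in the post above (match identifiers against the breach, log the account out, allow login again only after a reset) as an added example; this is not NamePros' own code, and the in-memory account store, session table and the layout of the breach rows are assumptions made for illustration:

```python
"""Matching account identifiers against a breach dump and forcing a reset on the
next valid login.  Added example, not NamePros' own code: the account store,
the session handling and the shape of the breach rows are assumptions."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumed site setting; tune for your hardware


def normalize_email(addr):
    """Trim and lower-case so 'Alice@Example.COM ' matches 'alice@example.com'."""
    return addr.strip().lower()


def identifier_hash(addr):
    """SHA-256 of the normalised address: the matching step can then run over a
    hashed copy of the dump instead of keeping the raw file beside the user table."""
    return hashlib.sha256(normalize_email(addr).encode()).hexdigest()


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AccountStore:
    """In-memory stand-in for the user table and the active-session table."""

    def __init__(self):
        self.accounts = {}  # normalised e-mail -> {"salt", "digest", "compromised"}
        self.sessions = {}  # session token -> normalised e-mail

    def register(self, email, password):
        salt, digest = hash_password(password)
        self.accounts[normalize_email(email)] = {
            "salt": salt, "digest": digest, "compromised": False}

    def flag_from_breach(self, breach_emails):
        """Mark every account whose identifier appears in the dump and end its
        sessions (the forced logout).  Returns the flagged addresses."""
        breached = {identifier_hash(e) for e in breach_emails}
        flagged = [e for e in self.accounts if identifier_hash(e) in breached]
        for e in flagged:
            self.accounts[e]["compromised"] = True
        self.sessions = {t: e for t, e in self.sessions.items() if e not in flagged}
        return flagged

    def login(self, email, password):
        """('ok', token) | ('reset_required', None) | ('denied', None).
        The reset prompt appears only after the password verifies, so an
        attacker cannot use the login form to learn which accounts were flagged."""
        acct = self.accounts.get(normalize_email(email))
        if acct is None:
            return ("denied", None)
        _, digest = hash_password(password, acct["salt"])
        if not hmac.compare_digest(digest, acct["digest"]):
            return ("denied", None)
        if acct["compromised"]:
            return ("reset_required", None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = normalize_email(email)
        return ("ok", token)

    def reset_password(self, email, new_password):
        """Clears the flag only once a new password has been set."""
        acct = self.accounts[normalize_email(email)]
        acct["salt"], acct["digest"] = hash_password(new_password)
        acct["compromised"] = False


def demo():
    """Walks one account through flag -> forced logout -> reset."""
    store = AccountStore()
    store.register("alice@example.com", "correct horse")
    store.register("bob@example.com", "battery staple")
    _, token = store.login("alice@example.com", "correct horse")
    # Constructed breach excerpt: only the identifier column is needed here.
    flagged = store.flag_from_breach(["Alice@Example.COM ", "nobody@example.org"])
    after_flag = store.login("alice@example.com", "correct horse")[0]
    store.reset_password("alice@example.com", "new passphrase")
    return {
        "flagged": flagged,
        "session_survived": token in store.sessions,
        "after_flag": after_flag,
        "old_after_reset": store.login("alice@example.com", "correct horse")[0],
        "new_after_reset": store.login("alice@example.com", "new passphrase")[0],
        "unflagged_user": store.login("bob@example.com", "battery staple")[0],
    }


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: identifiers are normalised before hashing (case and whitespace differences in the dump would otherwise miss accounts), and the "reset required" message is shown only after the password verifies, so the flag does not become a way to enumerate which addresses were in the breach.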
Let's not let this devolve into yet another flame war over Epik or politics. Given the circumstances, that would be entirely unfair to everyone involved. Notable sites in our industry have been getting hacked more and more often, regardless of their political alignment or lack thereof. Pointing fingers and debating motive does not help us move forward.

Moderators, please take note.
 
•••
You should be reporting actual security issues and bugs directly to the CTO if the CEO doesn't understand the issues.

I reported it both to Rob and to the developer in charge of the relevant project. Rob reached out to me with a request; when I brought up a related security issue and cc'd the developer, he stopped responding. The details are earlier in this thread.

You can't be marketing yourself as the pinnacle of security and privacy in the domaining industry--"The Swiss Bank of Domains"--if you don't understand what that means; it's just not acceptable, and we should be demanding better.

At the end of the day, it doesn't matter whether he was deliberately ignoring security or just naïve: his customers will be suffering the consequences of his (in)actions regardless. He pitched himself as an innovator in privacy and security, yet here we are.

If you're pitching yourself as a shield for the persecuted, protecting their freedom of speech, you'd better not be storing such verbose PII in this manner. That's not to say you can't store it, but it can't be sitting in the clear in your backups alongside the rest of your data.

Trust is hard-won and easily lost. While I'm sure Epik will continue to have a loyal following, it's going to be hard to regain the trust lost during this incident.

I registered on 16th March. Does that mean I'm safe?

Nobody knows. The attacker only released data up to around the end of February, but there are clear indications that some data was withheld prior to the public release. We don't know what's circulating in private circles or what the attacker may have kept for themselves.
 
•••
The lack of any response by Epik is troubling, even a basic update on what is going on.

I understand if things are going on behind the scenes, but you have (37) Epik staff members on NamePros.

A basic "We are aware of the reports and are researching the situation" or something similar is needed.

Brad
 
•••
Probably would have been better without the last paragraph - God, prayer, evil, enemies. That is not usually the type of wording you see about a hack.

All people care about is what happened.

At Epik, we take security and the privacy of your information very seriously. Therefore as a precautionary measure, I am writing to inform you of an alleged security incident involving Epik.

Our internal team, working with external experts, has been working diligently to address the situation. We are taking proactive steps to resolve the issue. We will update you on our progress. In the meantime please let us know if you detect any unusual account activity. I am proud of our team's efforts as we do our part to empower a thriving internet for the benefit of our customers around the world.

You are in our prayers today. We are grateful for your support and prayer. When situations arise where individuals might not have honorable intentions, I pray for them. I believe that what the enemy intends for evil, God invariably transforms into good.

Blessings to you all.

Regards,

Rob Monster
Founder and CEO
Epik Holdings Inc
•••
I don't think this link (below) has been posted in thread. It is important to realize that, unfortunately, many large businesses have been hacked. It is one of the major issues of our times.

Much of recovery success depends on response and communication.

This gives details of some security breaches, including year of breach, number of accounts, and in many cases the information gathered. Among the names are Facebook (multiple times), Adobe, Dropbox (more than once), Marriott, Canva, Zoom, Uber, eBay, LinkedIn, Yahoo (multiple times), Equifax, Capital One, Quora, Home Depot, etc.

https://www.upguard.com/blog/biggest-data-breaches

This is NOT to make light of situation if it is as claimed. Just to point out, unfortunately, data breaches are a fact of modern life.

Bob
 
•••
Agreed. He is most likely candidate but we also have to consider:
1) Mike Lindell (pillow guy) - What a manic, delusional and weird conversation that would be to listen in on.
2) Peter Thiel (and Jeff Giesea) - Daddy of the alt-right and one of the most evil companies on the planet - facial recognition, killer bots, etc. Giesea's family ran the infamous Bohemian Grove for decades.
3) Patrick Byrne (Overstock) - Confessed to working with the feds for 20 years while running an internet furniture store and helped put some innocent little Russian girl in jail after taking advantage of her sexually.

IMHO - Byrne is sincere but gullible. Lindell is sincere but mentally ill. Mercers are evil agents. Thiel is evil as the day is long.

Epik's previous partner was Braden Pollock, husband of [redacted], who is the daughter of [redacted]. Strange bedfellows to say the least.

Attached is pic of Thiel with founder of Gab.

Derek,
Interesting that you would post my wife's name (as if she's ever heard of Epik) and my 80 y/o mother-in-law's name (as if she's ever heard of a domain name). How fair is it to associate them with this mess? Clearly, I don't want to be associated with white supremacy, racism or hate speech - hence resigning my board position. Freedom of speech has its limits.
I sit on several Boards. Usually I have some leverage. With Epik, I had none. I always disagreed with hosting Gab, etc and tried many times to have some sway. When that proved fruitless, I moved on with my life. I have absolutely nothing to do with Epik hosting these hateful sites. So please remove me and especially my family from this narrative.
 
•••
I mean he even hired a guy to harass some little girl and threaten her family because he didn't like her wiki entry.

... the nutjob even hired some guy to harass some little internet girl because he didn't like her wiki entry about Epik.

well, judging by the amount of energy that wiki girl Mollie put into all of this, I wouldn't want to make them mad.

@Derek Peterson, if you'd be so kind, could you stop referring to me as a "little girl"? When @Windoms mentioned it a few pages ago I figured that would be the end of it, but you keep doing it and it's very strange.
 
•••
I'm more concerned about the possibility of my personal information being compromised. I really hope it will be addressed soon. I was on another app and they were talking about it. Bad news spreads fast.
 
•••
so sad the level of hatred and the NamePros community is so divided!

Cheers
Corey
 
•••
https://www.troyhunt.com/weekly-update-261/

Weekly Update 261

Never a dull moment! [...] A few other random things in this week's vid, the one worth following up on here though is the promised tweet about how to handle the Epik breach and the result so far is, well, let's just say I think I nailed the public sentiment in the video [...]

Additions to the quote above:

Troy Hunt talks about Epik from 27:23 to 43:30.

If you don't know:
 
•••
Just reading some of the commentary about the WHOIS data on Twitter. It seems that some of those covering the story don't realise that WHOIS data (at least prior to May 2018) was largely public. Many of the e-mail addresses in the scraped WHOIS records would already have been public. What makes the dataset problematic is that the WHOIS record may link the e-mail address with a real-world identity on a large scale for a lot of e-mail addresses.

Regards...jmcc
 
•••
Monster's behaviour, both historical and current, actually has a lot to do with the hack. If Monster didn't try to cut out a niche for himself as "the guy who will sell literally (almost) anyone a domain", pulling marketing stunts like running Nazi websites, Epik wouldn't have attracted so many unsavory customers, thus hacktivists wouldn't have broken into their system. If he wasn't so arrogant and clueless about security his data wouldn't have been stored in such an insecure way (or at all, most of this stuff they did not need!) If they had patched their systems they might not have even gotten hacked. Did you miss the part where they probably failed to notify anyone that they were investigating a potential breach in 2020? Nobody is trying to defame your friend, they're criticizing him for making so many poor life choices and business decisions.

Although we're being a bit lenient with newer members in this thread, we've asked previously that the political side of this not be the center of focus because it's already been hashed out in several other threads over the years. This is a small industry, and everyone knows where everyone else stands, so there's not much point. As much as we love to be backseat lawyers, philosophers, and ethicists, we are not. Rob's character and Epik's business practices have long been divisive within our industry, even before he was in the public spotlight. While those discussions are important and ought to take place beyond the realm of domaining, they've already happened here.

We're just beating a dead horse at this point, and the only people left standing to discuss it are the vocal minorities on either extreme and the occasional bystander who, to their misfortune, happens to wander into the middle of such debates.

What's new to us is the information about Epik's lapses in security and privacy, as those revelations don't align with their reputation in the industry. Love them or hate them, they were known for (seemingly) caring about such matters, and most of us probably didn't expect this. It's not surprising that they got hacked; what's surprising is how poor their security practices were in general.
 
•••
I have to say that after reading more than 2000 comments here, and more on Twitter, the news etc. I feel kinda tired and realized I have to focus on domain investing again. All of this that happened surely taught me a lot as I am currently studying cyber security, this thread was invaluable to all of us, a live example of what can happen when security is not taken seriously. And I hope more people learn about domain investing too, it's a nice way to earn a living.

Let this breach be a lesson to all of us, for investors as well as other companies. For investors to do research and evaluate where to put all the eggs. And the best is to diversify, because we never know which company to trust, until a breach has happened it's already way too late. Do research on best practices for security, unique passwords for each account, unique emails for each account, 2 Factor Authentication etc. which have been mentioned a couple of times here already. But take this very seriously, this is no joke, it is our money, and our families depend on it too. There may be many other companies that have been hacked, and we never knew about it, and all our data is circulating on the dark web. So always be cautious and change your passwords/usernames frequently, not only when we find out about a breach.

@Paul keep doing your great work! You are a real professional and taught us a lot on how to handle difficult situations staying calm. I respect you for that.
@Rob Monster keep praying is all I can say to you and I hope one day you realize the truth, it's not nice to ignore serious security issues when thousands of people depended on you to safeguard our personal info. I hope you learn that when someone tells you there is a vulnerability, do not ignore them nor threaten them later on.

All I can say now is, there is not really a 100% bad/evil person, but only people who do bad/evil things. We were all born innocent, but unfortunately things change with time due to circumstances and maybe some evil DNA code on how we handle stuff, but people can also change to good again if they are open to learn from their mistakes. Maybe in God, or other religions or spirituality such as breath meditation techniques etc. We all have our own ways to deal with life's up and downs. A beer or 5 is also good, or a nice fat joint.

Cheers everyone and hope this will all have a happy ending.
 
•••
The article doesn't seem very credible. It says Epik hosts 700k domains but only has $1m/year revenue? I'd think the average cost is $10 so that'd be $7m at least not counting all of the other services available and commissions from auction sales.
Domains have super low margins and in Epik's case they were mostly a loss leader to resell other affiliate programs. Everything at Epik was a white label.
 
•••
Update:

now, most of you will have seen our first official update sent via email today.

Quick supplemental update:

- Cyber forensic work is moving swiftly.

- Our engineers believe the hack is of an aged remote backup, not of Epik's core production.

- No customer domains have been impaired to our knowledge. More domains arrived today than left Epik.

- Our support team is doing an excellent job.

Cyber security is no joke. If this can be done to Epik, it can be done to anyone. As it was, we were already in the process of heavily investing in this arena. Lord-willing, we will once again emerge stronger from the experience.

On a personal note, I am thankful for the outpouring of support. May those of you who choose to stand with Epik all be greatly blessed, both in this life, and the one to come.

Regards,

Rob
 
•••
There was an EPP maintenance during the last hour. It is finished.

Should be all systems go. Engineers are working very hard to audit and secure all facets.

Updates will follow, including an official email this evening.
 
•••
Good points,

There are mainly two reasons for this:

Money

and

Politics

When it comes to money you have to realize that there might be hidden loyalties and alliances behind the scenes between some domainers and other registrars that see this as an opportunity to take one of their competitors out and perhaps take over some of their customers.

And as far as politics go, well we all know that some people seem to have an ideological vendetta against Epik that has been going on for a long time and rightly or wrongly they see this as an opportunity to vent some of their frustrations.

The only way to have a positive ending to this situation is to use this opportunity to bring some reforms to Epik and to the domain Industry at large (perhaps even to NamePros too).

IMO

Again, politics aside, this appears to just be some really shitty cybersecurity.

- Storing stuff like credit cards, passwords, etc. in plain text.
- Using internal passwords like "123"
- Ignoring warnings about potential for security breaches.
- Data breach includes subpoenas and grand jury information involving ongoing investigations.
- Initially downplaying the seriousness of the hack.

and much more...

Instead of the classic ignore, deflect, blame others, Epik is going to be forced to take responsibility for this one, especially when it now involves data linked to 3rd parties that had nothing to do with Epik.

All you have to do is go on Twitter in the last day and see countless people talking about being caught up in this data breach, and having no idea who Epik is.

They are also going to have to answer to major credit card companies on why payment information was stored in plain text.

Brad
 
•••
Anyone have a breakdown or rough idea on how much of their business is outside of the U.S?
Estimates of Epik visitors outside of the United States:
 
•••
Registrars have a responsibility to secure their infrastructure and data. Inevitably, some will be irresponsible, as appears to have been the case here. How are customers supposed to know about that before it’s too late? How would an average registrant make an informed decision? When all this is over, how will any of us know whether Epik has resolved the underlying issues?

Security audits work best when they’re performed regularly by different auditors. There are security auditors who will sign off on lousy security, but if you’re required to go to a new company each time, you’re not going to get away with the security flaws present at Epik for very long. Personally, I would like to see ICANN enforce annual security audits. That’s not to blame ICANN for what happened, but it would be a nice improvement to their policies that would help address the threats we’re seeing today.
 
•••
Not everyone has the technical ability or resources to determine if their data is present in the leak, and I suspect many people who were exposed in this hack appreciate the work being done by those like whoever made that spreadsheet, and Troy Hunt and the other folks we can thank for Have I Been Pwned.

If you want to assign blame, it is reasonable to blame the incredible irresponsibility and/or ineptitude at Epik that resulted in such an enormous amount of data being stored in such a poor way. It might also be reasonable to blame those responsible for exfiltrating the data, though with security and data retention practices like Epik's my only surprise is that it didn't happen sooner. But blaming researchers for reformatting or sharing their findings from widely-available data is frankly ridiculous.

As another poster aptly put it more than a few pages back:

If someone analyses earthquake data and it helps me avoid catastrophe, I wouldn't accuse them of trying to destroy cities or targeting my home.

There is certainly reasonable criticism of reporting on this particular episode, and of reporting on Epik in general—for example, I've seen frequent errors (usually in breaking news) in whether Epik is the registrar for a website or a webhost over the years. And if there are journalists who have written that, numerically, most Epik customers are far-right, then that should be criticized (and corrections submitted). But it seems bizarre to me to fault journalists who have described Epik as a popular choice among far-right groups and individuals, or as a company known to service the same when they have been deplatformed by others. It seems to me that Epik has chosen to make a name for itself and increase its profile through vociferous support of projects like Gab, and Monster's (and other Epik employees') various statements and appearances supporting right-wing individuals. As recently as two months ago they were posting on Gab about rubbing elbows with James O'Keefe, it seems. You're quite right that there are probably customers whose information is in the leak due to domains bought before 2018, and who may not have realized their previously fairly low-profile registrar might suddenly take a public turn to the right, but it seems to me that it is Epik who is responsible for earning this reputation.

Anyway, now that I've responded to the ping and said my piece to the reply I will leave you be—I am cautious of appearing to intrude on your forum uninvited, as I am not a domainer myself. You know where to find me on Twitter if there's anything I can help with, or I will respond to pings here (albeit slowly and often only several pages later, apologies). Thank you again for your active discussion here—though I certainly disagree with many of the opinions expressed, I appreciate those of you willing to provide valuable expertise and insights in a public forum where those of us without the expertise can learn from you. Best of luck and best wishes to all.
 
•••
Even the person who wrote the Wikipedia article for Epik goes by the pseudonym "gorilla warfare", I mean how professional is that as a representative for the world's online encyclopedia?
I am not some sort of official representative for Wikipedia, I am a volunteer like all other editors. I fail to see how the nickname is less professional than any other pseudonym, such as "HotKey".

Anyway, the SPLC published two reports based on the Epik data today:
I wondered why Epik.com's Twitter account suddenly returned to activity today after another lull.
 
•••
The Kiwi Farms issue is a separate one from the Epik breach that occurred, so shouldn't it be separated out into another thread?

Not my call but "Epik Had A Major Breach" because among its customers were far-right and neo-Nazi hate sites so when Epik decides to side with the internet's most famous hate forum where transphobic Nazis persecute random people I think we're on topic here.
 
•••
My personal stance on this:

Companies are going to get hacked; that's just the way it is. While there are clearly security lapses visible in the data, that's no different from any other company. Maybe it was hacktivism, maybe it was a disgruntled customer, maybe it was just someone who thought it was fun--it doesn't really matter.

Epik is going to be facing a lot of criticism in the coming days, both for falling victim to an attack and for issues with the data that has been leaked. There are going to be more eyeballs on their security practices than they could ever hope to have otherwise. Keep that in mind when you're reading about how they failed to secure X or didn't follow best practice Y.

That being said, some of the mistakes here do appear egregious, and I would hope that a company of their importance would learn their lesson and hire security professionals in the future.

Cleartext and MD5!! This is the best they could do?!

That's what I'm seeing, but I can't easily verify the passwords + hashes themselves haven't been tampered with--although, based on the rest of the dataset, I have no reason to doubt their authenticity.

This is really bad news. There shouldn't even be a single plaintext around.

It's quite possible that the plaintext passwords are intended for outbound authentication--that is, authenticating to third-party services. In that case, they would need to be plaintext, or at least use reversible encryption (as opposed to hashing, which is one-way).
 
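The "cleartext and MD5" point in the exchange above, as an added example that is not from the leaked data or from Epik's code: the user rows and the guess list below are constructed, and PBKDF2 stands in for whichever salted slow hash (Argon2, bcrypt, scrypt) a site would actually pick. It covers only the one-way user-password side; the reversible-encryption case for outbound credentials mentioned in the last reply is a separate design and is not shown here.

```python
"""Why an unsalted MD5 password column is close to cleartext once stolen.
Added example; LEGACY_ROWS and GUESSES are constructed, not real breach data."""
import hashlib
import secrets
import time

# Constructed table in the style described in the thread: unsalted MD5.
LEGACY_ROWS = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",   # md5("password")
    "bob":   "e10adc3949ba59abbe56e057f20f883e",   # md5("123456")
    "carol": "5f4dcc3b5aa765d61d8327deb882cf99",   # same hash as alice
    "dave":  hashlib.md5(b"Xk9#q2Lm!vR7").hexdigest(),  # not in the guess list
}

GUESSES = ["letmein", "123456", "qwerty", "password", "hunter2"]


def crack_unsalted_md5(rows, guesses):
    """One MD5 per guess recovers every user with that password at once,
    because unsalted hashes are identical for identical passwords."""
    table = {hashlib.md5(g.encode()).hexdigest(): g for g in guesses}
    return {user: table[h] for user, h in rows.items() if h in table}


def duplicate_hashes(rows):
    """Even without cracking, equal hashes tell the attacker who shares a password."""
    seen = {}
    for user, h in rows.items():
        seen.setdefault(h, []).append(user)
    return {h: users for h, users in seen.items() if len(users) > 1}


def make_salted_record(password, rounds=200_000):
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256 here)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return {"salt": salt, "rounds": rounds, "digest": digest}


def guesses_against_salted(record, guesses):
    """Each guess must be re-derived with this user's salt and round count:
    nothing is shared across users and every attempt costs `rounds` HMACs."""
    for g in guesses:
        d = hashlib.pbkdf2_hmac("sha256", g.encode(), record["salt"], record["rounds"])
        if d == record["digest"]:
            return g
    return None


def demo():
    """Returns what the attacker gets from each storage style."""
    t0 = time.perf_counter()
    cracked = crack_unsalted_md5(LEGACY_ROWS, GUESSES)
    md5_seconds = time.perf_counter() - t0

    alice = make_salted_record("password")
    carol = make_salted_record("password")   # same password, different salt
    t0 = time.perf_counter()
    found = guesses_against_salted(alice, GUESSES)
    pbkdf2_seconds = time.perf_counter() - t0

    return {
        "cracked": cracked,                       # three of four users, instantly
        "shared": duplicate_hashes(LEGACY_ROWS),  # alice and carol linked by hash alone
        "salted_differ": alice["digest"] != carol["digest"],
        "salted_found": found,                    # still crackable, but per user and slowly
        "slowdown": pbkdf2_seconds / max(md5_seconds, 1e-9),
    }


if __name__ == "__main__":
    print(demo())
```

The salted record is still crackable when the password is weak; the difference is that the attacker pays the full iteration cost for every guess against every user rather than one MD5 per guess for the whole table, and identical passwords no longer produce identical rows.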