Epik Had A Major Breach

Labeled as alert in Warnings and Alerts, started by Silentptnr, Sep 14, 2021

Replies:
3,633
Views:
194,372

  1. Chris Hydrick

    Chris Hydrick Account Closed (Requested) VIP

    Posts:
    6,304
    Likes Received:
    9,805
    @Molly White

    1) [image attachment: 111.png]

    2) [image attachment: 222.png]

    3) [image attachment]

    TLDR: Epik's bug bounty program failed to act on reported security holes, but instead allegedly paid out $2,000 in what appears to be some kind of human bounty program? That doesn't sound like very reasonable Christian/security-minded folk to me.

    Perhaps epik should dismantle their human/journalist bounty program, and redirect that time/energy/money to fixing/developing a working security bug bounty program. You know, this time for fixing actual security bugs, instead of harassing buggy people.
     
    Last edited: Sep 19, 2021
  2. cbd

    cbd Top Contributor VIP Gold Account

    Posts:
    2,374
    Likes Received:
    1,309
    Side note: obviously, being a public forum, some of the replies to this thread are now circulating on Twitter.
     
    Last edited: Sep 19, 2021
  3. carob

    carob Top Contributor VIP ★★★★★★★★★★

    Posts:
    3,870
    Likes Received:
    5,407
    Example amounts of compensation for breaches:

    https://www.data-breaches.co.uk/data-breach-protection-claims-and-compensation/amounts/

     
  4. Jurgen Wolf

    Jurgen Wolf Top Contributor VIP ★★★★★★★★★★

    Posts:
    12,136
    Likes Received:
    11,042
    This is their compensation...
     
    Last edited: Sep 19, 2021
  5. Chris Hydrick

    Chris Hydrick Account Closed (Requested) VIP

    Posts:
    6,304
    Likes Received:
    9,805
    1) Are you saying epik employs hug dealers?

    [image attachment: upload_2021-9-19_9-27-17.png]

    2) You know what they say about men with big hugs?

    [image attachment: upload_2021-9-19_9-28-39.png]

    3) Hoodie talk aside, Giant Teddy Bear people give great free hugs.

     
    Last edited: Sep 19, 2021
  6. Mister Funsky

    Mister Funsky Top Contributor VIP

    Posts:
    5,650
    Likes Received:
    21,758
  7. labrocca

    labrocca Top Contributor VIP ★★★★★★★★★★

    Posts:
    6,437
    Likes Received:
    470
    Do you even use Gab? I'm there daily. It's not the site you think it is. Just a place that Conservatives feel more comfortable posting. Places like Twitter, Reddit, and Facebook will all censor you. I'm not okay with that. If I want to express something that's unpopular I should be allowed to do so. Epik doesn't harbor sites, Epik has taken a stand against tyranny. That's why Gab and Epik will survive. It is not yet against the law to say something unpopular. There are growing consequences of course and that's very unfortunate, but realize that your freedoms are being fought for even if you don't like it. One day, you might want to say something unpopular and have nowhere to post it.

    On another note, I'd like to actually see the data stolen. Not gonna DL GB's to do it but I'd love to see the format. Are the PW's really in plain text? How many tables were grabbed. What's the schema? Does the data contain what domain names are owned by the accounts?

    btw, quick story about Epik. I have a problem with my accounts being a target. When I moved all my domains to Epik I had spoken to Rob about it, he assured me things would be fine. Wasn't too long before indeed my Epik account was stolen by crafty social engineers towards their support system. I was back and forth with Rob for a few days because my account would get recovered then stolen again. No domains were lost but my PW was continually being reset and my access lost. Rob worked with me to increase the security and end the problem and since then it's been solid. My point is that despite being flawed Epik is going to do their best to stop domain thefts. And until they fail that mission, I'll be happy to stay there. We should all help them with suggestions and methods of improving their service.

    Wow. Supporting a business that shares your political views doesn't mean you're in love. I don't shop Walmart but that doesn't mean I hate them. I'd leave Epik the moment they stopped serving my purpose. Until then, they have my support. I spent years at Moniker, then at Uniregistry, and now Epik. Notice the pattern? These are domainer registrars. Who is better right now than Epik if you're a domainer? Give me the link please.

    And that is just unacceptable. If you don't see the evil behind this and that Rob is fighting the good-fight, there is no hope left in the world. Someone out there is under the belief that discussions that don't fall under the government allowed topics should be hacked, exposed, and probably worse. Are any of you okay with that? If anything this strengthens my resolve to help Rob and stick with Epik.

    btw, GDPR is a joke for US citizens and companies. They can't do anything about it if you don't comply. Americans don't need to follow EU laws. There are no real consequences.
     
  8. Beezy

    Beezy Top Contributor VIP

    Posts:
    6,384
    Likes Received:
    2,321
    Gab literally hosts domestic terrorists. Disgusting that you go there daily. It's also not true that Facebook censors conservatives. The top 10 posts daily are conservatives. I can show you this. I can also show you the crowd on Gab.
     
    Last edited: Sep 19, 2021
  9. Kingslayer

    Kingslayer Top Contributor VIP

    Posts:
    2,139
    Likes Received:
    5,711
    GDPR is great, and yes they can. If American companies don't want to follow GDPR laws, they should block all EU (and UK) citizens from accessing their site (which some do); data protection laws apply even to logging IP addresses.

    American companies that deal with EU/UK citizens have to abide by GDPR and I'm sure various other data protection laws wherever a particular person is from in the world by law.
     
    Last edited: Sep 19, 2021
  10. DNabc

    DNabc Established Member ★★★★★★★★★★

    Posts:
    683
    Likes Received:
    182
    I don't get involved in political issues, I always try to do good to others not just around me but all around the world without requiring their full bio and beliefs.
    The data exposed will harm people that never even heard of the things that the group uses to justify this action, hurting people without any sort of affiliations and some even more left-wing than the attackers. Yes, this was an attack on the privacy and security of thousands of persons.
    I ask this: is that fair, or do they simply not care? The latter, I'm sure.
     
    Last edited: Sep 19, 2021
  11. Silentptnr

    Silentptnr Domains88.com VIP

    Posts:
    16,725
    Likes Received:
    48,284
    Epik Suggestion: On the checkout page, the "Save Credit Card" should NOT be checked by default. I almost forget to uncheck this every time.

    Please change to default to "Not Checked".
     
  12. Chris Hydrick

    Chris Hydrick Account Closed (Requested) VIP

    Posts:
    6,304
    Likes Received:
    9,805
    I would be okay with other WHOIS privacy services getting hacked, and released for transparent public knowledge. It would literally be the domain name version of the Panama Papers transparent distribution, right?

    GoDaddy WHOIS proxy probably being the largest database, would surely release more connections to covid misinformation sites than the marginally smaller anonymize.com database leak.

    Who's to say the breach only affects the political right wing? Are we to assume nobody from the left had their information exposed in this breach? And when did it become more about bad politics than poor security?

    Governments selectively subpoena this information all the time. What's the harm in removing all WHOIS privacy?

    It just so happens that a combination of epikly poor security and unfavorable opinions collided, resulting in the leak we see now. As unfavorable is subjective, surely GoDaddy/NameCheap etc. have some folks who view them with an unfavorable opinion, but the difference here appears to be that GoDaddy/NameCheap actually take their customer information seriously, until proven otherwise, as we saw with epik, who claimed to take security seriously as well but just didn't have the code/updates/bugbounty to walk the talk.



    Apparently they lacked salt or hash.
     
    Last edited: Sep 19, 2021
  13. mr-x

    mr-x Top Contributor VIP ★★★★★★★★★★

    Posts:
    21,063
    Likes Received:
    37,533
    [image attachment: upload_2021-9-19_10-30-10.png]
     
  14. jhm

    jhm Glazed

    Posts:
    3,692
    Likes Received:
    5,125
  15. carob

    carob Top Contributor VIP ★★★★★★★★★★

    Posts:
    3,870
    Likes Received:
    5,407
    And US companies do get fined under GDPR:

    https://www.usitc.gov/publications/332/executive_briefings/gdpr_enforcement.pdf
    https://www.compliancejunction.com/gdpr-for-us-companies/
     
  16. bmugford

    bmugford www.DataCube.com PRO VIP ICA Member ★★★★★★★★★★

    Posts:
    14,179
    Likes Received:
    27,378
    The more that comes out about this, the level of incompetence becomes even more apparent.

    Companies face attacks quite often. In this case poor security measures appear to have led to many of the issues.

    Brad
     
    Last edited: Sep 19, 2021
  17. tonyk2000

    tonyk2000 Top Contributor VIP ★★★★★★★★★★

    Posts:
    2,467
    Likes Received:
    4,426
    I am curious what "alternative news" epik retail clients will do now. They must be discussing everything in private groups or chats, no doubts...

    Switch registrar? Yeah they can try, but, since no other ICANN-accredited registrar would welcome them, this method will not work.

    Remain with Epik? They no longer trust Epik, obviously.

    So...

    Best guess: they will shut their .com domains down, sooner or later, voluntarily, and will switch to other extensions. Iceland (.is), or maybe former USSR .su (this TLD still exists and is managed by Russia). One of the known "alternative" websites is well and alive under .su (after having major issues with its .com).

    Russians everywhere? LOL. Sold bad code to Epik, are providing a domain in the .su TLD to at least one "alternative" U.S.-facing website, etc., etc., etc...

    Moreover, the new domains would not have any real ownership info even in .su/.is/whatever registries - the owners likely learned their lesson.

    But we are all domainers here. Actually, not having "toxic" clients will help Epik to survive as a domainers registrar. Which is a positive outcome...
     
  18. Beezy

    Beezy Top Contributor VIP

    Posts:
    6,384
    Likes Received:
    2,321
    My opinion: on Monday we're going to see folks not showing up to work, as they know their employers are about to find out about their secret lives.

    By Friday we're going to hear of actual firings with press releases, as businesses realize that employing terrorists is bad.

    HOWEVER, I've seen evidence that there was an extra level of redactions on some of the most egregious sites, and the info was not exposed, as if someone manually did this as a favor to the site owners (some of you PM the CEO to ask for personal favors all of the time, I have learned in this thread; I'm sure these high-profile ideological sites that he wants to preserve get even extra special treatment). So those folks are going to stay and repay Rob for his loyalty to their cause.

    But, will the hackers leave something open? Are they going to reveal everything?

    To me, it feels like Rob is learning about this like we are, but we'll see. He's untrustworthy and vague.
     
  19. Beezy

    Beezy Top Contributor VIP

    Posts:
    6,384
    Likes Received:
    2,321
    I'm furious that they kept failed password attempts in plain text because I specifically remember how often I would forget the password there and spend minutes trying everything I could think of.

    Even not supporting this evil company anymore gets me embroiled in this mess.
     
    Last edited: Sep 19, 2021
  20. Beezy

    Beezy Top Contributor VIP

    Posts:
    6,384
    Likes Received:
    2,321
    Question, HOW DOES THIS HAPPEN?

    Why would there be logs for this?

    Who were these logs for? Who coded that? Who had access to those logs? Everyone at Epik?

    Was there really another breach in 2020?

    The data in this breach is WILD.
     
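    The two complaints in this thread that are purely technical, the "lacked salt or hash" remark in post 12 and the plain-text failed-password logs in posts 19 and 20, both come down to one design rule: a password (or a failed attempt at one) should never be written anywhere in recoverable form. The block below is an added illustration, not code from Epik, NamePros or anyone in this thread. It uses a constructed in-memory user table and assumed function names (`register`, `verify`, `record_failed_login`) to show per-user salted PBKDF2 hashing and a failed-login log that records who, from where and when, but never the attempted secret.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Tuple

# Constructed in-memory "user table": username -> (salt, derived hash).
# Not any registrar's real schema; it exists only for this example.
_USERS: Dict[str, Tuple[bytes, bytes]] = {}

# Failed-login audit log. Entries name the account, source and time only.
FAILED_LOGIN_LOG: List[dict] = []

# PBKDF2-HMAC-SHA256 iteration count; lowered from the 600k OWASP currently
# recommends so the example runs quickly. Raise it in real code.
_ITERATIONS = 200_000
_SALT_BYTES = 16
_DUMMY_SALT = b"\x00" * _SALT_BYTES


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation; the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def register(username: str, password: str) -> None:
    """Store only a fresh random salt and the hash derived with it."""
    salt = secrets.token_bytes(_SALT_BYTES)  # unique per user, so equal passwords differ on disk
    _USERS[username] = (salt, _derive(password, salt))


def record_failed_login(username: str, source_ip: str) -> dict:
    """Log the failure. The attempted password is deliberately not a parameter,
    so there is no way for it to end up in the log."""
    entry = {
        "event": "login_failed",
        "user": username,
        "ip": source_ip,
        "ts": int(time.time()),
    }
    FAILED_LOGIN_LOG.append(entry)
    return entry


def verify(username: str, password: str, source_ip: str = "198.51.100.7") -> bool:
    """Constant-time comparison against the stored hash; logs failures without the secret."""
    rec = _USERS.get(username)
    if rec is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal whether an account exists.
        _derive(password, _DUMMY_SALT)
        record_failed_login(username, source_ip)
        return False
    salt, stored = rec
    if hmac.compare_digest(_derive(password, salt), stored):
        return True
    record_failed_login(username, source_ip)
    return False


def stored_record_reveals_password(username: str, password: str) -> bool:
    """Defender's check: would a dump of this user's row expose the password bytes?"""
    salt, digest = _USERS[username]
    return password.encode("utf-8") in salt + digest


def log_reveals_secret(secret: str) -> bool:
    """Defender's check: does any failed-login entry contain the attempted secret?"""
    return any(secret in str(entry.values()) for entry in FAILED_LOGIN_LOG)


if __name__ == "__main__":
    register("alice", "correct horse battery")
    register("bob", "correct horse battery")  # same password, different stored hash
    print("alice ok:", verify("alice", "correct horse battery"))
    print("alice wrong:", verify("alice", "toor"))
    print("rows differ:", _USERS["alice"][1] != _USERS["bob"][1])
    print("log leaks 'toor':", log_reveals_secret("toor"))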
  21. Samer

    Samer Restricted (15-30%)

    Posts:
    11,272
    Likes Received:
    21,969
    @Beezy,

    The man posted here, while, not obligatory, -fact one could argue, people like you, will see negative all his posts —regardless substance.
    It seems you are seeing nefarious actions that are not there. Rob is more trustworthy than any other Ceo, since he u kno“actually posted”amazing thing, posted before, & still more after

    Once more, i would like to take the opportunity, to thank @Rob Monster for actually replying.

    Samer
     
    Last edited: Sep 19, 2021
  22. cbd

    cbd Top Contributor VIP Gold Account

    Posts:
    2,374
    Likes Received:
    1,309
    Lol, wut tf?

    Such an absurd statement that doesn't jibe with reality in the slightest.

    I'm having to spend my day changing passwords on dozens of accounts because of R.M.'s shitshow, and here you are fanboying as usual. Get a grip dude.
     
    Last edited: Sep 19, 2021
  23. Jurgen Wolf

    Jurgen Wolf Top Contributor VIP ★★★★★★★★★★

    Posts:
    12,136
    Likes Received:
    11,042
    When I see "123" and "toor" passwords of admins and even in plain text - I have no comments, Swiss bank of domains.
     
  24. bmugford

    bmugford www.DataCube.com PRO VIP ICA Member ★★★★★★★★★★

    Posts:
    14,179
    Likes Received:
    27,378
    It seems more like the Swiss cheese of cybersecurity, with all the holes in it.

    Brad
     
  25. eternaldomains

    eternaldomains Established Member

    Posts:
    495
    Likes Received:
    337
    At this point even 2FA or whatever won't help since anyone can just screw around using the admin accounts.
     

Want to reply or ask your own question?

It only takes a minute to sign up – and it's free!
Topics / Tags:
biix
  1. NamePros uses cookies and similar technologies. By using this site, you are agreeing to our privacy policy, terms, and use of cookies.
    Dismiss Notice
Loading...