alert Epik Had A Major Breach


DaveX

•••
What resource is really reliable?
ICANN's data is best for the registrar reports. DomainState also has registrar figures that are based on these reports. (Haven't checked if they are current.)

These are the 01 Sep 2021 figures for Epik's main nameservers:
com - net - org - biz - info - mobi - asia
303387 | 11857 | 10646 | 1044 | 8153 | 82 | 64

This is from the May ICANN report:
Epik Inc. 494,019
That's the .COM number for Epik's official accreditation.

Regards...jmcc
 
•••
I kept remembering the journalist during that video confrontation asking about two shell companies, but I am completely ignorant to those details.

I think the journalist was following up on a previous request for an on the record comment regarding his below article:

https://bylinetimes.com/2021/09/08/texa-anti-abortion-bounty-hunting-website-now-hosted-in-the-uk/

Prolifewhistleblower.com appears to have a new host with ties to the United Kingdom. Web registration records indicate a switch to a UK based web host with ties to Crimea, as well as a link to servers owned by a New Jersey-based corporation that also hosts right-wing extremist and Christian hate-group content.

Website registration records indicate the IP now associated with the URL Prolifewhistleblower.com is associated with UK-based Overoptic Systems LTD, which also does business by the name HQHost. Overoptic Systems only has one listed corporate director and their address is in Crimea.

Records also indicate these IP addresses are linked to a New Jersey-based company called NatCoWeb Corp. They also show that NatCoWeb hosts extremist content, including a forum for the 3 Percenter right-wing extremist group and two websites for the Alliance Defending Freedom, a Christian nonprofit labelled by the Southern Poverty Law Center as a hate group. Little can be found about NatCoWeb Corp online.

Whois records of the IP address associated with Prolifewhistleblower.com also show Anonymize Inc. as the privacy administrator. NatCoWeb Corp and Anonymize Inc. appear to have a number of links. The bulk of the IPs on the NatCoWeb Corp server list Anonymize Inc as their privacy administrator. Anonymize is a wholly-owned subsidiary of Epik.

A certified network engineer who analyzed these web records for the Byline Times believes that, despite the seeming switch in IP records, Epik could still be providing IP hosting in some regard.

When approached for comment about their web host, a representative for Texas Right To Life said that it was still working with Epik and that the site is currently down while they establish “extra security protocols to protect our users before we put it back up.”

But when asked for clarification regarding the discrepancies in the registration records, specifically regarding whether Epik was providing them IP hosting, the representative said Epik was never the IP host. This is contradicted by records and previous reporting showing that the site was indeed hosted by BitMitigate at one point, a wholly-owned subsidiary of Epik.

In a comment to ArsTechnica on 7 September, a representative from Epik said the company never provided web hosting services to Prowhistleblower.com despite the fact that the website was at one point hosted on BitMitigate, a web host owned by Epik. While legally correct, the distinction appears to split hairs. Other IP addresses that redirect to Epik.com also link to IP blocks managed by British company Tinhat LLP, which in turn also links back to Anonymize. It has two directors whose addresses are listed in Switzerland.

Rob Monster was reached by phone and spoke with the Byline Times for over 15 minutes, but refused to comment on the record regarding any of these links.

To wit, Rob called the article a "nothingburger".

 
•••
The search used to get that list could have been done on a wider pool of names that aren't just under Epik, for example.

I kept remembering the journalist during that video confrontation asking about two shell companies, but I am completely ignorant to those details.

Moreover, in that tweet thread, someone speculated that those totals included Rob's own speculative holdings outside of Epik customers, etc.

I'm sure next week things will be more clear.
Maybe...
 
•••
ICANN's data is best for the registrar reports. DomainState also has registrar figures that are based on these reports. (Haven't checked if they are current.)

These are the 01 Sep 2021 figures for Epik's main nameservers:
com - net - org - biz - info - mobi - asia
303387 | 11857 | 10646 | 1044 | 8153 | 82 | 64

Regards...jmcc
This data is based on nameservers?
Then it is just partial and can't be compared.
 
•••
One important thing to keep in mind -

If this breach is from earlier this year, and if indeed records are from past years, you've also got to think of what cards/bank accounts were PREVIOUSLY linked to Epik -- NOT just what's currently or recently in their system.

Seems to me that if you can't remember, it'd be wise to play it safe and cancel everything that MIGHT have been used there.
 
•••
When PayPal was stopped on Epik, can you recall at least the month?
 
•••
@Paul it almost feels like some sort of a courtesy banner announcement could be a good idea. I'm sure a lot of users haven't seen this thread at all, much less have time to keep up with all the posts. Just an idea. This sounds like it could be disastrous for a lot of folks, especially since Epik isn't doing much to help here.

That said, I'm not sure what all has or hasn't been 100% confirmed true about the leak - don't want to spread anything unsubstantiated - but maybe something could be done.
 
•••
This data is based on nameservers?
Then it is just partial and can't be compared.
I added the ICANN .COM count. Some registrants are hosting on their own nameservers. The ICANN report also includes the number of nameservers.

Regards...jmcc
 
•••
@Paul it almost feels like some sort of a courtesy banner announcement could be a good idea. I'm sure a lot of users haven't seen this thread at all, much less have time to keep up with all the posts. Just an idea. This sounds like it could be disastrous for a lot of folks, especially since Epik isn't doing much to help here.

That said, I'm not sure what all has or hasn't been 100% confirmed true about the leak - don't want to spread anything unsubstantiated - but maybe something could be done.

Not the worst idea actually... Was thinking the same thing. Lots of folks who stopped using Epik or used them for the odd purchase may not have noticed.
 
•••
Sometimes a registrar may still have some domain names registered that are not on its own accreditation. They may typically have been on larger registrars who offer registrations as a service to hosters. The other aspect is that a registrar offering various services may not be the registrar of record for the domain names (the domain names are hosted on nameservers other than the registrar and registered via another registrar). It can get quite complex. The other aspect about using the ICANN registrar reports is that the new registrations and deletions do not line up so that a domain name registered this month last year will not have gone through the renewal/deletion process in this month. There are also some ccTLD counts missing from the Pastebin link posted upthread. This may be because Epik is not an accredited ccTLD in those ccTLDs.

Regards...jmcc
 
•••
DomainState's registrar data is from August 2020 so it is out of date.

Regards...jmcc
 
•••
At this point it seems to me like you have to treat every credit card, debit card, bank account, that you've ever used at Epik, as if you've been passing it freely around a packed NYC bar day after day after day...........
 
•••
I will repeat.

If you're staying @ E ... change your whois email (for admin and tech) > ASAP <
 
•••
Rob just DM'ed me: since the incident, we have had more domains arrive than leave.
Only this, no other explanation.
 
•••
Things are starting to get really messy for Rob and Epik.

•••
This is related to the harassment campaign against Wiki editor Molly White -

https://www.namepros.com/threads/epik-wikipedia-battle-is-full-on-right-now.1186029/

Emma Best
@NatSecGeek


Joey Camp now hinting he did opposition research for Epik CEO Rob Monster. Previously posted an unredacted version of the Telegram chat showing a screenshot of his (Jojo's) Keybase chat. Also claims Rob approved "every last page" on his now banned website.





Molly White
@molly0xFFF

Hey @robmonster, you've had a lot to say about the "sins" of the people who hacked your company. What was "christlike" about siccing your "private investigator" on me to publish my address, dox my family (including posting photos of young children in my family), and threaten me?

1:50 PM · Sep 18, 2021·TweetDeck


Molly White
@molly0xFFF


Was sending physical addresses of me and my family to violent neofascists, publishing lies about me ("drug addiction to MDMA", really?), trying to email my family and their respective companies all at your instruction too or did he just throw that in as a freebie?

2:00 PM · Sep 18, 2021·Twitter Web App



Molly White
@molly0xFFF

Anyway I've suddenly miraculously found the motivation to transcribe that video of Rob Monster's bonkers press conference for people who don't want to watch 3+ hours of video, so I'll have that up shortly. #EpikFail

2:23 PM · Sep 18, 2021·TweetDeck
 
•••
DomainState's registrar data is from August 2020 so it is out of date.

Regards...jmcc

True, I mentioned the date and compared it to domainnamestat.com's graph going back to Sept 2020, to show that domainnamestat.com's numbers were 50% lower than DomainState.com's numbers.

Just to show that the numbers aren't necessarily accurate. Although the upcoming deletions number probably is, because I think registries report those.
 
•••