- Impact
- 47,110
alert Epik Had A Major Breach
- Thread starter Silentptnr
- Start date
The views expressed on this page by users and staff are their own, not those of NamePros.
- Impact
- 14,596
- Impact
- 4,716
- Impact
- 11,771
And its very bad.
I speak french fluently, they are basically saying
"Epik a company that presents itself as the swiss bank of domains, accepts almost all clients, with a marked preference for the far right."
"The data stolen from the registrar is particularly sensitive and, it seems, very poorly protected."
"Militants and researchers already used the data to identify owners of far right websites and others used for crooking people."
Then they said the leak made all customers furious and epik's response was bad. They talk about the videoconference
"The discussion, which lasted three and a half hours and which is available on Youtube, is possibly one of the strangest responses to a computer security incident in history."
Then they show who was present at the videoconference, this guy
Then they talk about Rob, a man who presents himself as the Lex Luthor of the internet and who pubicly defended David Duke from the KKK.
Then the neo zeland incident where Rob showed the video on twitter. They say Bradden Pollock left epik's board because Rob organized a meeting where the video was shown in the company's office, they say it was obligatory for all employees to watch it.
Etc..
So you see the tone.
LeMonde is mainstream media.
So its definitively getting picked up CNN BBC etc..
- Impact
- 11,771
- Impact
- 11,771
- Impact
- 6,025
- Impact
- 11,771
- Impact
- 2,448
- Impact
- 11,771
- Impact
- 27,418
- Impact
- 4,075
- Impact
- 2,389
- Impact
- 11,771
- Impact
- 545
FYI, I just saw the admin account with password 123. That doesn't appear to be an actual internal account. Doesn't seem to have admin perms set, was never a verified email account, and looks like someone simply joined as name "Epik Admin". I see no evidence it's an actual active administrator account with permissions. I also don't see the context for what system it is. It could just be a test admin on a test system. I make those with password of "password" sometimes.
And I do think Epik was wrong in some of its data storage. Passwords as plain text? IMHO there is never a reason to do that. On my own large site I basically did a data purge so good that if the site is hacked minimal damage will occur. I want to actually encrypt even IP's but it's a real hassle. Maybe one day. You can't really encrypt data like email and still maintain effectiveness because of things like a PW reset would have to search the DB. You'd still need a key locally that if found could unlock the entire DB anyways. So even with full encryption it's possible to get owned. Works with PW's only because it's data the server itself never needs to understand what it is. Just that the encrypted PW matches the entry from the member login. Not sure if what I am saying is obvious to people or over their heads. I been a sys admin 20 years. Never sure what level the people around me are at.
Ultimately, PW's in plaintext was unnecessary and bad.
Also note I know the VPN developer that sold it to Epik. I wouldn't be shocked if he's behind the hack. He has a history. But it's probably hacktivists that target Epik over politics.
You can normally tell by reviewing the data when it was grabbed and possibly even the location. Example is my own backups don't include all tables because more than a few are either empty or memory tables (likes sessions) which don't require a backup. A good admin can tell (yes, a good admin wouldn't store PWs in plain text either).
Why would they do that? If you're a customer and you lost confidence you can move. I really really doubt based on what I know about Rob that he'll just give up his hard work because of an embarrassment. This stuff happens to a lot of businesses. Rarely do CEO's resign or the business fail. Chipotle restaurant nearly killed dozens of people and they are still in business. So your CC was exposed, someone knows your address or your name, so freaking what? Everyone acts like they are living in a bubble and that they're doing something so secret that no one can know. Meanwhile the CIA and FBI can track you daily on your phone all they want. Jeez.
Perspective people. Registrar's #1 priority for me is for my domains not to get stolen. Raise your hand if this caused your domain to be lost.
Whois was public data for decades. Changed because of GDPR and the perceptions of privacy. Someone wants to get your identity, they will get it.
I can speak from experience that getting registrar booted over your LEGAL content is a real pain in the ass. Your site can go offline indefinitely simply because your Registrar has some policy about the morals of your content even if it's 100% legal. Most registrars have a huge ToS/AUP with language basically giving them the right to shut you down. It's inconvenient and there isn't a lot of large US based Registrars that you can trust to be censorship free. Epik happens to be one of them.
btw, I was using a secured email that was ONLY for Epik.
Experience has taught me that your security starts at your domains.
The reform is blockchain based domains. When browsers begin to include things like the .eth registry it will get interesting. We won't need centralized registrars anymore.
So you're complaining that public data they scraped has been leaked? You need to think on that a moment.
Epik isn't hosting any Nazi's. Anonymous aren't heros, heck they aren't anything because they don't exist. I can with a straight face make the claim that I am posting this as a representative of Anonymous. I been threatened so many times by "Anonymous" that it's a joke to me.
Definitely a tarnished reputation. Destroyed though? I am not so sure. I have seen worse situations where companies have recovered. Maybe wait and see what Epik does before calling them destroyed. Rob does have an opportunity to make amends, for changes, and new security. Basically imho he gets one chance to do the right thing. Also, Epik isn't targeted by "government agencies". I am sure if LE/FBI sends Rob a subpoena for information he is obligated to provide it and does so. Rob would be in a prison if he didn't, and he ain't, so...
Ever heard of the saying that there is no such thing as bad publicity?
What's their domain numbers from 2 years ago compared to today?
Unfortunately you can't undo a leak. The damage is done. Their priority now should be securing, altering policies, and then providing full disclosure on how this happened and what steps are being taken to prevent it from happening again. What do you think is going to "make anyone whole who suffered damages"? If you want some type of monetary reward you have to sue for damages and actually prove the damages. I don't see how that's going to happen when no domains were lost. Not saying this won't turn into a class action because lawyers love to find ways to sue. This might end up being costly for Rob.
Oh yeah, Cox got me and all I ended up getting was an apology letter even though because of their systems someone had harassed me for months and that my family did indeed suffer mental anguish over it. But Cox just said oops and moved on. I wasn't gonna pay a lawyer $50k to go after them.
How have they messed up your life? Holy mackerel isn't that over-stated a bit? Again, NO DOMAINS LOST.
That's such propaganda. When you run a business like Epik you don't really care who your customers are as long as they are legal and don't violate your terms. I'm sure if Democrats and Marxists wanted domains at Epik he would treat them the say way. That's actually why Rob is in trouble politically because he simply doesn't believe in censorship. How novel an idea that in America you get to say unpopular things. Do you guys forget that Trump got censored and banned basically at every popular social media site? You okay with that? And being the Swiss Bank of Domains imho isn't a bad analogy, the Swiss are neutral.
I do hope that Rob uses this as a teaching moment that he has to run his business with more care. Getting into personal fights even if someone else picks them means you will lose every time. You have to take the high road. Your skin has to be thick. Ignoring the crap is your best weapon. Run your business.
Cancel culture is such BS. Since when did the freedom of the internet become the ability to cancel speech you don't like? No one should be cheering this.
And I do think Epik was wrong in some of its data storage. Passwords as plain text? IMHO there is never a reason to do that. On my own large site I basically did a data purge so good that if the site is hacked minimal damage will occur. I want to actually encrypt even IP's but it's a real hassle. Maybe one day. You can't really encrypt data like email and still maintain effectiveness because of things like a PW reset would have to search the DB. You'd still need a key locally that if found could unlock the entire DB anyways. So even with full encryption it's possible to get owned. Works with PW's only because it's data the server itself never needs to understand what it is. Just that the encrypted PW matches the entry from the member login. Not sure if what I am saying is obvious to people or over their heads. I been a sys admin 20 years. Never sure what level the people around me are at.
Ultimately, PW's in plaintext was unnecessary and bad.
Also note I know the VPN developer that sold it to Epik. I wouldn't be shocked if he's behind the hack. He has a history. But it's probably hacktivists that target Epik over politics.
You can normally tell by reviewing the data when it was grabbed and possibly even the location. Example is my own backups don't include all tables because more than a few are either empty or memory tables (likes sessions) which don't require a backup. A good admin can tell (yes, a good admin wouldn't store PWs in plain text either).
Why would they do that? If you're a customer and you lost confidence you can move. I really really doubt based on what I know about Rob that he'll just give up his hard work because of an embarrassment. This stuff happens to a lot of businesses. Rarely do CEO's resign or the business fail. Chipotle restaurant nearly killed dozens of people and they are still in business. So your CC was exposed, someone knows your address or your name, so freaking what? Everyone acts like they are living in a bubble and that they're doing something so secret that no one can know. Meanwhile the CIA and FBI can track you daily on your phone all they want. Jeez.
Perspective people. Registrar's #1 priority for me is for my domains not to get stolen. Raise your hand if this caused your domain to be lost.
Whois was public data for decades. Changed because of GDPR and the perceptions of privacy. Someone wants to get your identity, they will get it.
I can speak from experience that getting registrar booted over your LEGAL content is a real pain in the ass. Your site can go offline indefinitely simply because your Registrar has some policy about the morals of your content even if it's 100% legal. Most registrars have a huge ToS/AUP with language basically giving them the right to shut you down. It's inconvenient and there isn't a lot of large US based Registrars that you can trust to be censorship free. Epik happens to be one of them.
btw, I was using a secured email that was ONLY for Epik.
Experience has taught me that your security starts at your domains. The reform is blockchain based domains. When browsers begin to include things like the .eth registry it will get interesting. We won't need centralized registrars anymore.
So you're complaining that public data they scraped has been leaked? You need to think on that a moment.
Epik isn't hosting any Nazi's. Anonymous aren't heros, heck they aren't anything because they don't exist. I can with a straight face make the claim that I am posting this as a representative of Anonymous. I been threatened so many times by "Anonymous" that it's a joke to me.
Definitely a tarnished reputation. Destroyed though? I am not so sure. I have seen worse situations where companies have recovered. Maybe wait and see what Epik does before calling them destroyed. Rob does have an opportunity to make amends, for changes, and new security. Basically imho he gets one chance to do the right thing. Also, Epik isn't targeted by "government agencies". I am sure if LE/FBI sends Rob a subpoena for information he is obligated to provide it and does so. Rob would be in a prison if he didn't, and he ain't, so...
Ever heard of the saying that there is no such thing as bad publicity?
What's their domain numbers from 2 years ago compared to today?
Unfortunately you can't undo a leak. The damage is done. Their priority now should be securing, altering policies, and then providing full disclosure on how this happened and what steps are being taken to prevent it from happening again. What do you think is going to "make anyone whole who suffered damages"? If you want some type of monetary reward you have to sue for damages and actually prove the damages. I don't see how that's going to happen when no domains were lost. Not saying this won't turn into a class action because lawyers love to find ways to sue. This might end up being costly for Rob.
Oh yeah, Cox got me and all I ended up getting was an apology letter even though because of their systems someone had harassed me for months and that my family did indeed suffer mental anguish over it. But Cox just said oops and moved on. I wasn't gonna pay a lawyer $50k to go after them.
How have they messed up your life? Holy mackerel isn't that over-stated a bit? Again, NO DOMAINS LOST.
That's such propaganda. When you run a business like Epik you don't really care who your customers are as long as they are legal and don't violate your terms. I'm sure if Democrats and Marxists wanted domains at Epik he would treat them the say way. That's actually why Rob is in trouble politically because he simply doesn't believe in censorship. How novel an idea that in America you get to say unpopular things. Do you guys forget that Trump got censored and banned basically at every popular social media site? You okay with that? And being the Swiss Bank of Domains imho isn't a bad analogy, the Swiss are neutral.
I do hope that Rob uses this as a teaching moment that he has to run his business with more care. Getting into personal fights even if someone else picks them means you will lose every time. You have to take the high road. Your skin has to be thick. Ignoring the crap is your best weapon. Run your business.
Cancel culture is such BS. Since when did the freedom of the internet become the ability to cancel speech you don't like? No one should be cheering this.
- Impact
- 1,545
FYI, I just saw the admin account with password 123. That doesn't appear to be an actual internal account. Doesn't seem to have admin perms set, was never a verified email account, and looks like someone simply joined as name "Epik Admin". I see no evidence it's an actual active administrator account with permissions. I also don't see the context for what system it is. It could just be a test admin on a test system. I make those with password of "password" sometimes.
And I do think Epik was wrong in some of its data storage. Passwords as plain text? IMHO there is never a reason to do that. On my own large site I basically did a data purge so good that if the site is hacked minimal damage will occur. I want to actually encrypt even IP's but it's a real hassle. Maybe one day. You can't really encrypt data like email and still maintain effectiveness because of things like a PW reset would have to search the DB. You'd still need a key locally that if found could unlock the entire DB anyways. So even with full encryption it's possible to get owned. Works with PW's only because it's data the server itself never needs to understand what it is. Just that the encrypted PW matches the entry from the member login. Not sure if what I am saying is obvious to people or over their heads. I been a sys admin 20 years. Never sure what level the people around me are at.
Ultimately, PW's in plaintext was unnecessary and bad.
Also note I know the VPN developer that sold it to Epik. I wouldn't be shocked if he's behind the hack. He has a history. But it's probably hacktivists that target Epik over politics.
You can normally tell by reviewing the data when it was grabbed and possibly even the location. Example is my own backups don't include all tables because more than a few are either empty or memory tables (likes sessions) which don't require a backup. A good admin can tell (yes, a good admin wouldn't store PWs in plain text either).
Why would they do that? If you're a customer and you lost confidence you can move. I really really doubt based on what I know about Rob that he'll just give up his hard work because of an embarrassment. This stuff happens to a lot of businesses. Rarely do CEO's resign or the business fail. Chipotle restaurant nearly killed dozens of people and they are still in business. So your CC was exposed, someone knows your address or your name, so freaking what? Everyone acts like they are living in a bubble and that they're doing something so secret that no one can know. Meanwhile the CIA and FBI can track you daily on your phone all they want. Jeez.
Perspective people. Registrar's #1 priority for me is for my domains not to get stolen. Raise your hand if this caused your domain to be lost.
Whois was public data for decades. Changed because of GDPR and the perceptions of privacy. Someone wants to get your identity, they will get it.
I can speak from experience that getting registrar booted over your LEGAL content is a real pain in the ass. Your site can go offline indefinitely simply because your Registrar has some policy about the morals of your content even if it's 100% legal. Most registrars have a huge ToS/AUP with language basically giving them the right to shut you down. It's inconvenient and there isn't a lot of large US based Registrars that you can trust to be censorship free. Epik happens to be one of them.
btw, I was using a secured email that was ONLY for Epik.
The reform is blockchain based domains. When browsers begin to include things like the .eth registry it will get interesting. We won't need centralized registrars anymore.
So you're complaining that public data they scraped has been leaked? You need to think on that a moment.
Epik isn't hosting any Nazi's. Anonymous aren't heros, heck they aren't anything because they don't exist. I can with a straight face make the claim that I am posting this as a representative of Anonymous. I been threatened so many times by "Anonymous" that it's a joke to me.
Definitely a tarnished reputation. Destroyed though? I am not so sure. I have seen worse situations where companies have recovered. Maybe wait and see what Epik does before calling them destroyed. Rob does have an opportunity to make amends, for changes, and new security. Basically imho he gets one chance to do the right thing. Also, Epik isn't targeted by "government agencies". I am sure if LE/FBI sends Rob a subpoena for information he is obligated to provide it and does so. Rob would be in a prison if he didn't, and he ain't, so...
Ever heard of the saying that there is no such thing as bad publicity?
What's their domain numbers from 2 years ago compared to today?
Unfortunately you can't undo a leak. The damage is done. Their priority now should be securing, altering policies, and then providing full disclosure on how this happened and what steps are being taken to prevent it from happening again. What do you think is going to "make anyone whole who suffered damages"? If you want some type of monetary reward you have to sue for damages and actually prove the damages. I don't see how that's going to happen when no domains were lost. Not saying this won't turn into a class action because lawyers love to find ways to sue. This might end up being costly for Rob.
Oh yeah, Cox got me and all I ended up getting was an apology letter even though because of their systems someone had harassed me for months and that my family did indeed suffer mental anguish over it. But Cox just said oops and moved on. I wasn't gonna pay a lawyer $50k to go after them.
How have they messed up your life? Holy mackerel isn't that over-stated a bit? Again, NO DOMAINS LOST.
That's such propaganda. When you run a business like Epik you don't really care who your customers are as long as they are legal and don't violate your terms. I'm sure if Democrats and Marxists wanted domains at Epik he would treat them the say way. That's actually why Rob is in trouble politically because he simply doesn't believe in censorship. How novel an idea that in America you get to say unpopular things. Do you guys forget that Trump got censored and banned basically at every popular social media site? You okay with that? And being the Swiss Bank of Domains imho isn't a bad analogy, the Swiss are neutral.
I do hope that Rob uses this as a teaching moment that he has to run his business with more care. Getting into personal fights even if someone else picks them means you will lose every time. You have to take the high road. Your skin has to be thick. Ignoring the crap is your best weapon. Run your business.
Cancel culture is such BS. Since when did the freedom of the internet become the ability to cancel speech you don't like? No one should be cheering this.
As a fellow developer that runs a SaaS platform, as you say - encryption can be helpful in these cases, but depending on the extent of the access gained by an attacker, they may well have your keys which would render even the best encryption useless. I guess you could offer zero-trust solutions, with users holding their own keys - but that's the stuff of nightmares when you consider the average ability of your users.
I'm not sure if this breach is just a DB dump or whether they gained full access to their servers. If the latter, encryption would at best have simply slowed the process.
But yeah, that said, some of the stuff being reported is jaw dropping, and is the sort of nonsense I'd have done as a junior programmer - logging failed passwords in plain text for example!
Last edited:
- Impact
- 2,389
- Impact
- 11,954
- Impact
- 6,497
Molly White
Established Member
- Impact
- 558
- Impact
- 160
- Impact
- 1,025
Similar threads
- Poll
- Article
Latest news
-
Squadhelp is now "atom"- 55 replies
- Thasreefa P M
New posts
-
imPreggers.com- Reply by DomaineerInc
-
Trademarked Name - To Dispute or Not- Reply by Cush
-
The USA Political Thread- 344 posters
- marijuanadomain
-
envelopesupplier.in
- Reply by Tapan202
Polls of interest
-
Best industry prefix?
- 20 replies
- 40 voters
-
Which is the best price?- 57 replies
- 171 voters
-
What non .com extensions have you sold in 2024?- 35 replies
- 134 voters
Popular this week
-
HSTF.com: Seller gets questioned about value, raises price- 8 points
- 86 replies
-
High-Profile Domainer Refuses to Transfer Sold Domain?
- 10 points
- 41 replies
-
How reliable is Estibot valuation?- 4 points
- 28 replies
-
MJ.com IPO goes live today- 3 points
- 21 replies
-
How do end users find names?- 2 points
- 17 replies
Popular this month
-
NamePros Parking adds Buy Now (and much more)- 70 points
- 247 comments
-
HSTF.com: Seller gets questioned about value, raises price
- 8 points
- 86 replies
-
Changes coming to GoDaddy Auctions
- 7 points
- 63 replies
-
Squadhelp is now "atom"
- 13 points
- 55 replies
-
James Booth sells Galatea.com for $275K
- 13 points
- 57 replies