
Epik Had A Major Breach

Labeled as alert in Warnings and Alerts, started by Silentptnr, Sep 14, 2021

Replies:
3,355
Views:
178,271

  1. Chris Hydrick

    Chris Hydrick Account Closed (Requested) VIP

    Posts:
    6,304
    Likes Received:
    9,805
    Also from the transcript: https://blog.mollywhite.net/monster-qa/
     
    Last edited: Sep 21, 2021
  2. tonyk2000

    tonyk2000 Top Contributor VIP ★★★★★★★★★★

    Posts:
    2,466
    Likes Received:
    4,418
    The last email from Epik ("Update and Options for Affected Epik Users", dated Sep 20th) appears to be written by a lawyer. Which is a good sign - no politics, no religion. It is unfortunate that the lawyer is so US-centric that (s)he forgot about non-U.S. Epik customers. With all due respect, non-U.S. customers are unable to call U.S. toll-free 800 numbers, and all the references to "free credit monitoring", "Federal Trade Commission" and the like are irrelevant outside the U.S...
     
  3. Chris Hydrick

    Chris Hydrick Account Closed (Requested) VIP

    Posts:
    6,304
    Likes Received:
    9,805


    ...

     
  4. Finest

    Finest Top Contributor VIP

    Posts:
    2,518
    Likes Received:
    2,031
    [​IMG]
     
  5. Jurgen Wolf

    Jurgen Wolf Top Contributor VIP ★★★★★★★★★★

    Posts:
    12,074
    Likes Received:
    10,958
    Toxicity is on maximum now.
    Regardless of fakes or not, experiments, honeypot etc.
     
  6. carob

    carob Top Contributor VIP ★★★★★★★★★★

    Posts:
    3,860
    Likes Received:
    5,376
    There is another angle of Epik that could invite investigation, especially of customers: Tax.

    Rob Monster had been advertising their escrow services on here saying that could help sellers transact "tax-free": That certainly could attract attention.

    https://www.namepros.com/threads/if...ng-time-and-money.1119508/page-2#post-7080342

    Which was in reply to this claim: https://www.namepros.com/threads/if...-wasting-time-and-money.1119508/#post-7079390

    In the UK you have to say on your tax return if you used any tax avoidance schemes. Forget to say so, get in trouble later. Say yes and you have to identify what you did so the taxman can look into it.
     
    Last edited: Sep 21, 2021
  7. ReallyBigIdea.com

    ReallyBigIdea.com Restricted (15-30%)

    Posts:
    1,162
    Likes Received:
    1,028
    - WLM was disabled as well, not working (impossible to fix, Noel staff don't know what White label marketplace powered by Epik is).

    - Free WordPress option for new installs is not available anymore.
     
    Last edited: Sep 21, 2021
  8. ixex

    ixex Final Product ★★★★★★★★★★

    Posts:
    884
    Likes Received:
    247
    What I meant and should have said, it is common among the micro circle of owners that I know.
     
    Last edited: Sep 21, 2021
  9. Chris Hydrick

    Chris Hydrick Account Closed (Requested) VIP

    Posts:
    6,304
    Likes Received:
    9,805


    ...

    In fairness, not referring to the extra step that requires the registrar to register a searched domain in order for it to be front running, but referring to when you search for a domain at Godaddy, add to cart, a few days/weeks/months later, it's not uncommon to receive an email from Godaddy or asking if I'd like to continue with my purchase.

    I would however challenge whoever has access to the alleged table that contains every domain that was ever added to cart at epik, to audit that table against domains currently owned by epik or an epik employee, as that evidence would be needed to prove domain front running. As is, isn't storing items added to cart common practice, or is that limited to Ebay/Godaddy?
     
    Last edited: Sep 21, 2021
  10. Jurgen Wolf

    Jurgen Wolf Top Contributor VIP ★★★★★★★★★★

    Posts:
    12,074
    Likes Received:
    10,958
    Looks like all activity on Epik is tracked and logged...
     
  11. william

    william Established Member ★★★★★★★★★★

    Posts:
    598
    Likes Received:
    64
    Why was Epik storing sensitive information in plain text? It's 2021, how many hacks and leaks have we seen to learn from? And still, we have to deal with companies like Epik leaking sensitive information in PLAIN text? Just incredible stupidity.

    The only upside to this breach is this: "Monster acknowledged the breach in the meeting, alleging that the attackers not only hacked a backup of the company’s data, but also made away with $100,000 from his Coinbase account using information obtained from the breach."

    I'm glad that karma is biting them in the ass for this. Albeit, at our expense as well.
     
    Last edited: Sep 21, 2021
  12. labrocca

    labrocca Top Contributor VIP ★★★★★★★★★★

    Posts:
    6,437
    Likes Received:
    470
    "Negligence to protect your information by the company may face a lawsuit for the damages incurred."

    What damages?

    "Great my email address is compromised now...cuz I had the same password as Epik."

    Please let that be sarcasm. It's incredibly poor security practice to use the same password across services/sites. And yes, just as bad as Epik storing our PW's in plaintext.

    ROBMONSTERENABLESNAZIS.COM is sad. Rob, please ignore the trolls. They're gonna do what they're gonna do. Fighting them just makes more of them come out of the woods. When they figure out you don't give a crap and that their trolling doesn't affect you, they crawl back into their holes waiting for some other target. They were trolls before they found you and they'll be trolls long after you're destroyed, if you allow it. Ignore them, no matter what nonsense they say.

    I own the domain KillCops.com, I am not for killing cops, I have never used the domain and likely never will. Just something I bought for $10 years ago. Who cares if Rob has some Nazi domains. I got some .gay domains too, not gay. This type of nonsense in this thread is really beneath some of you.

    Not uncommon as a security practice. But I cringe since a very common and practically required security practice is to encrypt passwords. IMHO basically whoever is in charge of security, should get fired. Rob ain't a coder. I tend to doubt he has the technical expertise to properly project manage his company. This is why Steve Jobs and Bill Gates created two of the largest tech companies in the world. Rob is just a dude. Maybe he seriously didn't understand best-practices or how to implement good security.

    Rob imho needs to hire someone really competent as CTO. Current CTO has to take the hit for this imho. Sorry to whoever you are dude but let's face it, unless Rob specifically told you to leave it that way it was up to you to ensure the PW's were encrypted. Also up to you was to make sure the backup location was secured. You do know that you could have put a password on the downloaded archive file too right? Create dumps, zip and archive, add password protection (256 character) and upload to backup site.
     
  13. bmugford

    bmugford www.DataCube.com PRO VIP ICA Member ★★★★★★★★★★

    Posts:
    14,147
    Likes Received:
    27,255
    Well, they also appeared to be storing VPN information related to Anonymize.com which was easily trackable back to third parties. It kind of defeats the purpose of a VPN.

    Brad
     
  14. tonyk2000

    tonyk2000 Top Contributor VIP ★★★★★★★★★★

    Posts:
    2,466
    Likes Received:
    4,418
    As per one of the tweets:

    There are entries in the LOGS tables that contain security questions and answers in plain-text, attached to each transaction the user made with Epik.

    (Screenshot attached: city born, school name etc.)

    I tried to find this section inside my epik account (an old dormant account with no domains, if that matters). Cannot find it anywhere. Yeah, I can change password and/or set up or change 2FA - that's all. No security questions section. Where is this section located? Can anybody confirm please?
     
    Last edited: Sep 21, 2021
  15. Paul

    Paul CTO, NamePros CTO VIP Gold Account

    Posts:
    2,205
    Likes Received:
    4,245
    The lapses in security were reportedly brought directly to his attention on multiple occasions, including once by me. He was made aware that his team wasn't doing their job and does not appear to have reacted appropriately.

    As an industry, we need to make it clear that ignorance is not an excuse for such poor security practices. If you are being repeatedly informed that there are security issues, and you proceed to cut off communication once you're told that, you're no longer acting in good faith.
     
    Last edited: Sep 21, 2021
  16. oldtimer

    oldtimer Do some good for humanity and the environment VIP ★★★★★★★★★★

    Posts:
    3,820
    Likes Received:
    5,663
    Here is what Rob told me about front running:

    "The practice is called front-running. Registrars should not allow it. I am not sure why some registrars allow their staff to run a tail on customer domain search activity but I am sure that it happens. There are too many anecdotal stories of it happening.

    Anyway, at Epik, I am sure this does not happen. ...."

    https://www.namepros.com/threads/ho...rar-and-their-employees.1123993/#post-7111599
     
  17. bmugford

    bmugford www.DataCube.com PRO VIP ICA Member ★★★★★★★★★★

    Posts:
    14,147
    Likes Received:
    27,255
    Absolutely no excuse for that, if true. This data could easily be used when it comes to social engineering.

    This is what happens when marketing meets reality.

    This is not an issue about "haters". It is an issue with a company failing to do the bare minimum to secure their customer's data properly.

    Brad
     
    Last edited: Sep 21, 2021
  18. Jurgen Wolf

    Jurgen Wolf Top Contributor VIP ★★★★★★★★★★

    Posts:
    12,074
    Likes Received:
    10,958
    I can't confirm.
    Probably, outdated leak.
     
  19. tonyk2000

    tonyk2000 Top Contributor VIP ★★★★★★★★★★

    Posts:
    2,466
    Likes Received:
    4,418
    OK. In any case, it makes sense to update all security questions in all other places, both domain-related and not. As well as emails and passwords. Since it would not harm anyway, we should probably thank Epik for forcing us to make our external accounts more secure.
     
  20. Chris Hydrick

    Chris Hydrick Account Closed (Requested) VIP

    Posts:
    6,304
    Likes Received:
    9,805
    The new sign on switched to federatedidentity some time ago. I don't recall having to input security questions/answers at that point.

    When I set up my epik account, I don't recall (not saying I didn't enter it, just saying I don't recall) entering security questions/passwords. An outdated leak seems likely to me.

    Still, if confirmed, losing security questions/answers (even if limited to a small subset of customers) could be a major security concern to anyone affected.
     
    Last edited: Sep 21, 2021
  21. jmcc

    jmcc Top Contributor VIP ★★★★★★★★★★

    Posts:
    1,996
    Likes Received:
    2,489
    Some of the more recent cases of front running (since it became an issue) may be down to domainers using software that queries the nameservers to see if a domain name is registered rather than querying the WHOIS server. The nameservers query is not necessarily proof that a domain name is not registered because each TLD has a number of domain names that have no nameservers but are registered. (The pending-delete domain names would be the best example.)

    Regards...jmcc
     
    Last edited: Sep 21, 2021
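
An added example, not part of jmcc's post: why a nameserver-only availability check can report a registered name as free, while registry data shows it is taken. The WHOIS text is constructed sample data, and the field labels and "not found" markers are assumptions that vary by registry.

```python
import re

# Constructed WHOIS-style responses (not real registry output).
WHOIS_PENDING_DELETE = """\
Domain Name: EXAMPLE-DROPPING.TEST
Registrar: Example Registrar (constructed)
Domain Status: pendingDelete https://icann.org/epp#pendingDelete
"""
WHOIS_ACTIVE = """\
Domain Name: EXAMPLE-LIVE.TEST
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.EXAMPLE.TEST
Name Server: NS2.EXAMPLE.TEST
"""
WHOIS_NOT_FOUND = 'No match for domain "EXAMPLE-FREE.TEST".\n'

# Assumption: the "not found" wording differs per registry; extend as needed.
NOT_FOUND_MARKERS = ("no match for", "not found")


def parse_whois(text: str) -> dict:
    """Extract registration state, EPP status codes and nameservers."""
    lowered = text.lower()
    if any(marker in lowered for marker in NOT_FOUND_MARKERS):
        return {"registered": False, "statuses": [], "nameservers": []}
    statuses = re.findall(r"^Domain Status:\s*(\S+)", text, re.M | re.I)
    nameservers = re.findall(r"^Name Server:\s*(\S+)", text, re.M | re.I)
    return {"registered": True, "statuses": statuses,
            "nameservers": [ns.lower() for ns in nameservers]}


def dns_only_verdict(rcode: str) -> str:
    """What a nameserver-only checker concludes from the DNS response code."""
    return "available" if rcode == "NXDOMAIN" else "taken"


def registry_verdict(whois_text: str) -> str:
    """Verdict from registry data, which is authoritative for registration."""
    record = parse_whois(whois_text)
    if not record["registered"]:
        return "available"
    if not record["nameservers"]:
        detail = ",".join(record["statuses"])
        return f"taken (registered, no nameservers: {detail})"
    return "taken"
```

For the pending-delete sample, the DNS-only check sees NXDOMAIN and answers "available", while the registry record shows the name is still registered.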
  22. tonyk2000

    tonyk2000 Top Contributor VIP ★★★★★★★★★★

    Posts:
    2,466
    Likes Received:
    4,418
    Actually, I am _almost_ sure that I was never asked to enter security questions / answers on Epik. I'm trying to use random questions and answers anyway, but I see no references to epik questions-answers in my "passwords collection"...
     
  23. jmcc

    jmcc Top Contributor VIP ★★★★★★★★★★

    Posts:
    1,996
    Likes Received:
    2,489
    Someone posted a list of TLD extensions and domain name counts on Twitter. The problem was that there were Digital Towns domain names in that count for some NGTs (.BOSTON) being one of them. The problem was that the .BOSTON count was around 17K whereas the active .BOSTON count is currently around 3K6. The list may have contained current and deleted domain names. Not sure if these were domain names added to the cart or a table of domain names that had been registered via Epik. The correlation of some of the numbers quoted for Epik with numbers from reliable sources is also a problem.

    Regards...jmcc
     
  24. Chris Hydrick

    Chris Hydrick Account Closed (Requested) VIP

    Posts:
    6,304
    Likes Received:
    9,805
    uhhhh... what am I looking at?



    Is this a Nothingburger? Or does @Rob Monster need to patch this unstoppable.epik link ASAP?
     
    Last edited: Sep 21, 2021
  25. .X.

    .X. In God I Trust VIP ★★★★★★★★★★

    Posts:
    17,111
    Likes Received:
    21,599
    I have always used 2 step auth .. .. I have used 2 step on all my logins for sites that have it .. a site sending a number either email or preferably text is what I like .. Epik sends txt to my phone .. but in a hack situation .. 2 step auth doesn’t matter as far as info the hacker gets

    Criminals keep up with their technology well and it seems no matter what kind of obstacles they face .. they always figure out and exploit the technology..
     
