Epik Had A Major Breach

The views expressed on this page by users and staff are their own, not those of NamePros.

uhhhh... what am I looking at?
As per Epik email of yesterday:

At this time, we have secured access to our domain-side services and have applied additional security measures to help protect services and users going forward.

The text does not refer to _all_ services (which may include VPN), just domain-side services.

Looks like Epik had inherited a lot of Intrust directories; one titled "afternic_sales" might reveal some interesting unpublished domain sales.

[screenshot attached, 2021-09-21]
 
I can't believe some people here are still the "THIS IS FINE." dog?

[image: the "This is fine" dog]


or

Are they Baghdad Bob?

[image: Baghdad Bob]
 
I guess it depends on each person... how much super "private" information could someone have with a domain name registrar or domain name services?

ID + CC.

CC... yes. ID, not so much, unless it's a driver's license with the number, and even that is very easy to track if someone decides to use the number... so many free services to alert a person. Google offers a lot of that.
 
"Negligence to protect your information by the company may face a lawsuit for the damages incurred."

What damages?

37 hours of my time … life time … digging the whole thing in and out just to be sure that—— there is nothing …

… and avoid using the “free speech thing “ to stop my rights to express … by calling me and other ppl - trolls. By looking at the DB doesn’t mean that you have a lot more knowledge / info about the situation and something that happened in the past. Thanks

Regards
 
37 hours of my time … life time … digging the whole thing in and out just to be sure that—— there is nothing …

… and avoid using the “free speech thing “ to stop my rights to express … by calling me and other ppl - trolls. By looking at the DB doesn’t mean that you have a lot more knowledge / info about the situation and something that happened in the past. Thanks

Regards

The potential damages are not even known yet. These are early days.

The sheer amount of data leaked makes it impossible to know, but from what is known a lot of this stuff could be used in nefarious ways that could inflict direct and indirect actual damages.

Brad
 
Anybody want to provide a tl;dr explanation?

While understanding their technical discussion may have some academic interest, the following facts appear to be correct:

1) Epik was / is using "in house" developed code (php in particular).

2) This code is now open for anybody to examine.

3) Epik was hacked

So there may be various vulnerabilities, simply because the code is in-house. One vulnerability was found today. Somebody else will find another vulnerability tomorrow. In other words, it is extremely dangerous to run their code in production at this time. Imo. What can Epik do? Time will tell...
 
The potential damages are not even known yet. These are early days.

The sheer amount of data leaked makes it impossible to know, but from what is known a lot of this stuff could be used in nefarious ways that could inflict direct and indirect actual damages.

Brad

+ the way the E db leak has been "reduced" for the public... telling us something...
 
CC ..Yes .. ID not so much .. unless it’s drivers license with number .. and even that has very easy tracking if someone decides to use the number … so many free services to alert a person .. Google offers a lot of that .

Well, probably depends what kind of ID yes. I would worry more about a stolen ID than CC details though.

All it takes to do some real damage is an ID matching a compromised account and you're fucked. Once you have an ID it's pretty easy to social engineer the crap out of most support systems.

Haven't seen talk about leaked IDs so let's hope there are none.
 
As a side note, if any online service is asking for an ID and if you MUST provide it - then, at least, add a watermark to it: "For Blah-Blah-Blah .com only". Everything would still be visible 100%, but the watermark _may_ possibly prevent potential successful future hackers from using it. Of course, it is better not to provide IDs at all...
 
As an industry, we need to make it clear that ignorance is not an excuse for such poor security practices.

He is not excused for his lack of technical expertise. He needs to recognize it's his biggest weakness and hire someone competent. You should be reporting actual security issues and bugs directly to the CTO if the CEO doesn't understand the issues. I'm blessed with enough technical knowledge that I actually understand bug and exploit reports. I know which ones to dismiss and which ones to take seriously. I am unsure if Rob knows the difference.

There are entries in the LOGS tables that contain security questions and answers in plain-text, attached to each transaction the user made with Epik.

I always make up nonsense answers to these security questions. All that favorite crap is junk. My answer to my favorite car is "Keyboard" as an example. And I change them on every site. Security questions are absolutely terrible. I don't even think Epik uses those anymore. One site being compromised should NEVER put other credentials at risk. Every single site and service must have unique security credentials. Trusting that a site has good security is a bad decision.

can't believe some people here are still the "THIS IS FINE." dog?

While it's not fine, it's not a reason to panic imho.

"since the leaked code is patched,
did our attackers maintain a foothold throughout the fix process?
did they manage to craft a payload that slips past the broken regex on the result page?
or did they breach through some other means?"

And that's the nightmare for a sysadmin. That nagging question of how deep does it go. Out of paranoia I have rebuilt my entire system from scratch because of a perceived breach. A total pain in the ass if you run multiple systems. On the scale of services that Epik offers it could take months to fully complete the work. You have to start by partitioning everything away from each other, basically removing integrations, some of which could be critical. Then you have to map out which servers to rebuild from the ground up. Almost surely you do brand new hardware too, just in case. What a nightmare it can be. But it's the only way to be 100% sure.

37 hours of my time … life time … digging the whole thing in and out just to be sure that—— there is nothing …

Oh then definitely you're due at least $1m USD. Get a lawyer right away. btw you owe me about $1800 for this reply which took my time.
 
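The two points raised in the post above (security answers copied in plaintext into a LOGS table, and using a unique nonsense answer per site) are easier to see side by side in code. The following is an added example, not code from this thread, from Epik, or from any NamePros member: it shows the log row that leaks the answer next to a hardened form that normalises, salts and hashes the answer with a memory-hard KDF, compares in constant time, and writes only a redacted marker to the log. The function names, the row layout and the sample answer "Keyboard" are assumptions made for illustration.

```python
# Added example (not Epik's code, not from any post in this thread): storing
# security-question answers so a leaked table or log row does not expose them.
# Names, the log-row layout and the sample answer are constructed for illustration.
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so harmless variation (case, spacing, Unicode
    form) does not lock the user out, without weakening the stored hash."""
    answer = unicodedata.normalize("NFKC", answer)
    answer = re.sub(r"\s+", " ", answer).strip()
    return answer.casefold()


def hash_answer(answer: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt-hex>$<digest-hex>'.  A random per-answer salt and a
    memory-hard KDF make offline guessing against a leaked table expensive."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(
        normalize_answer(answer).encode("utf-8"),
        salt=salt, n=2**14, r=8, p=1, dklen=32,
    )
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_answer(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, _digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    recomputed = hash_answer(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


# --- the anti-pattern described in the thread: the raw answer lands in a log row ---
def log_transaction_insecure(user_id: int, action: str, question: str, answer: str) -> dict:
    """What NOT to do: whoever obtains the LOGS table now has every recovery answer."""
    return {"user_id": user_id, "action": action,
            "security_question": question, "security_answer": answer}


# --- the hardened form: record that the check happened, never the secret ---
def log_transaction_redacted(user_id: int, action: str, question: str) -> dict:
    """Log which question was checked, not what the answer was."""
    return {"user_id": user_id, "action": action,
            "security_question": question, "security_answer": "[redacted]"}


def leaks_answer(row: dict, answer: str) -> bool:
    """Quick audit helper: does any field of an exported log row contain the
    answer (after the same normalisation), in any case or spacing?"""
    needle = normalize_answer(answer)
    return any(needle in normalize_answer(str(v)) for v in row.values())


if __name__ == "__main__":
    # Constructed sample using the nonsense-style answer recommended in the thread.
    stored = hash_answer("Keyboard")
    print(stored)
    print(verify_answer(stored, "  keyboard "))   # True
    print(verify_answer(stored, "Toyota"))        # False
    bad = log_transaction_insecure(42, "transfer_out", "Favorite car?", "Keyboard")
    good = log_transaction_redacted(42, "transfer_out", "Favorite car?")
    print(leaks_answer(bad, "Keyboard"), leaks_answer(good, "Keyboard"))  # True False
```

The normalisation step is deliberate: recovery answers are typed by humans, so case and spacing must not matter, but that leniency is applied before hashing rather than by storing the answer itself. A unique random answer per site, as the post recommends, then means a leak of one provider's table yields nothing usable elsewhere even if that provider stored it badly.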
I can't believe some people are still in love and defend Epik.
This thread is not a review to hate or like a company.
We are talking about a company that is not capable of protecting customer data and did not comply with the laws, which led to thousands of customers being in danger.
The worst thing is they are too lazy or do not know what to do in this situation and leave the customers in the dark for days.
All they did was spam a $6.99 promotion and offer prayers.

Wake up people.

Then they claimed that they will offer:
In addition, we will offer free credit monitoring until September 15, 2023, for all affected Epik users; more details on this free service will be made available soon.

Do you dare to give them your personal information so they can monitor for you?

They neglected to say that they will store everything in plain text for transparency.

What a Joke.
 
Then they claimed that they will offer:
In addition, we will offer free credit monitoring until September 15, 2023, for all affected Epik users; more details on this free service will be made available soon.

Do you dare to give them your personal information so they can monitor for you?

They neglected to say that they will store everything in plain text for transparency.

What a Joke.
I'm going to go out on a limb and advance the idea that the monitoring will likely be done by one of the credit monitoring services and NOT by Epik, so it will likely not be in plain text...
 
Don't forget to enable 2FA in Masterbucks panel, it is not linked with Epik 2FA.
 
Is there anywhere you can see if you were caught up in the hack? Like searching for your email etc?

I don't want to download the entire thing.
 
All customers registered up to March 1, 2021 are affected, no exceptions.
 