As an industry, we need to make it clear that ignorance is not an excuse for such poor security practices.
He is not excused for his lack of technical expertise. He needs to recognize it's his biggest weakness and hire someone competent. You should be reporting actual security issues and bugs directly to the CTO if the CEO doesn't understand the issues. I'm blessed with enough technical knowledge that I actually understand bug and exploit reports. I know which ones to dismiss and which ones to take seriously. I am unsure if Rob knows the difference.
There are entries in the LOGS tables that contain security questions and answers in plain text, attached to each transaction the user made with Epik.
I always make up nonsense answers to these security questions. All that favorite crap is junk. My answer to my favorite car is "Keyboard" as an example. And I change them on every site. Security questions are absolutely terrible. I don't even think Epik uses those anymore. One site being compromised should NEVER put other credentials at risk. Every single site and service must have unique security credentials. Trusting that a site has good security is a bad decision.
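The two comments above describe the weak pattern (security answers stored in plain text in transaction logs) and the mitigation a user can apply on their own (a unique, nonsense answer per site). The following is an added example, not code from the thread or from Epik, showing what the server side should look like instead: answers are normalised, salted and hashed with a slow KDF before storage, verification uses a constant-time compare, and the transaction log records that a question was asked but never the answer. The `LOGS`-style record format, the `normalize_answer` rules and the scrypt parameters are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata
from typing import Optional

# scrypt cost parameters (assumed for the example; 16 MiB of memory per hash)
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so case and whitespace differences do not lock a user out.

    This is an assumed normalisation policy, not one any site is known to use.
    """
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> dict:
    """Return the record to store: a per-record random salt and the scrypt hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(
        normalize_answer(answer).encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(
        normalize_answer(candidate).encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def random_answer(nbytes: int = 16) -> str:
    """Per-site nonsense answer: the 'Keyboard' trick, but generated from a CSPRNG."""
    return secrets.token_urlsafe(nbytes)


def log_transaction_plaintext(log: list, user: str, question: str, answer: str) -> None:
    """The weak pattern the thread describes: the raw answer lands in the log row."""
    log.append(f"user={user} q={question!r} a={answer!r}")


def log_transaction_safe(log: list, user: str, question: str) -> None:
    """Hardened: record that the question was asked, never the answer itself."""
    log.append(f"user={user} q={question!r} a=<redacted>")


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    stored = hash_answer("Keyboard")
    print("stored record:", stored)
    print("verify 'keyboard ':", verify_answer(stored, "keyboard "))
    print("verify 'Honda':", verify_answer(stored, "Honda"))

    bad_log, good_log = [], []
    log_transaction_plaintext(bad_log, "alice", "favorite car", "Keyboard")
    log_transaction_safe(good_log, "alice", "favorite car")
    print("plaintext log:", bad_log[0])
    print("safe log:     ", good_log[0])
    print("fresh per-site answer:", random_answer())
```

The point of `verify_answer` accepting `"keyboard "` for a stored `"Keyboard"` is that normalisation happens on both sides before hashing; a dump of the stored records gives an attacker only salts and scrypt outputs, not answers that can be replayed against another site.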
Can't believe some people here are still the "THIS IS FINE" dog?
While it's not fine, it's not a reason to panic imho.
"since the leaked code is patched,
did our attackers maintain a foothold throughout the fix process?
did they manage to craft a payload that slips past the broken regex on the result page?
or did they breach through some other means?"
And that's the nightmare for a sysadmin. That nagging question of how deep it goes. Out of paranoia I have rebuilt my entire system from scratch because of a perceived breach. A total pain in the ass if you run multiple systems. At the scale of services that Epik offers it could take months to fully complete the work. You have to start by partitioning everything away from each other, basically removing integrations, some of which could be critical. Then you have to map out which servers to rebuild from the ground up. Almost surely you do brand new hardware too, just in case. What a nightmare it can be. But it's the only way to be 100% sure.
37 hours of my time … lifetime … digging the whole thing in and out just to be sure that there is nothing …
Oh then definitely you're due at least $1m USD. Get a lawyer right away. btw you owe me about $1800 for this reply which took my time.