Epik Had A Major Breach

The views expressed on this page by users and staff are their own, not those of NamePros.
You should be reporting actual security issues and bugs directly to the CTO if the CEO doesn't understand the issues

I reported it both to Rob and to the developer in charge of the relevant project. Rob reached out to me with a request; when I brought up a related security issue and cc'd the developer, he stopped responding. The details are earlier in this thread.

You can't be marketing yourself as the pinnacle of security and privacy in the domaining industry--"The Swiss Bank of Domains"--if you don't understand what that means; it's just not acceptable, and we should be demanding better.

At the end of the day, it doesn't matter whether he was deliberately ignoring security or just naïve: his customers will be suffering the consequences of his (in)actions regardless. He pitched himself as an innovator in privacy and security, yet here we are.

If you're pitching yourself as a shield for the persecuted, protecting their freedom of speech, you'd better not be storing such verbose PII in this manner. That's not to say you can't store it, but it can't be sitting in the clear in your backups alongside the rest of your data.

Trust is hard-won and easily lost. While I'm sure Epik will continue to have a loyal following, it's going to be hard to regain the trust lost during this incident.

I registered on 16th March. Does that mean I'm safe?

Nobody knows. The attacker only released data up to around the end of February, but there are clear indications that some data was withheld prior to the public release. We don't know what's circulating in private circles or what the attacker may have kept for themselves.
 
Email not showing, so hopefully as I only registered on the 16th maybe I'm safe. Though I had to provide identity documents for escrow security - so who knows if they lost the files too.

Lots of unknowns. Their site seems to be so full of security issues, who knows what else could be compromised that hasn't been made public yet. If I were you, I'd play it safe and at least change your password/s. Personally, I have zero faith that this is the only breach to date or that they're capable of preventing further breaches. They seem like a bunch of amateurs from everything we know. Hackers are likely to be emboldened now, and so much has come to light now that this information can likely be used to find or exploit other vulnerabilities.
 
I brought up a related security issue and cc'd the developer, he stopped responding. The details are earlier in this thread.

Here
While I'm generally willing to give Epik and Rob the benefit of the doubt, this tweet in particular does not sit well with me:
[Attachment 199509]

I reported a vulnerability both to Rob and the responsible developer on February 19, 2020. Neither responded (full size image for legibility):

[Attachment 199507]

I understand that it can be difficult to find good developers. I also understand that it can be even more difficult to find good security professionals. That's why I go out of my way to report vulnerabilities and offer my input when it can help people. I believe all security professionals have an ethical responsibility to report vulnerabilities when they become aware of them, and I was willing to do that in this scenario even if it compromised revenue for NamePros.

I certainly hope Epik has learned from this and will take such reports more seriously in the future.

Also, @Rob Monster might want to recall the below quote and start preparing a better/more accessible bug bounty initiative pronto!

Bug bounty programs are quite effective, actually, but they usually need to be live for more than a day to work their magic.
 
You can't be marketing yourself as the pinnacle of security and privacy in the domaining industry--"The Swiss Bank of Domains"--if you don't understand what that means; it's just not acceptable, and we should be demanding better.

At the end of the day, it doesn't matter whether he was deliberately ignoring security or just naïve: his customers will be suffering the consequences of his (in)actions regardless. He pitched himself as an innovator in privacy and security, yet here we are.

If you're pitching yourself as a shield for the persecuted, protecting their freedom of speech, you'd better not be storing such verbose PII in this manner. That's not to say you can't store it, but it can't be sitting in the clear in your backups alongside the rest of your data.

Using old code, running software with vulnerabilities, ignoring warnings, storing sensitive information like passwords in plain text, storing credit card info including CVV codes, storing VPN files that easily allowed them to be tracked back to users...and more.

Yeah, it sure seems like it was amateur hour there at least when it came to cybersecurity.

Brad
 
https://www.washingtonpost.com/technology/2021/09/21/epik-far-right-hack-anonymous/

"The files include years of website purchase records, internal company emails and customer account credentials revealing who administers some of the biggest far-right websites. The data includes client names, home addresses, email addresses, phone numbers and passwords left in plain, readable text. The hack even exposed the personal records from Anonymize, a privacy service Epik offered to customers wanting to conceal their identity.

Similar failings by other hacked companies have drawn scrutiny from the Federal Trade Commission, which has probed companies such as dating site Ashley Madison for failing to protect their customers’ private data from hackers. FTC investigations have resulted in settlements imposing financial penalties and more rigorous privacy standards.

“Given Epik’s boasts about security, and the scope of its web hosting, I would think it would be an FTC target, especially if the company was warned but failed to take protective action,” said David Vladeck, a former head of the FTC’s consumer protection bureau, now at Georgetown University Law Center. “I would add that the FTC wouldn’t care about the content — right wing or left wing; the questions would be the possible magnitude and impact of the breach and the representations . . . the company may have made about security.” "
 

Quick question … the people who are a part of .. or affiliated with these websites … do you think they don’t want to be known to run or be affiliated with these sites ???

For those who feel these people don’t want to be known to be affiliated with these sites .. why ???
 
ATTN: People of Twitter

If Emily G had purchased robmonsterenablesnazis.com at Epik, and if @Rob Monster confiscated that domain, as @namesilo exercised their registrar right to confiscate BreonnaTaylor.com see official comment from namesilo HERE, then this would not breach the registry code of conduct for front-running.

To be considered front-running, I believe the domain has to be purchased by the registrar before the customer who searched their system for availability. The main difference here is that it looks to be a confiscated domain, not a front-run purchase. On what specific grounds the domain was confiscated, I don't know. Maybe a clause where the CEO felt he was being harassed and his name was going to be used in bad faith? Not sure which term or violation that would fall under.


Reference the alleged purchase:

 
ATTN: People of Twitter

If Emily G had purchased robmonsterenablesnazis.com at Epik, and if @Rob Monster confiscated that domain, as @namesilo exercised their registrar right to confiscate BreonnaTaylor.com see official comment from namesilo HERE, then this would not breach the registry code of conduct for front-running.

To be considered front-running, I believe the domain has to be purchased by the registrar before the customer who searched their system for availability. The main difference here is that it looks to be a confiscated domain, not a front-run purchase. On what specific grounds the domain was confiscated, I don't know. Maybe a clause where the CEO felt he was being harassed and his name was going to be used in bad faith? Not sure which term or violation that would fall under.


Reference the alleged purchase:


I read down some of Emily G's posts and replies .. so the hack could have something to do with beefing between the Proud Boys and antifa ??? I am still trying to wrap my head around who was the target or targets ..
 
Quick question … the people who are a part of .. or affiliated with these websites … do you think they don’t want to be known to run or be affiliated with these sites ???

For those who feel these people don’t want to be known to be affiliated with these sites .. why ???

I mean, just one example -

After the Capitol riot, ‘Stop the Steal’ organizer Ali Alexander was scrambling to hide his digital footprint

https://www.dailydot.com/debug/ali-alexander-epik-hack-web-domains-capitol-riot/

Thanks to Epik's poor security, all that stuff is exposed now. He will probably be getting a visit from the FBI soon, if he hasn't already.

Many people like to do shady stuff behind the scenes. There will certainly be some connections people don't appreciate being made public. This is a treasure trove of data for law enforcement as well.

The data will be analyzed by thousands of people and many connections will be made, whether the person likes it or not. You essentially will have an army of independent people crowd sourcing this data to see what they can find.

Brad
 
Lots of unknowns. Their site seems to be so full of security issues, who knows what else could be compromised that hasn't been made public yet. If I were you, I'd play it safe and at least change your password/s. Personally, I have zero faith that this is the only breach to date or that they're capable of preventing further breaches. They seem like a bunch of amateurs from everything we know. Hackers are likely to be emboldened now, and so much has come to light now that this information can likely be used to find or exploit other vulnerabilities.

I watched almost the entire 3 hours of Rob's live event in response to the Epik hack on prayermeeting site which was posted to Youtube. Lots of off topic conversations, an appearance by a neo-nazi showing off a swastika tattoo on his chest, Rob breaking out in prayer, during the course of the meeting. But what I gleaned is that Epik/Rob purchased a registrar from another company. This registrar, now Epik, used poorly written code by a Russian developer located in Crimea then Ukraine (after Russia invaded Crimea). This code seems to be still powering Epik, or at least the registrar side. Unless Epik reuses portions of the code, it will be a massive undertaking to rewrite everything from scratch and do it the right way.
 
I mean, just one example -

After the Capitol riot, ‘Stop the Steal’ organizer Ali Alexander was scrambling to hide his digital footprint

https://www.dailydot.com/debug/ali-alexander-epik-hack-web-domains-capitol-riot/

Thanks to Epik's poor security, all that stuff is exposed now. He will probably be getting a visit from the FBI soon, if he hasn't already.

Many people like to do shady stuff behind the scenes. There will certainly be some connections people don't appreciate being made public.

The data will be analyzed by thousands of people and many connections will be made, whether the person likes it or not.

Brad

so this cat has been debating politics for two decades .. I have never seen him before .. but the article kinda makes him out to have celebrity or high-influencer status
 
Even though (as @Lox found) a lot of stuff was edited out from public "release", emails are in.
So, we should expect more phishing attempts.
The following may be helpful to combat phishing:
1) How to get email headers:
https://mxtoolbox.com/Public/Content/EmailHeaders/
2) Understanding An Email Header:
https://mediatemple.net/community/products/dv/204643950/understanding-an-email-header
3) IP address check and extra details:
https://bgp.he.net

And again, the hackers likely have far more data. Anything they redacted or did not release was their own choice.

It still would not make me real comfortable with my data in the hands of another party, to do with as they please.

Brad
 
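The post above expects a wave of phishing against the leaked addresses and points readers at header-reading guides. As an added example (not code from the thread or from any of the linked sites), the script below triages a constructed sample message the way those guides describe: it takes the originating IP from the last `Received` hop, reads the SPF/DKIM/DMARC verdicts out of `Authentication-Results`, and flags a `Return-Path` or `Reply-To` domain that differs from the visible `From` domain. All hostnames, addresses and IPs in the sample are constructed.

```python
"""Triage headers of a suspicious email, such as a post-breach phishing lure.
Added example, not code from the thread; the sample message is constructed."""
import re
from email import message_from_string, policy

# Constructed sample: a lure posing as the registrar, relayed from an
# unrelated host, with a mismatched Reply-To and failed SPF/DMARC.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby inbound.example.com with ESMTP; Tue, 21 Sep 2021 10:00:02 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mx.example.org with ESMTP; Tue, 21 Sep 2021 10:00:01 +0000
Authentication-Results: inbound.example.com;
\tspf=fail smtp.mailfrom=mailer.example.net; dkim=none;
\tdmarc=fail header.from=registrar.example
From: "Registrar Support" <support@registrar.example>
Reply-To: <recover-account@mailer.example.net>
Subject: Urgent: verify your account after the security incident
"""
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

def domain_of(addr_header):
    """Lowercase domain of the first address in a header value, or None."""
    match = re.search(r"@([A-Za-z0-9.-]+)", addr_header or "")
    return match.group(1).lower() if match else None

def triage(raw):
    """Return origin IP, auth results and sender/reply-to mismatches."""
    msg = message_from_string(raw, policy=policy.default)
    # Each hop prepends a Received header, so the last one is the hop
    # nearest the sender; its bracketed IP is the origin worth looking up.
    received = msg.get_all("Received") or []
    ips = _IP_RE.findall(received[-1]) if received else []
    auth = dict(_AUTH_RE.findall(msg.get("Authentication-Results", "")))
    from_dom = domain_of(msg.get("From"))
    reply_to = msg.get("Reply-To")
    findings = {
        "origin_ip": ips[0] if ips else None,
        "auth": auth,
        "from_domain": from_dom,
        "return_path_mismatch": domain_of(msg.get("Return-Path")) != from_dom,
        "reply_to_mismatch": bool(reply_to) and domain_of(reply_to) != from_dom,
    }
    # Failed SPF/DMARC, or envelope/reply domains that differ from the
    # visible From domain, are the classic signs of a spoofed lure.
    findings["suspicious"] = (
        findings["return_path_mismatch"] or findings["reply_to_mismatch"]
        or any(auth.get(k) not in (None, "pass") for k in ("spf", "dmarc"))
    )
    return findings
```

Feed `triage()` the raw headers exported from your mail client; the `origin_ip` it returns is the value to look up in a BGP/WHOIS tool such as the one linked above.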
I watched almost the entire 3 hours of Rob's live event in response to the Epik hack on prayermeeting site which was posted to Youtube. Lots of off topic conversations, an appearance by a neo-nazi showing off a swastika tattoo on his chest, Rob breaking out in prayer, during the course of the meeting. But what I gleaned is that Epik/Rob purchased a registrar from another company. This registrar, now Epik, used poorly written code by a Russian developer located in Crimea then Ukraine (after Russia invaded Crimea). This code seems to be still powering Epik, or at least the registrar side. Unless Epik reuses portions of the code, it will be a massive undertaking to rewrite everything from scratch and do it the right way.

I believe we are talking about this, from over a decade ago -

https://domainnamewire.com/2011/07/14/epik-acquires-domain-name-registrar-intrustdomains/

And again we can circle right back to incompetence then. You buy a registrar a decade ago and rely on that old shitty code, while calling yourself the "Swiss bank of domains" and mentioning "innovation".

The marketing does not match the reality.

Brad
 
I believe we are talking about this, from over a decade ago -

https://domainnamewire.com/2011/07/14/epik-acquires-domain-name-registrar-intrustdomains/

And again we can circle right back to incompetence then. You buy a registrar a decade ago and rely on that old shitty code, while calling yourself the "Swiss bank of domains" and mentioning "innovation".

The marketing does not match the reality.

Brad

It is very likely Epik is using PHP 5.x and old server software which is why the hack probably was not difficult. BTW, latest version of PHP is 8. PHP 5.x code will not work on servers running PHP 7 and later. So you have to stick with outdated server software and all the vulnerabilities associated with that and outdated PHP.
 