
Epik Had A Major Breach


DaveX

@GoDaveX, Top Member
The views expressed on this page by users and staff are their own, not those of NamePros.
Why is it that we have the same commenters going on and on and on and on and on and on with hammering Epik on this, and pushing that people get away from them? How many comments have the same people done in this one thread?

This behavior would/should under normal circumstances be labelled as trolling, yet nobody says a word about it. It is identical to what the corrupted media does against Epik. I wonder if this is deliberate, or if they simply don't realize the excessive obsessiveness of what they are doing?
This is because most of those who comment against Epik are agents of other registrars, and for them what happens is a plus. I would not exclude them being involved in the hack, as I asked a registrar in feedback before this hack, "what will you do now that Epik has the best prices and support on the market?" Well, it can be, who knows; nothing is a coincidence.
 
•••
Good points,

There are mainly two reasons for this:

Money

and

Politics

When it comes to money you have to realize that there might be hidden loyalties and alliances behind the scenes between some domainers and other registrars that see this as an opportunity to take one of their competitors out and perhaps take over some of their customers.

And as far as politics go, well we all know that some people seem to have an ideological vendetta against Epik that has been going on for a long time and rightly or wrongly they see this as an opportunity to vent some of their frustrations.

The only way to have a positive ending to this situation is to use this opportunity to bring some reforms to Epik and to the domain Industry at large (perhaps even to NamePros too).

IMO

Again, politics aside this appears to just be some really shitty cybersecurity.

- Storing stuff like credit cards, passwords, etc. in plain text.
- Using internal passwords like "123"
- Ignoring warnings about potential for security breaches.
- Data breach includes subpoenas and grand jury information involving ongoing investigations.
- Initially downplaying the seriousness of the hack.

and much more...

Instead of the classic ignore, deflect, blame others Epik is going to be forced to take responsibility for this one, especially when it now involves data linked to 3rd parties that had nothing to do with Epik.

All you have to do is go on Twitter in the last day and see countless people talking about being caught up in this data breach, and having no idea who Epik is.

They are also going to have to answer to major credit card companies on why payment information was stored in plain text.

Brad
 
•••
Again, politics aside this appears to just be some really shitty cybersecurity.

- Storing stuff like credit cards, passwords, etc. in plain text.
- Using internal passwords like "123"
- Ignoring warnings about potential for security breaches.
- Data breach includes subpoenas and grand jury information involving ongoing investigations.
- Initially downplaying the seriousness of the hack.

and much more...

Instead of the classic ignore, deflect, blame others Epik is going to be forced to take responsibility for this one, especially when it now involves data linked to 3rd parties that had nothing to do with Epik.

They are also going to have to answer to major credit card companies on why payment information was stored in plain text.

Brad

All Good points,

Although at some point everyone has to decide whether they want to see some reforms at Epik (and the domain Industry at large) or whether they are out for blood and want to destroy.

If the objective is to bring about some reforms then the discussions have to take a different direction.

IMO
 
•••
All Good points,

Although at some point everyone has to decide whether they want to see some reforms at Epik (and the domain Industry at large) or whether they are out for blood and want to destroy.

If the objective is to bring about some reforms then the discussions have to take a different direction.

IMO

Yeah, and that point is a long way away. Epik is going to be dealing with the fallout from this for a long time.

They have barely even given much of an update on what actually happened, how it happened, what customers are supposed to do, etc.

They have a lot of explaining and damage control to do regarding how this situation happened until they can even worry about rebuilding their brand.

Brad
 
•••
Lots of posts on Twitter just like this -


jonathanwthomas
@jonathanwthomas


5m
So, this is nice. A company I've never done business with, and would never do business with, has my personal information on file and it was just unveiled in a massive hack. Great. Epik clearly does not care about anyone's privacy. Time for data protection orgs to be notified.

Richard Hay
@WinObs

·
10m
I was notified this weekend that my data was in this breach. I've never done business with Epik. Why am I part of this? Because they scraped the WHOIS database and saved that data on their servers. It is time for Domain Privacy to no longer be an up charge by registrars!

This data breach involves information on millions of people who have never done business with Epik, due to them scraping WHOIS.

Brad
 
•••
Elliot Silver
@DInvesting

·
50m
In addition to non-customers, some people who won domain name auctions at NameJet / Snapnames had domain names automatically pushed to Epik accounts they may not have had otherwise.
 
•••
A company I've never done business with, and would never do business with, has my personal information on file

I've seen a few posts/twits like this but how is it possible Epik would have ANY personal info of someone they did not do business with 'on file'?

I'm asking a serious question...obviously (if what the person says is true) they at some point signed up for something on Epik or one of its subsidiaries...if not, it just means they are another lonely troll looking for attention.
 
•••
I've seen a few posts/twits like this but how is it possible Epik would have ANY personal info of someone they did not do business with 'on file'?

I'm asking a serious question...obviously (if what the person says is true) they at some point signed up for something on Epik or one of its subsidiaries...if not, it just means they are another lonely troll looking for attention.

Scraping WHOIS information. As far as I know it contains info like name, email, address, etc. It is certainly not as bad as the customer information that was breached.

Compromised accounts: 15,003,961

Epik does not have anywhere close to 15M customers.

Brad
 
•••
No doubt that Epik needs to be held accountable,

But at the end of the day, people still have to decide which direction they want this thread to take:

To Reform

or

To Destroy

IMO
 
•••
No doubt that Epik needs to be held accountable,

But at the end of the day, people still have to decide which direction they want this thread to take:

To Reform

or

To Destroy

IMO
Sorry but it's over.

There's no reform.
Name is destroyed. Do you read what's being said online?
"a very bad registrar that hosts nazis was targeted by anonymous the heroes and all their data got leaked".

Reputation is destroyed.
No one wants their domain at a registrar which is targeted by hackers and government agencies of all sorts because of their practice (being a haven for undesirable websites).

Had it been a very large and established company, some straightforward PR and security measures would have mitigated the damage, given they are not dealing with undesirable websites (that's why GD kicks them out).

Epik, being a small company, is done.
Sorry, but there's no way out of this.

Banned by PayPal, banned by Afternic, most domainers had already left them before this.
Now it's everyone, think about those running a business on a domain, think you're gonna risk losing your business through this MASSIVE breach.

Done. You can't mitigate this, the factors pushing against a small company are too great.
 
•••
No doubt that Epik needs to be held accountable,

But at the end of the day, people still have to decide which direction they want this thread to take:

To Reform

or

To Destroy

IMO

No, all that matters at this moment is Epik taking accountability and doing what they can to mitigate further damage. They need to protect their customers' information and make anyone whole who suffered damages due to their lack of cybersecurity.

We need to know clearly what happened, how it happened, and what steps Epik is taking to fix it and compensate customers for any damages that might be incurred.

If after all this stuff they can rebound, then whatever, but at this point the priority is the customers who have had their data exposed through no fault of their own.

Brad
 
•••
No, all that matters at this moment is Epik taking accountability and doing what they can to mitigate further damage. They need to protect their customers' information and make anyone whole who suffered damages due to their lack of cybersecurity.

We need to know clearly what happened, how it happened, and what steps Epik is taking to fix it and compensate customers for any damages that might be incurred.

If after all this stuff they can rebound, then whatever, but at this point the priority is the customers who have had their data exposed through no fault of their own.

Brad

Of course "To Reform" starts with taking all the steps that you and others have mentioned so far, but the question is do you want to pull the plug on Epik right now (as some people seem to want to do) or do you want to give them a chance to do the right thing and own up to this situation?

IMO
 
•••
Elliot Silver
@DInvesting

·
50m
In addition to non-customers, some people who won domain name auctions at NameJet / Snapnames had domain names automatically pushed to Epik accounts they may not have had otherwise.

Also, some NP domainers will only push auctioned domains from one Epik account to another.
 
•••
Of course "To Reform" starts with taking all the steps that you and others have mentioned so far, but the question is do you want to pull the plug on Epik right now (as some people seem to want to do) or do you want to give them a chance to do the right thing and own up to this situation?

IMO

I don't really care. It is not my responsibility to worry about the company of Epik.

I care about as much for Epik when they leak my information as I do for Verizon when they leak my information.

(I am not even sure how I ended up with an Epik account in the first place. It is not like it is something I proactively did. I think it might have been involving some domains I won at auction or purchased from InTrust Domains years ago, before Epik acquired them.)

What matters is the potential damage that has been done to customers, and unrelated 3rd parties.

The ball is in Epik's court to keep people informed and fix it. It is no one else's responsibility.

We still have hardly anything on what actually happened and how it happened.

Brad
 
•••
Why do you want to give them a chance when you run a business and they screwed up with your data and messed up your life?
Do they seem to care?
 
•••
Hackers are just the outcome.
Roots/Reasons are their toxic lifestyle and pseudosecurity.
 
•••
That WHOIS issue is going to bring a lot of attention. It is a major topic within ICANN circles.

Regards...jmcc
 
•••
Why do you want to give them a chance when you run a business and they screwed up with your data and messed up your life?
Do they seem to care?

Because I want to remain fair and unbiased and not let my personal feelings affect my judgment.

I would give a chance to anyone who wants to reform their old ways.

IMO
 
•••
Why do you want to give them a chance when you run a business and they screwed up with your data and messed up your life?
Do they seem to care?
It was already discovered and called: Stockholm syndrome.
 
•••
That WHOIS issue is going to bring a lot of attention. It is a major topic within ICANN circles.

Regards...jmcc

Yes, eventually ICANN might have something to say about this.

I am not sure of what, if any, potential ICANN policies might have been in play here when it comes to scraping, storing, and protecting WHOIS information. I am also not sure how GDPR might come into play with this data.

Brad
 
•••