
Epik Had A Major Breach

The views expressed on this page by users and staff are their own, not those of NamePros.
Oh, yeah, I'm pretty sure this has been discussed already but I found some notes in one of the tables that said not to tell certain customers about some subpoenas that Epik had received. Looks like Epik handed some data over to the FBI and didn't want the customers finding out about it.
It is likely not about whether Epik wanted to do so or not. They would have been instructed "not to tell the customers" by the same authorities.
 
I mean, the only real reason a website would be suspended is either a legal or TOS issue really.

Private companies like registrars, hosts, etc. can largely set their own TOS.

GoDaddy gave the Texas right to life whistleblower website the boot for doxxing reasons. They were attempting to collect and store private 3rd party information, including medical records. That violated GoDaddy's TOS (and maybe the law).

Epik then told them they would not allow that website either. It is a violation of their TOS.

Private companies largely decide where the line is when it comes to deciding who they do business with.

Brad

So what's the difference between Epik and GoDaddy?

They both do business with some controversial and less than desirable customers in one way or another.

If we are going to set some rules and standards as to whom could or should be booted out then why not have a uniform policy across the board that deals with all the different kinds of controversial and undesirable customers the same no matter which company they use.

IMO
 
It is likely not about whether Epik wanted to do so or not. They would have been instructed "not to tell the customers" by the same authorities.
I am not a lawyer, but I don't think a subpoena can legally prevent you from notifying a relevant party about a subpoena. Some companies have confidentiality contracts wherein the subpoena'd party is required to notify the company so they can challenge the subpoena in court. They can probably politely ask, but I don't think they can enforce it.
 
I think the number one thing that people mixed up here is Rob and Epik.
Rob may be a nice guy but he ran a lousy business.
I can't believe this is 2021 and he still saves data in plain text (maybe he does not know). I thought Visa/Mastercard require all vendors to store the data encrypted.
There are no excuses for this, and the number one problem with him is that he mixed business with politics.
 
So what's the difference between Epik and GoDaddy?

They both do business with some controversial and less than desirable customers in one way or another.

If we are going to set some rules and standards as to whom could or should be booted out then why not have a uniform policy across the board that deals with all the different kinds of controversial and undesirable customers the same no matter which company they use.

IMO

The difference is they are different companies with a different TOS.
On one occasion they both agreed with the same decision.

There is no uniform policy. That is not how it works with private companies.

If I have a BBQ on my property, I can set any terms I want. That is largely the same for a company as well.

Epik has kind of gone out of their way to court a lot of these people.

Look you have the right to be an objectionable asshole to a point, but you don't have the right to do some of the stuff people were doing. There have been examples of doxxing, threats, intimidation, already listed in this thread and on Twitter.

Brad
 
I am not a lawyer, but I don't think a subpoena can legally prevent you from notifying a relevant party about a subpoena. Some companies have confidentiality contracts wherein the subpoena'd party is required to notify the company so they can challenge the subpoena in court. They can probably politely ask, but I don't think they can enforce it.

They can if it is sealed.

If it was sealed and the information is out there I doubt the investigators are going to be too pleased.

It is certainly not that uncommon for investigations to subpoena information from 3rd parties. If they had to disclose that under every situation, it could really impede their investigations.

There are very valid reasons for this as well. There are times where you do not want to tip off the other party for any number of reasons.

Brad
 
There are no excuses for this, and the number one problem with him is that he mixed business with politics.
I don't think mixing business with politics is always a problem. It helps if your politics aren't shit. If I make a co-op domain registrar does that count as mixing business with politics? Asking for a friend.
 
The difference is they are different companies with a different TOS.
On one occasion they both agreed with the same decision.

There is no uniform policy. That is not how it works with private companies.

If I have a BBQ on my property, I can set any terms I want. That is largely the same for a company as well.

Epik has kind of gone out of their way to court a lot of these people.

Look, you have the right to be an objectionable asshole to a point, but you don't have the right to do some of the stuff people were doing. There have been examples of doxxing, threats, intimidation, already listed in this thread and on Twitter.

Brad

So perhaps the fact that there is not a uniform policy across the board is the real problem here that needs to be addressed and solved.

There are hundreds of controversial issues and even more controversial groups and unless there is some kind of a uniform policy to deal with them there are going to be other disasters happening in the future.

No matter what happens to Epik, this won't be the end of this when it comes to all the controversial groups that are out there.

The laws have to be strengthened to deal with extremism same as they are dealing with terrorism.

We can't rely on a company's TOS to deal with terrorists, and for the same reasons we should not rely on it to deal with Far Right and Far Left extremist groups who want to cause harm to others.

IMO
 
I don't think mixing business with politics is always a problem. It helps if your politics aren't shit. If I make a co-op domain registrar does that count as mixing business with politics? Asking for a friend.
Already been done in the Domaining industry where it became more cost-effective to pool resources to get cheaper registration and renewal fees. There's also a .COOP gTLD for cooperatives:
https://store.domains.coop/

Regards...jmcc
 
So perhaps the fact that there is not a uniform policy across the board is the real problem here that needs to be addressed and solved.
ICANN really doesn't want to get into the content side of the domain name business. It would cause all sorts of legal problems for it. The gTLDs also have to operate in a global market. With some of the new gTLDs from the 2012 round, there were objections to some gTLDs on religious or political grounds. The only uniform policies tend to deal with issues that are illegal in every jurisdiction.

Regards...jmcc
 
So perhaps the fact that there is not a uniform policy across the board is the real problem here that needs to be addressed and solved.

There are hundreds of controversial issues and even more controversial groups and unless there is some kind of a uniform policy to deal with them there are going to be other disasters happening in the future.

No matter what happens to Epik, this won't be the end of this when it comes to all the controversial groups that are out there.

The laws have to be strengthened to deal with extremism same as they are dealing with terrorism.

We can't rely on a company's TOS to deal with terrorists, and for the same reasons we should not rely on it to deal with Far Right and Far Left extremist groups who want to cause harm to others.

IMO

A uniform policy on what exactly? Private companies have rights, in general, to decide who they do business with. What, are you going to force a host to host some content they find morally reprehensible? That really doesn't make sense.

A web host might decide to not host content for moral, ethical, security, legal, or other reasons. You are not going to be able to force a private company to host content they don't want to.

99.99% of people have absolutely no issue finding hosting for their websites. It is a very tiny percentage of people with the issues, for obvious reasons.

Brad
 
I am not a lawyer, but I don't think a subpoena can legally prevent you from notifying a relevant party about a subpoena. Some companies have confidentiality contracts wherein the subpoena'd party is required to notify the company so they can challenge the subpoena in court. They can probably politely ask, but I don't think they can enforce it.
https://en.wikipedia.org/wiki/Gag_order
 
I see, there could have been a gag order if it was a national security letter. That's interesting, and actually does make sense here.
 
Monster's behaviour, both historical and current, actually has a lot to do with the hack. If Monster didn't try to cut out a niche for himself as "the guy who will sell literally (almost) anyone a domain", pulling marketing stunts like running Nazi websites, Epik wouldn't have attracted so many unsavory customers, thus hacktivists wouldn't have broken into their system. If he wasn't so arrogant and clueless about security his data wouldn't have been stored in such an insecure way (or at all, most of this stuff they did not need!) If they had patched their systems they might not have even gotten hacked. Did you miss the part where they probably failed to notify anyone that they were investigating a potential breach in 2020? Nobody is trying to defame your friend, they're criticizing him for making so many poor life choices and business decisions.

Although we're being a bit lenient with newer members in this thread, we've asked previously that the political side of this not be the center of focus because it's already been hashed out in several other threads over the years. This is a small industry, and everyone knows where everyone else stands, so there's not much point. As much as we love to be backseat lawyers, philosophers, and ethicists, we are not. Rob's character and Epik's business practices have long been divisive within our industry, even before he was in the public spotlight. While those discussions are important and ought to take place beyond the realm of domaining, they've already happened here.

We're just beating a dead horse at this point, and the only people left standing to discuss it are the vocal minorities on either extreme and the occasional bystander who, to their misfortune, happens to wander into the middle of such debates.

What's new to us is the information about Epik's lapses in security and privacy, as those revelations don't align with their reputation in the industry. Love them or hate them, they were known for (seemingly) caring about such matters, and most of us probably didn't expect this. It's not surprising that they got hacked; what's surprising is how poor their security practices were in general.
 
As we are mentioning lawyers, from Rob Monster's Q&A:

"High Fidelity: Is there anything worse than programmers or lawyers, Rob?

Monster: Yeah, I know. We actually try to use lawyers in a productive way. I try to avoid lawyers, but…

Unidentified: [laughing] Everyone tries to avoid lawyers, chief.

Jackson: The lawyers did the SDLC lifecycle, right? They got it all secure? Is that what happened? Or did you actually hire cybersecurity professionals to audit the software? Or can we just expect an underflow or an overflow or something, and you know, RCE on the servers.

Monster: I didn’t catch that. I don’t understand the question.

Jackson: SDLC. Do you know what SDLC is?

Monster: No.

Unidentified: It’s the software development lifecycle.

Monster: Oh, yeah yeah yeah, okay got it.

Jackson: Probably… probably not great.

Monster: So you missed it earlier…

Unidentified: They’re on the waterfall, John.

Monster: Earlier in the call we were talking about, you know, the legacy of the Russian dev team and [crosstalk]

Jackson: [laughing] the Russian dev team, damn."

In the transcript there's links to the explanation of the technical terms if anyone is unfamiliar.
 
ICANN really doesn't want to get into the content side of the domain name business. It would cause all sorts of legal problems for it. The gTLDs also have to operate in a global market. With some of the new gTLDs from the 2012 round, there were objections to some gTLDs on religious or political grounds. The only uniform policies tend to deal with issues that are illegal in every jurisdiction.

Regards...jmcc

There is the Uniform Domain Name Dispute Resolution Policy (UDRP) to deal with domain name disputes, so why can't there be something like a Uniform Domain Name Misuse and Abuse Resolution Policy where a panel of judges can take a domain or website down once a complaint is filed against the owner and/or operator?

One way or another this responsibility has to be taken out of the hands of Registrars, Registries, and hosting companies and the standards have to be made more uniform.

IMO
 
Anyone who ever used Epik's Anonymize service to hide dodgy activities has to be experiencing a sense of dread right now.
I just looked and there's anonymizer on 135 of my names. Not to hide dodgy activities, just because I had the default setting set for a while and never really gave it much thought. Can somebody tell me whether there is a reason that I should be having a sense of dread right now specific to anonymizer? Thank you
 
I just looked and there's anonymizer on 135 of my names. Not to hide dodgy activities, just because I had the default setting set for a while and never really gave it much thought. Can somebody tell me whether there is a reason that I should be having a sense of dread right now specific to anonymizer? Thank you

Anonymize and the WHOIS anonymizer service aren't related. Anonymize is Epik's VPN service.
 
Thank you, Paul
 
Not sure whether this has been mentioned before. I updated my email address on all my domains and my Epik account, right after the hack.

Changing the email through E did not update my email on Federated Identity. Had to log in to FI separately to change it.

People may want to check whether their email on all of E's services was actually updated.
 
Let me repeat for the 3rd time ...



Regards
Hi Lox. What are your reasons for saying this is so important? Thx
 
Let me repeat for the 3rd time ...



Regards
Why should I delete an email that hasn't been compromised? Pwned doesn't mean it's compromised, it's just leaked to the wrong people. I used separate passwords for all my accounts and now I have even subscribed to a password manager to make passwords unique and harder to guess.

Using same credit card is however dumb so I have closed that.
 