alert Epik Had A Major Breach

[Silentptnr]

Just read this. Looks like Epik may have been hacked and sensitive data compromised...

Read here:
https://domainnamewire.com/2021/09/14/hackers-claim-significant-epik-breach/

Thought I would share this.

 

[karmaco]

I canceled a card that was stored on Epik previously as a safety measure since we aren’t getting details on the extent and likely never will.

This is why the dismissal by PP was so annoying. I don’t like to store my credit cards anywhere else. How is Epik going to ensure going forward that our payment methods and our domains are safe is what I want to know.

 

[johnn]

Overracting? Epik fans should open their eyes for the way they treat the customers.
No posting no update nothing for days the only thing he cares is spamming new registration for $6.99 and praying?

He is not a normal/regular employee, he is the CEO.
Give me a break.

 

[xeroox]

Important observation: a lot of customers, especially non-U.S. based ones, have no interest in U.S. politics at all. Not only this, they do not care about differencies between lets say East Coast and West Coast, Weinstein and Epstein, Republicans and Democrats...
Which is why an IT company, especially if it is providing services worldwide, shout simply stop mixing the business and politics...

And religion

 

[Jurgen Wolf]

When I see "123" and "toor" passwords of admins and even in plain text - I have no comments, Swiss bank of domains.

 

[Bravo Mod Team]

https://twitter.com/x/status/1439708848659464193

https://haveibeenpwned.com/PwnedWebsites#Epik

https://haveibeenpwned.com/

 

[bmugford]

This stuff is all over Twitter now. It just keeps getting worse and worse.

Countless people are wondering how they ended up in a data breach from a company they never even heard of. Many of these comments are in response to emails from "Have I Been Pwned" regarding the hack.

Brad

 

[branding]

Why is it that we have the same commenters going on and on and on and on and on and on with hammering Epik on this, and pushing that people get away from them? How many comments have the same people done in this one thread?

This behavior would/should under normal circumstances be labelled as trolling, yet nobody says a word about it. It is identical to what the corrupted media does against Epik. I wonder if this is deliberate, or if they simply don't realize the excessive obsessiveness of what they are doing?

It has nothing to do with Epik. It's about warning people so they can keep their assets safe. Since communication from E is underwhelming Its only a good thing people keep adding info to this thread.

 

[kite26]

Update and Options for Affected Epik Users

Hello,

We previously notified that on September 15, Epik confirmed a data intrusion involving its customers’ personal information. Though our forensic investigation is still ongoing, we can now confirm additional details of this intrusion.

What happened:
While we continue to investigate, we believe that on or before September 13, 2021, unauthorized third parties accessed a backup copy of Epik’s domain-side service accounts through one or more non-public servers.

What personal information may have been obtained:
Name, address, email address, username, password, phone and VAT number (if given), transaction history, domain ownership, and for a small subset of users, credit card information.

What we are doing:
As previously stated, we have retained multiple cybersecurity partners to investigate the incident, secure our services, help affected users, and notify you, law enforcement, and other relevant authorities. We are continuing to communicate with relevant authorities and other stakeholders as well.

At this time, we have secured access to our domain-side services and have applied additional security measures to help protect services and users going forward.

In addition, we will offer free credit monitoring until September 15, 2023, for all affected Epik users; more details on this free service will be made available soon.

Additional options for users:
1. Change your Epik password and enable two-factor authentication by visiting: https://www.epik.com/support/knowle...ssword-epik-user-password-when-user-forgot-it

2. Call Epik Toll-Free at 800-510-3282 for further information and assistance.

3. The Federal Trade Commission (FTC) recommends that you place a free fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. This can be done by contacting any one of the three major credit bureaus:

Equifax: equifax.com/personal/credit-report-services or 1-800-685-1111
Experian: experian.com/help or 1-888-397-3742
TransUnion: transunion.com/credit-help or 1-888-909-8872

4. Request a free credit report from each credit bureau after placing a fraud alert on your file. Review these credit reports for any accounts and inquiries you do not recognize, as they may be signs of identity theft. If your personal information has been misused, visit the FTC’s site at IdentityTheft.gov to report the identity theft and obtain recovery steps. Even if you do not find any suspicious activity on your initial credit reports, the FTC recommends that you check your credit reports periodically so you can spot problems and address them quickly.

5. You may also want to consider placing a free credit freeze on your file. A credit freeze prevents potential creditors from obtaining your credit report, making it less likely for an identity thief to open new accounts in your name. To place a freeze, contact each of the major credit bureaus using the links or phone numbers above. A freeze will remain in place until you ask the credit bureau to temporarily lift or remove it.

6. Visit IdentityTheft.gov/databreach, for additional resources and help to protect yourself from identity theft or call 1-877-438-4338.

7. Learn more about your rights under the Fair Credit Reporting Act here.

8. Contact your local Attorney General or local law enforcement to report suspected identity theft by filing or obtaining a police report.

Thank you for your continued support. We will continue to keep you updated.

 

[Digital Nomad]

Well this take the cake as the most interesting edit of the year.

I had quoted your honey pot comment, but as I was writing the response, I noticed the honey pot text disappeared, and suddenly I was commenting on a post citing NaziMemorabilia.com as being a dildo distributor.

#OnlyOnNamePros

nP should add a LOL button!

 

[tonyk2000]

OnlyOnNamePros... "Investigative journalists" working with mainstream media should definitely read this thread . There are a lot of technically incorrect facts and suggestions in mainstream media now. If any member here is also commenting elsewhere (reddit, etc... ) - please invite the authors to NP. They will learn that a domain registrar is a domain registration company for all sorts of domains/customers, and not a "webhosting company". They will also learn that each IT company has servers in some datacenter (colocation, etc) so trying to find any other connections between epik (with or without ideology) and their colocation provider is illogical. Etc, etc, etc...

 

[Chris Hydrick]

ATTN: People of Twitter

If Emily G had purchased robmonsterenablesnazis.com at Epik, and if @Rob Monster confiscated that domain, as @namesilo exercised their registrar right to confiscate BreonnaTaylor.com see official comment from namesilo HERE, then this would not breach the registry code of conduct for front-running.

To be considered frontrunning, I believe the domain has to be purchased by the registrar before the customer who searched their system for availability. Main difference here, it looks to be a confiscated domain, not a front run purchase. As to what specific grounds was the domain confiscated, I don't know. Maybe a clause where the CEO felt he was being harassed and his name was going to be used in bad faith? Not sure which term or violation that would fall under.

https://twitter.com/x/status/1440367033837776896

Reference the alleged purchase:

https://twitter.com/x/status/1438567055637233669

⚠ RETRACTION ⚠

I have been informed that robmonsterenablesnazis.com was never a confiscated domain. The domain remained in the registrants account for a year, left for non-renewal, and went through the customary grace period. Despite the nature of the domain, free speech prevailed for this domain at epik.


I believe I remember reading namePros members questioning epik's expiration process, with expired domains sometimes automatically set to an epik for sale landing page, and/or WHOIS Information changing away from the registrant and to an @Epik.com email address... (@frank-germany -- you may have reported something of this nature, do you recall?)

If you notice closely, all the "nazi domains" were filed under ForSale@EPIK(.)com, and albeit Robs name (He seems to like putting his name on things like another orange fella) was attached to the WHOIS, the domains never reached rob's personal Epik email account. Thus, possibly explaining how robmonsterenablesnazis.com reached the databae of domains filed under Rob Monster || ForSale@epik/com, through an automated expiration cycle of restributing, and offering expired customer names with an epik for sale landing page // changed WHOIS/DBinfo during the expiration cycle.

This also likely means Rob Monster never actually owned NaziHunt.com (or the other nazi domains), and is therefor possibly not the secret Nazi Hunter we were all hoping for. This would also remove Robs direct connection to owning SexyNazis.com as all these domains were apparently dropped by epik customers, and due to epiks questionable expiration practices, might have been placed under [email protected] upon expiry.

....

DISCLAIMER: Please remember most of the information being posted is raw data, and there is a lot of room for misinterpretation, many times depending on company process/policy/procedures. Research and ask questions, just try and stay away from absolute conclusions until full confirmation, not just high speculation.

https://twitter.com/x/status/1440179980365828104

 

[Shackleton]

Anyone with an account can post here. You are not the Namepros community gatekeeper.

 

[Paul]

I was just saying based on your posting style that I think I know who you are. I think it's odd that you joined under a pseudonym when you already have an account here. You say you feel threatened but your actions are the more aggressive when you join under a secondary account to post about Rob. I don't think that's very nice at all.

We're not going to allow vague accusations like that here. I know it's commonplace on Twitter, but it's not appropriate for NamePros. If you suspect a duplicate account, report it--don't comment about it. Each member is only permitted one free account.

We've been seeing this argument with increasing frequency on NamePros: the other side's arguments and points are invalid because they are bots or puppet accounts. Every time we've investigated such claims, they turned out to be not just unfounded, but verifiably false.

Address the claims within each post, not the person or account behind those claims.

 

[Paul]

Temporarily closing the thread until the moderators catch up.

We don't allow threats on NamePros, including vague, ominous threats of doxxing.

 

[Start]

I felt sick when I searched that and found my info. There needs to be some repercussions from this.

Yeah, this is insane! How foolish can this "researcher" be? He seems like he's the bad stereotype of a computer programmer who has no sense of moral and ethical aspects and responsibilities.

Just because you have the technical capability of doing something doesn't mean that you should. It's bad enough that the info was in the hacked database (but difficult to see info), but it's even worse when this guy purposely puts it into a simple spreadsheet and publicizes it.

He's violating people's privacy by publishing details on (doxxing) every single Epik customer... thousands of innocent people!

And almost 14,000 of the people (out of 24,000) on the list only have 1 domain with Epik. A lot are probably companies/people who simply bought a domain from someone else, and they happened to use Epik's sale system.

To the "researchers" reading this, you need to understand some important points:

As I detailed here:
https://www.namepros.com/threads/epik-had-a-major-breach.1252094/page-68#post-8408613

1) Most Epik customers (I would say 99%) are just regular people and companies.

2) Until about early 2019, I don't think Epik really even had any controversies. It was just considered another registrar.

3) People transferred or registered a lot of domains to/with Epik because of the low prices, excellent support, and the useful system they have for selling domains. Those were in place years ago, before the controversies in the past ~2 years.

4) And the #2 guy at Epik (Joseph) for years was actually a somewhat left-wing atheist (opposite of Rob). And I would objectively say that Rob and the staff are pretty nice in general interaction (the staff are also multicultural), so one wouldn't have expected how things went. But after the controversies started in 2019, that's apparently when Joseph left later that year. But a lot of customers already had a lot of domains at Epik by then.

5) And some registrars' control panels make it a hassle and a bit time-consuming to transfer domains out in bulk... and Epik is one of those. They're maybe average on that measure, but I think you have to do them one at a time, and that time adds up. That aspect is why there's a general tendency (at any registrar) for people to keep domains wherever they're already at.
...That's why I can see one example of someone who publicly parted ways with Epik, but still has a lot of domains there. And I even see companies that have had public disputes (over a year ago) with Epik in the list, and yet even they still had domains there as of February.
...For bulk accounts that had the special "Namepros pricing", Epik only got 7cents in profit ($0.07) per .com domain renewal, so it's not like Epik was getting funded by those customers anyway.

6) Most people wouldn't know about Epik's controversies. I periodically visit NamePros, and I didn't even know some of the stuff I've read in this thread.

So frankly, publicizing people's private information is irresponsible -- especially when so many "researchers" have incited/created a confused mob by acting as if 90%+ of Epik's customers are neo-nazis, when those are just a tiny fraction
(any fraction is too big, but realize that the vast majority of customers are just regular people).

It reminds me of Timberland clothing -- it became a trend for "chavs" (basically UK riff raff) to wear it, but most people who wear it are just regular people. If a bunch of chavs do something bad, it doesn't make sense to list every single person who bought Timberland clothing!


(Also, for Twitterati reading this, I'm no right-winger saying that, I'm just pointing out some facts. I'm someone who considers even the US Democratic Party to be somewhat right-wing, as I also wrote months ago here too: https://www.namepros.com/threads/br...h-of-his-domains.1230431/page-23#post-8191759 )

@Molly White You're the only one I've seen here (or at least who I remember) who is also active with the researchers on Twitter. So I hope you can relay this info to the guy who violated people's privacy by posting details on every single Epik customer. He's doxxing thousands of innocent people.

 

[Start]

@Molly White

Not everyone has the technical ability or resources to determine if their data is present in the leak.

There's a difference between telling people what data is in the leak, versus actually putting it into a spreadsheet and publicizing it. If you want to help people, don't pour more gasoline on the fire.

It reminds me of when paparazzi found out that a celebrity was holidaying at a secluded retreat area. So they used telescopic camera lenses to take photos from a mile away, and then published the photos. Yeah, okay, it was technically "in public", but the courts rightly decided that it was still an invasion of privacy.

Likewise, it's one thing for data to be difficult to access, even if it's out there. But it's another to format it and publicize it.

As I said, vigilante computer programmers aren't suited to make these decisions. They should work with social scientists like Ronald Deibert to decide on those issues.
https://en.wikipedia.org/wiki/Ronald_Deibert

I suspect many people who were exposed in this hack appreciate the work being done by those like whoever made that spreadsheet.

How does that spreadsheet help!? It doesn't. We already know that Epik got hacked. Epik emailed everyone (and I'm sure many people Googled for more info) and forced password changes.

And the "haveibeenpwned" guy apparently emailed everyone too. And this has been reported in mainstream media. Escrow.com even looked at the data and emailed any customers too.

And no, I don't think people appreciate that your fellow "researchers" are wrongly telling people that most Epik customers are far-right, and then publicizing a list of all Epik customers.

But blaming researchers for reformatting or sharing their findings from widely-available data is frankly ridiculous.

No, the "researchers" do deserve a lot of blame, for spreading the wrong impression! They are talking about this like most Epik customers are basically neo-nazis.

That simply is not true. I already told you that in detail.

And it's not fully about journalists, the "researchers" are the ones who are giving the wrong impression, and most journalists have multiple deadlines per day and don't know much about these issues, so they end up parroting what the main tweeters are saying, and what Wikipedia says.

And if there are journalists who have written that, numerically, most Epik customers are far-right, then that should be criticized (and corrections submitted). But it seems bizarre to me to fault journalists who have described Epik as a popular choice among far-right groups and individuals, or as a company known to service the same when they have been deplatformed by others.

What they need to do is clarify that most Epik customers are just regular people, and the far-right ones are a tiny minority.

Writing that "Epik as a popular choice among far-right groups" is technically true, but like with the article I cited, it gives people the impression that most Epik customers are of that nature.

If criminals start using Louisville Slugger baseball bats as their top choice for crimes when using a bat, that's still a tiny fraction compared to people who use them for baseball.

In this case, the CEO foolishly tried to attract them, but it doesn't change the fact that most customers are just regular people, and signed-up when Epik was just another registrar.

As recently as two months ago they were rubbing elbows with James O'Keefe, it seems. You're quite right that there are probably customers whose information is in the leak due to domains bought before 2018, and who may not have realized their previously fairly low-profile registrar might suddenly take a public turn to the right, but it seems to me that it is Epik who is responsible for earning this reputation.

I had to Google who James O'Keefe even is, and I read the news more than most people. That exemplifies my point even more, because most Epik customers wouldn't know what Epik and some staff were doing. They simply renew their domains.


And regarding this:

"You're quite right that there are probably customers whose information is in the leak due to domains bought before 2018"

...that's showing part of the issue right there. Statements like "probably", or "yeah, some Epik customer aren't far-right" (by a main epikfail tweeter) are what's causing the problem.

Why are you weakening the statement by saying "probably". It's an inevitable fact, and I know it's true, because I checked a few past domain sales, and some of those customers are still at Epik. And they're just regular people who signed-up with Epik because I said it would be easy to do the domain sale there.

Also, checking dates, I see that Epik didn't become controversial until November 2018, so even customers in mid-2018 many signed-up thinking Epik was just another registrar (and most very likely don't even know who Rob is, or what Epik got involved with).

Nov 2018 wasn't that long ago, especially considering how long Epik has been around. A lot of people even renew domains for a few years at a time, and possibly haven't even logged in to Epik in the past 3+ years.

iirc, you control the Wikipedia page for Epik. It would help (especially since journalists probably look at Wikipedia for basic info) if you mention that Epik didn't become controversial until Nov 2018, and many customers signed-up before then. That's simply a fact, and deserves to be mentioned.


Here are the bottom lines:

1) "Researchers", journalists, and others need to realize that the vast majority of Epik's customers are just regular people.

2) There's no need to doxx thousands of innocent people by publicizing the customer list. Just because you have the technical ability to do something doesn't mean you should.

3) "Researchers" should partner with actual social scientists like Ronald Deibert (or others like him, who have actual training in this area) to properly assess what information should be publicized.

4) I just took at look at your Twitter page, and I see new tweets where you're citing a couple of crackpot posts, as if they're reflective of NamePros. That's intellectually dishonest of you. I argued my points in a civil and logical way, and instead you're focusing on low quality posts, and also knowingly giving the wrong impression to people on Twitter regarding the rationale for why they need to be more careful about information disclosure. Please do better.

 

[Mr. Glomar]

As owner of some valuable domains myself and former customer of Epik, at this point I can only recommend to anyone that's still an Epik customer to get the heck off it and move your domains to a safer place.

At least put your "most valuable" domains in a safer place.

For what it's worth, most of my personal and most valuable domains are kept at Cloudflare now, just because security is their focus.

You need to weigh the "costs of moving" against the potential of "losing domains altogether".

Is it worth the risk? Maybe, maybe not.

 

[Evil.dll]

@Rob Monster, my duty is, first and foremost, to the NamePros community. As a security professional, I am skilled in analyzing breaches and am qualified to offer my opinions on the matter. That is my job.

I fully understand that this is not an easy situation for you to be in, but I have an ethical responsibility to offer assistance when and where I can. If I have made any factual errors, you are free to offer evidence to the contrary.

Your customers, many of whom participate here, are scared and looking for guidance. Vague threats toward professionals who are attempting to help them is not a healthy component of incident response.

^^^^^^^^^^This^^^^^^^^^^ I don’t know Paul, I don’t even know namepros that well, but this is much better than a four hour long narcissistic rant. Epik has a responsibility as a data owner to protect the data they are stewards of. Epik customers have a right to know how a company uses and stores their data. I will admit, I showed up for the trolling, but I am sticking around for the insight. I am not going to walk people through this with kid gloves on, because you all have google, if you are unsure of something, educate yourself on it so you don’t find yourself in this situation, if you don’t have time to educate yourself hire a competent person to explain to you how this fallout could affect your domains. By Paul’s response he is demonstrating that he understands the situation, he seems to want to assist people in their time of panic, as for his motivation to do so, only he is capable of answering that, but his response demonstrates that at least there is a competent individual that understands Incident response that is willing to engage in a rational discourse with not only his customers, but Epik customers as well. My personal assessment of this breach is that it is a catastrophic failure of a company to provide it’s users with the bare minimum of privacy protection. That is an opinion based off of 20 years of preventing the collection and dissemination of sensitive information on multiple fronts. Take it with a grain of salt.

 

[Future Sensors]

Thank you @Paul for your continued efforts to keep this forum safe and secure.

Particularly during CyberSecurity Awareness Month 2021

 

[DN Playbook]

One of the threads that you posted was my thread and I think you are right about Namepros is responsible for letting Rob spam the forum everywhere.

NP gave RM plenty of rope to hang himself. Also he was an advertiser for a while.

To be clear, when you write “NamePros,” you are referring to the community and not the website.

NamePros, the website, did not award Epik with that title. The promotion that you described is entirely automated based on community activity: popular threads are displayed based on the number of unique participants.

We had no involvement in Epik winning the poll in March 2020, and we had no involvement in Epik losing the poll in Dec 2020 - Jan 2021.

It is quite obvious that Epik had a lot of staff accounts, as well as proxy accounts, which manipulated the results. Then Epik placed a self-made award badge and statement on their home page, "Epik recognized as Best Registrar Worldwide in NamePros 2020 Annual Industry Vote". It certainly makes it sound like this was awarded officially by NamePros, not just the community. You should have a policy against claims that imply NamePros, the website, has awarded something when, in fact, it was a simple forum poll that has no real validity or representation of the industry, no judges, no standards, no backing of or verification by NamePros.

 

[jmcc]

Could some of you domain and registrar experts help me calculate Epik revenues so I can figure out just how ridiculous this valuation is. For example:

I don't deal with valuations but Epik is by no means a small registrar. As of the latest ICANN stats (June 2021), it has 651,046 gTLD domain names under management. Of these, 496,702 are .COM registrations. This is a good thing. The majority of its registrations are legacy gTLD registrations with new gTLDs accounting for approximately 11.3% with .XYZ registrations being the largest of its new gTLD footprint.

When looking at a registrar's domain name footprint, the blue chip TLDs are the big ccTLDs, .COM and .ORG. The last two are considered blue chip because they renew well. Some of the new gTLDs (the geographical ones) have very high first renewal rates but the discounted new gTLDs have much lower renewal rates. From a stability point of view, having a high percentage (50% or more) of new gTLDs is generally a bad thing so Epik scores quite well in this respect.

Renewals are the lifeblood of registrars and registries. They are a more important indicator of a registrar's financial health than new registrations. The complete first renewal rates are only visible after the domain names go through their first renewal cycle so many of the new registrations from the last two years are going through their first renewal or have yet to go through their first renewal. (The 2020 registrations won't renew until 2021, the 2021 registrations until 2022 etc.) I crunched the multi-year renewal rates for gTLD registrar/hoster operators from 2021 to 2000 last month based on currently hosted domain names.

1) Number of domains hosted at epik and approximate profit per domain.

With a registrar that uses fixed registration fees, this would be easy. Epik uses discounting as a marketing tool so there is a range of pricing. It might be possible to estimate the overall profit using leaked data but it is not going to be reliable without knowing which registry discount offers Epik used in its marketing. The registries regularly run promotional offers for their registrars.

2) Number of web hosting accounts and approximate revenues/profit.

You have to know the hosting tiers (shared/dedicated etc), the price per account and the costs associated with setting up and maintaining the account. With retail registrars/hosters, many clients will host outside the registrar's infrastructure. This also means that they may not be hosted on the registrar's nameservers. (They may be using Cloudflare or a DIY web builder service.)

3) Break down of any other Epik products and services.

Again, the leaked data may provide some indications but it would require the costs for these services or products to be known and the number of accounts and duration to be known.

The media coverage of the Epik databreach has been almost completely focused on the political aspect. The journalists like simple explanations that don't require them to work hard and the political aspect is about the most simplistic angle on it. It is almost completely irrelevant to the rest of the world as it is local US politics.

The sheer scale of the compromise has actually worked in Epik's favour as even researchers who understand vulnerabilities and software struggle to deal with the hugh amount of data that often relates to a business outside their area of expertise. Even with the leaked data, calulating the precise valuation, turnover and profits of Epik would be difficult.

The registrar business is incredibly territorial with the top registrars in country level markets having around 80% or so of the domain names registered in that country. The only way into most of those markets is for an operator to buy the top registrars in the market. This is what Godaddy and Newfold Digital, UI and others have been doing for the last ten years or so. I publish an Excel based transactions (new/deleted/transferred) report each month that groups the main gTLDs by registrar/hoster operators. Some of the larger registrar/hoster operators have hundreds of hosting brands.

The hosting characteristics of Epik are very different to those of a typical retail registrar/hoster. This is because much of Epik's business is focused on its sales and domainer market. Just to put that market in some kind of perspective, approximately 9.5% of .COM is on sale. That's around 15 million domain names. While some of the domain names on Epik's sales platforms may be registered via Epik, others are not. This is because many portfolio operators tend to be very loyal to their main registrar but agnostic to where they post those domain names for sale. (Epik, Dan, Afternic, Sedo etc.) This is why the registrations on sales platforms are a bit of a nightmare to break down by registrar. Epik is not an accredited registrar in some ccTLDs but it has domain names from those ccTLDs on its sales platform. These may be registrants parking the domain names on Epik's sales platform or domain names registered via Epik but outsourced to a "registrations as a service" registrar which is accredited in these ccTLDs.

Sales platforms are also a bit of a problem to evaluate because unless they are charging a fee to list, they only make a profit when the domain name is sold via the platform. As a category, these domain names have different renewal trends to ordinary retail registrations. There are premium registrations that renew well (near 100%). There are almost premiums which can renew well. Then there are the highly optimistic registrations (often registered at a discount) which tend to be one year wonders.

Working out valuations for registrars (even those that simply offer registrations rather than hosting) without the registrar's financial documents and accounts is a complex process even with the current data because it also needs the historical data, the TLD market data, and enough information (revenue per domain, costs etc) to make reliable projections.

Regards...jmcc

 

[Future Sensors]

The lack of explanation and meaningful guidance has gone on for a long time now. For concerned Epik customers who want to better educate themselves about, and arm themselves against, potential attack vectors, I've been sorting out a few resources over the past few days. You can find them in the Technology section of NamePros.

https://www.namepros.com/forums/technology.249/

 

[bmugford]

Peoples personal/financial information potentially being stolen is the most important issue here...company credibility can take a back seat until that's been cleared up....

Yes, without a doubt. I have had many issues with Epik and Rob Monster, and would not wish a data breach on anyone. No one wins, with the biggest loser being the customers.

Brad

 

[equity78]

(if everything was in plain text, how can we be sure?)

If everything was in plain text that's a fucking disgrace.

 

[Paul]

They act like nothing happened or fake news. This tactics was chosen.
~3h ago I have received reply in my yesterday's ticket:
As far as I'm aware, we are not being attacked by DDoS.

I think you're probably expecting a bit much from such a small company this early in the game. I'm not saying their response--or lack thereof--is reassuring, but it's par for the course. Most people involved probably don't even know the difference between a DDoS attack and a data breach.

That's not to excuse their lack of security or preparedness, but we've seen similar behavior in the industry from other, less controversial companies.