
Epik Had A Major Breach


Silentptnr

The views expressed on this page by users and staff are their own, not those of NamePros.
So do security lapses. I’d rather pay up front than take my chances.
It would have to be well marketed and there would be considerable push-back from the registrar and registry constituencies in ICANN. That's why it would be difficult to get it adopted as a policy even though it would be sensible.

From a technical standpoint, that makes zero difference. There were production credentials in the backup; it would’ve been trivial for an attacker to shift laterally given Epik’s poor security practices and lack of isolation.
That is an issue but it is difficult to say for certain that it could be done without knowing if Epik had IP rules on accessing its internal network. There was a claim earlier that it was a remote backup that was compromised but the problem is that there is a lack of verifiable details of what was compromised and, more importantly, how.

From an auditing standpoint, that makes zero difference. Backups are still subject to security requirements, for reasons that should now be clear to everyone in this thread.
They would be but it is too late for Epik now.

Regards...jmcc
 
0
•••
I would like to see ICANN enforce annual security audits.

Makes one wonder why it hasn't been done all these years.

As you know there are yearly security tests and evaluations done in every other Industry.

IMO
 
0
•••
ICANN already charges the Registrars and Registries a yearly fee, doesn't it?

And there is also the revenue from the 25 cents ICANN fee that is added to every domain.

Plus ICANN seems to be sitting on around 500 million dollars right now that it has gained through all the fees and donations that it has collected so far.

IMO
You would have to convince ICANN to implement a policy as part of the registrar accreditation agreement. The current one is the 2013 one. That means basically campaigning for the changes by getting the various constituencies in ICANN to adopt it and having it accepted. Then, after it is accepted, it could be a part of the next RAA.

Regards...jmcc
 
0
•••
You would have to convince ICANN to implement a policy as part of the registrar accreditation agreement. The current one is the 2013 one. That means basically campaigning for the changes by getting the various constituencies in ICANN to adopt it and having it accepted. Then, after it is accepted, it could be a part of the next RAA.

Regards...jmcc

I don't think that I have to convince them of that, the latest events dictate that ICANN should take additional measures to protect the Registrants.

That is if they hold true to their own mission statement.

IMO
 
0
•••
I don't think that I have to convince them of that, the latest events dictate that ICANN should take additional measures to protect the Registrants.

IMO
ICANN would, in that case, say that it is the registrars who should take additional measures. You may be focusing on ICANN rather than the registrars. It is the registrars who have to protect the registrant's data.

Regards...jmcc
 
0
•••
It is the registrars who have to protect the registrant's data.

And it is ICANN's responsibility to make sure that the Registrars and Registries do that.

One way or another ICANN accreditation should mean something more than just collecting fees.

This has now evolved beyond just Epik,

In my opinion ICANN should immediately initiate an Industry wide evaluation of all security protocols and systems.

IMO
 
0
•••
How would an average registrant make an informed decision?

Good question. Most customers will not look at certifications like SOC2.

Customers base this mostly on marketing and blog articles. In the case of Epik, the registrar code was apparently thoroughly reviewed in 2011. In a blog article from June 2011, the following qualifications were used:

- Extremely robust
- Talented engineers
- Battle-tested code

https://www.epik.com/blog/epik-introduces-domain-registrar-services-2.html

Interestingly, in 2021 Epik suddenly thinks very differently about the same code and calls it "shitty Russian code".

https://blog.mollywhite.net/monster-qa/

https://www.namepros.com/threads/epik-had-a-major-breach.1252094/page-50#post-8403335
https://www.namepros.com/threads/epik-had-a-major-breach.1252094/page-50#post-8403337
 
3
•••
I know Rob. What drives him is his ego, his desire to be the center and control everything and everyone, to be the great moderator in the sky. He is an evil and malicious guy that is capable of anything. The Christian talk is just that, talk. He uses it to disarm people and get control of them. No real Bible believing, born again Christians talk like that. I am one and I have met some of the best Christian men in the world and none of them talk that much hyper-spiritual nonsense and do so while LYING.

Also, he has $32 million in the bank.
Lol.
$32 Million.
Go Rob!!

Samer
 
0
•••
And Estibot as Russian bonus...
 
0
•••
And it is ICANN's responsibility to make sure that the Registrars and Registries do that.

One way or another ICANN accreditation should mean something more than just collecting fees.

This has now evolved beyond just Epik,

In my opinion ICANN should immediately initiate an Industry wide evaluation of all security protocols and systems.

IMO
>>> https://72.schedule.icann.org
 
0
•••
ICANN has done a good job when it comes to maintaining the security and stability of the DNS,

But when it comes to overseeing the operations and security at the Registrar and Registry level I believe that it has to go beyond the initial testing and evaluation that has been done at the time of the original accreditation.

In the current environment yearly (and in some cases even monthly) audits seem to be the logical thing to do. (end of story)

IMO
 
0
•••
When Epik became an accredited registrar didn't they have to pass certain tests and evaluations as far as their security protocols go and if they passed and got their accreditation then ICANN might consider Epik to be more of a victim than a villain as far as them getting hacked now (just saying).

IMO

I run a SaaS and have various accreditations. Thing is, no one ever looks at your code. They look at your company's procedures and policies.

Equally, a lot of pen testing isn't worth the paper it's written on.

The reality is you never really know how well an organisation is safeguarding your data. Until they fail...
 
4
•••
ICANN has done a good job when it comes to maintaining the security and stability of the DNS,

But when it comes to overseeing the operations and security at the Registrar and Registry level I believe that it has to go beyond the initial testing and evaluation that has been done at the time of the original accreditation.

In the current environment yearly (and in some cases even monthly) audits seem to be the logical thing to do. (end of story)

IMO
It is all very high-minded and good to worry about things and say how ICANN should do this or that. It is only by getting involved that you will effect change. Attend some of the meetings, learn about ICANN and the various stakeholders and groups.

Regards...jmcc
 
3
•••
I run a SaaS and have various accreditations. Thing is, no one ever looks at your code. They look at your company's procedures and policies.

Equally, a lot of pen testing isn't worth the paper it's written on.

The reality is you never really know how well an organisation is safeguarding your data. Until they fail...

Blatant lapses in security protocols can be detected through audits by third parties.

Nevertheless how things have been done so far should not dictate how they need to be done going forward.

We need to come up with a fresh and new way of thinking when dealing with problems in the current environment.

IMO
 
0
•••
It is all very high-minded and good to worry about things and say how ICANN should do this or that. It is only by getting involved that you will effect change. Attend some of the meetings, learn about ICANN and the various stakeholders and groups.

Regards...jmcc

As I already said, ICANN needs to take additional measures to protect the Registrants without me having to convince them of that.

Spent too much time arguing about this, I need to go get some fresh air before the day is over. :xf.smile::xf.wink::angelic:

IMO
 
0
•••
As I already said, ICANN needs to take additional measures to protect the Registrants without me having to convince them of that.

Sorry to disappoint, but you really have to attend the ICANN meetings.

Do keep us informed.

 
0
•••
Thanks to Epik. I received an alert on my credit report.


  • Dark Web Alert: Compromised Email Address
  • Email Address: [email protected]
  • Breached Site: epik.com
  • Password: Not Exposed
  • Date found on dark web: Sep 23, 2021
 
0
•••
Why do I want to protect the Registrants,

Well because I am a Registrant too
Your comments have nothing to do with Epik. You're ruining this thread. Go start an ICANN thread.
 
4
•••
As I already said, ICANN needs to take additional measures to protect the Registrants without me having to convince them of that.

Spent too much time arguing about this, I need to go get some fresh air before the day is over. :xf.smile::xf.wink::angelic:

IMO

It is just not that feasible that ICANN audits thousands of registrars.

At some point you just need to put public trust in a company. Maybe it would be better for ICANN to drop the hammer on companies that abuse that public trust via their actions.

You make some examples, it is far less likely to happen again.

Regardless, let's try to keep this on topic. This event is unprecedented. This is an Epik issue far more than an ICANN issue.

Brad
 
5
•••
A snippet from the article:

The Epik spokesperson called the hack “an egregious violation against our users” and said the breached data included up to 38,000 credit card numbers.

Epik reported CC info was obtained for "a small subset of users". The total number of users affected was 110,000. So this 38,000 amount is not really a small subset.

What personal information may have been obtained:
"Name, address, email address, username, password, phone and VAT number (if given),
transaction history, domain ownership, and for a small subset of users, credit card information."

Data Breach Notification (HTML)
https://apps.web.maine.gov/online/aeviewer/ME/40/68401938-23c3-4279-8bc5-d4782e3cba56.shtml

Data Breach Notification (PDF)
https://apps.web.maine.gov/online/a...fd3-db44-4fd4-b8b8-e2b7285e13e9/document.html
 
12
•••