Epik Had A Major Breach

Labeled as alert in Warnings and Alerts, started by Silentptnr, Sep 14, 2021

Replies:
3,622
Views:
192,552

  1. karmaco

    karmaco Top Contributor VIP

    Posts:
    3,243
    Likes Received:
    9,033
    Another potentially disturbing thing that hasn’t been mentioned was people having to submit documents to prove their identity to conduct sales on the platform. Wondering if this stuff was stored safely or does the dark web have our licenses, picture IDs etc.
     
  2. Future Sensors

    Future Sensors 78% of human domainers will be replaced by robots Gold Account

    Posts:
    2,504
    Likes Received:
    8,394
    Agree. See paragraph "Where your data is stored" in their https://porkbun.com/legal/agreement/privacy_policy
     
    Last edited: Sep 27, 2021
  3. carob

    carob Top Contributor VIP ★★★★★★★★★★

    Posts:
    3,868
    Likes Received:
    5,401
    I have come across registrars that force you to save a card just to open an account. I don't like it.

    BUT the simple method for removing the card is just: add another payment method: add PayPal.
    Then delete the saved card at the registrar, because they now allow that since you have another payment method saved.
    Then go into the PayPal account and cancel the recurring payments authorisation for that merchant - they now cannot get payments from you unless you specifically authorise them.
     
    Last edited: Sep 27, 2021
  4. Jurgen Wolf

    Jurgen Wolf Top Contributor VIP ★★★★★★★★★★

    Posts:
    12,128
    Likes Received:
    11,027
    Porkbun doesn't require PayPal agreement, nothing to cancel.
     
    Last edited: Sep 27, 2021
  5. Jurgen Wolf

    Jurgen Wolf Top Contributor VIP ★★★★★★★★★★

    Posts:
    12,128
    Likes Received:
    11,027
    They are former Name.com core team.
     
    Last edited: Sep 27, 2021
  6. Kingslayer

    Kingslayer Top Contributor VIP

    Posts:
    2,136
    Likes Received:
    5,702
    A lot of sites make customers do that (PayPal, Escrow, betting sites etc), but it is a good question!

    Once you submit this data it’s supposed to be discarded and retained only internally – with non-Epik customers being affected by this breach (i.e. Epik collecting and storing personal data they didn’t need to collect), it wouldn’t surprise me if Epik customers' identities, such as passports, were stored externally and therefore could be accessed by 3rd parties.
     
    Last edited: Sep 27, 2021
  7. eternaldomains

    eternaldomains Established Member

    Posts:
    494
    Likes Received:
    337
    I remembered at one time I paid with CC and it got stuck there since.

    Just now I checked back, was able to delete all payment methods from my dashboard. Either I thought wrong, or the bun did change something. Sorry for the bad reporting.
     
  8. Future Sensors

    Future Sensors 78% of human domainers will be replaced by robots Gold Account

    Posts:
    2,504
    Likes Received:
    8,394
    This thread raised the question of how other registrars deal with credit card handling and compliance.

    Here's how Joker is doing it.

    https://joker.com/?mode=page&page=security

    Certified Credit Card Security at Joker.com
    Joker.com fully complies with the requirements of the credit card industry, defined by the PCI Data Security Standard.
    This includes a security audit, performed by an external service provider, executed every 3 months.
    This serves to protect your payment data, which Joker.com handles with greatest care. Joker.com uses this data solely for the purpose of payment.
    You can click the Sysnet logo on their site to see the latest compliance info.

     
    Last edited: Sep 27, 2021
  9. Mary Muse

    Mary Muse Top Contributor VIP

    Posts:
    1,609
    Likes Received:
    3,133
    We need to hear from Epik.

    If Rob can drop by this thread and continue to "like" random posts, then surely he can make a goddamn statement updating us on just how big of a mess this is.

    It's absolutely bullshit
     
  10. tonyk2000

    tonyk2000 Top Contributor VIP ★★★★★★★★★★

    Posts:
    2,467
    Likes Received:
    4,426
    Yeah, porkbun is fine. Really like everything @ porkbun - except the name LOL.

    Should Epik survive, they might want to consider something similar if they want to be trusted:

    https://www.encirca.com/soc2-certified/

    EnCirca’s SOC 2 Audit Reports
    EnCirca is pleased to provide copies of its SOC 2 security audit report available to existing and prospective customers, partners and Registry suppliers. The 84-page SOC 2 Report is available after the execution of a Non-Disclosure Agreement. For those of you who do not require this level of detail, a shorter 10-page SOC 3 Report is publicly available below.

    What is SOC 2 Certification?
    SOC 2 certification assures clients we use systems to protect their data. It audits security, availability, process integrity, privacy and confidentiality. EnCirca has a Type 2 certification covering a twelve month period from March 1, 2019 to February 29, 2020.

    SOC 2 covers operational control systems following a predefined Trust Services Principles and Criteria around security, availability, process integrity, privacy and confidentiality. SOC 2 certification assures our customers that we have adequate control systems in place to safeguard their data and information.


    EnCirca is a stable retail registrar. Had a few SnapNames catches with them (years ago). No issues.

    Edited: the copypasted text above refers to 2020, but it seems they are also set for 2021:
    https://www.encirca.com/wp-content/uploads/2021/04/EnCirca-2021-SOC-3-Audit.pdf
     
    Last edited: Sep 27, 2021
  11. oldtimer

    oldtimer Do some good for humanity and the environment VIP ★★★★★★★★★★

    Posts:
    3,828
    Likes Received:
    5,671
    In reality right now nobody really knows how all the other 600 or so retail Registrars are handling customer data and its storage.

    Brad, I consider you to be a fair and professional member of the forum, and as such wouldn't you agree that, as we are holding Epik accountable for some of their actions (or lack thereof), it's equally important to do an industry-wide inspection of all the security and business practices of all the other Registrars and Registries at this time?

    If the goal is to protect the customers (the Registrants), don't you think that there should be some kind of uniform standards and protocols when it comes to keeping customers' data safe, and don't you think that ICANN should immediately implement certain safeguards across the board to make sure that the situation with Epik doesn't occur again in the future with any other Registrar?

    We need to hold Epik accountable but if the goal is customer (Registrant) safety and security then focusing all our attention on Epik and ignoring all the other 600 or so retail Registrars doesn't sound very smart.

    Logic says that we should use this as a learning experience to fix the whole Industry.

    IMO
     
    Last edited: Sep 27, 2021
  12. astrade

    astrade Established Member

    Posts:
    27
    Likes Received:
    31
  13. Derek Peterson

    Derek Peterson Restricted (15-30%) Gold Account

    Posts:
    323
    Likes Received:
    252
    It would be better if you didn't tell me what to do and started caring about others, the 100,000 people who have had their lives destroyed by a man. I confronted Rob years ago about his lies and lack of concern for his users' privacy and now we have this and based on his arrogant and insane response thus far he doesn't care.

    Edit by moderator: name calling and threats removed. Warning issued.
     
    Last edited by a moderator: Sep 27, 2021
  14. Derek Peterson

    Derek Peterson Restricted (15-30%) Gold Account

    Posts:
    323
    Likes Received:
    252
    This is correct. Only people who don't care about their users or the laws would try to store credit card details of their users, which is exactly why we are all in this thread talking about the actions of Epik and Rob Monster.
     
  15. Truespin Domains

    Truespin Domains Top Contributor VIP

    Posts:
    1,784
    Likes Received:
    1,357
    This is my concern. I have only ever used Epik once for an escrow, at the request of the buyer. I had to provide them with various documentation - which could now be circulating freely.

    Great.
     
    Last edited: Sep 27, 2021
  16. Jurgen Wolf

    Jurgen Wolf Top Contributor VIP ★★★★★★★★★★

    Posts:
    12,128
    Likes Received:
    11,027
    Free speech boomerang for Rob...
     
  17. Derek Peterson

    Derek Peterson Restricted (15-30%) Gold Account

    Posts:
    323
    Likes Received:
    252
    Rob doesn't agree with free speech. He has tried to get me banned here, on Twitter and on Gab, and now one of his shills is trying to get me banned here using fake multiple accounts. Rob is not a good guy and he has hurt a lot of people.
     
  18. NicTraders

    NicTraders Top Contributor VIP Gold Account

    Posts:
    3,164
    Likes Received:
    1,485
    Wow, your animosity is remarkable. Especially considering that you said you were a Christian yourself in your first post in this thread from memory. Obviously, as a Christian, you would know all those verses about 'He who is without sin, cast the first stone', and so on. And yet it seems your sole purpose here is to share how you are going to take revenge on Rob.
     
  19. Derek Peterson

    Derek Peterson Restricted (15-30%) Gold Account

    Posts:
    323
    Likes Received:
    252
    Just because you are "saving your credit card" on a particular site does NOT mean that website is actually storing your credit card details. In almost all cases there is a secure API which connects that website with a payment gateway, like Stripe, PayPal or Authorize.net. That is the issue: Rob/Epik apparently actually stored the details on their own server.
     
  20. Windoms

    Windoms Top Contributor VIP

    Posts:
    1,079
    Likes Received:
    1,896
    Question is how many total users does Epik have.
    Because 110,000 is a lot.
    If 110,000 was the total users,
    how many total cards were actually used on Epik?
    38,000?

    Because I'm sure many users never made a single transaction, and others used other payment methods such as PayPal from the time it was available.

    Does any tech guy know how many accounts are actually on Epik?
     
    Last edited: Sep 27, 2021
  21. Derek Peterson

    Derek Peterson Restricted (15-30%) Gold Account

    Posts:
    323
    Likes Received:
    252
    I am a born again Christian and I sincerely care about and love others, but part of loving the innocent is hating the evil ones that do such things. Rob and his friends are evil and they deserve to be broke in prison for what they have done. Just like a drunk driver who has had many warnings should be in prison and all his assets taken and given to those he hurt.
     
  22. Windoms

    Windoms Top Contributor VIP

    Posts:
    1,079
    Likes Received:
    1,896
    You can say 110,000 lives got destroyed, I will punish him by doing so and so (I can guess you were referring to your documentary).
    But things like "I'm punishing anyone who supports him", not good. Many are supporting him because they genuinely think he's a good guy with good intentions.

    So take it easy.
     
  23. bmugford

    bmugford www.DataCube.com PRO VIP ICA Member ★★★★★★★★★★

    Posts:
    14,179
    Likes Received:
    27,376
    No offense, but this is just deflection. It seems very similar to trying to turn Epik's data breach issue into an ICANN issue before that.

    There are uniform standards. PCI compliance.

    What Epik was doing is not compatible with those standards. Period.

    Again -

    PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized. Some service providers offer a concierge-style service, where cardholder details are retained by the provider to facilitate potential future transactions. Retention of card verification codes/values for this purpose is also prohibited under PCI DSS Requirement 3.2.

    If you have any information about other companies blatantly violating PCI compliance, I would be more than happy to discuss that, in another thread.

    Brad
     
    Last edited: Sep 27, 2021
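    The retention rule quoted above (PCI DSS Requirement 3.2) and the gateway-token point from the earlier post, as an added Python illustration that is not from this thread; the gateway response shape, field names and card numbers are constructed assumptions:

```python
"""Constructed illustration: what a merchant may keep after authorization
(a gateway token, last four digits, expiry) versus what PCI DSS 3.2 forbids
retaining (the full PAN and the card verification code), plus a small audit
that flags stored records violating that rule."""
import re
from dataclasses import dataclass


def luhn_valid(number: str) -> bool:
    """Mod-10 check used to tell a real-looking PAN from other digit runs."""
    digits = [int(d) for d in number if d.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class StoredCard:
    """Only what a merchant is allowed to retain post-authorization."""
    gateway_token: str   # opaque reference issued by the payment gateway
    last4: str
    expiry: str


def tokenize_for_storage(gateway_response: dict) -> StoredCard:
    """Build the persisted record from a (constructed) gateway response.
    The response may carry the PAN only transiently; CVV is never copied."""
    pan = gateway_response["pan"]
    return StoredCard(gateway_token=gateway_response["token"],
                      last4=pan[-4:], expiry=gateway_response["expiry"])


# Field names that would indicate a retained card verification code.
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "cid", "card_verification"}


def audit_record(record: dict) -> list:
    """Heuristic check of one stored record: verification-code fields and
    any Luhn-valid 13-19 digit value (a raw PAN) are reported as findings."""
    findings = []
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            findings.append(f"{key}: verification code retained")
        elif isinstance(value, str) and luhn_valid(re.sub(r"\D", "", value)):
            findings.append(f"{key}: full PAN retained")
    return findings
```

    Running the audit over a table dump before and after migrating to gateway tokens is a quick way to confirm that no CVV or raw PAN columns survived the change.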
  24. Derek Peterson

    Derek Peterson Restricted (15-30%) Gold Account

    Posts:
    323
    Likes Received:
    252
    Yes and also a class action lawsuit that is being prepared and hopefully even criminal charges. Also, I honestly don't think anyone is supporting at this point that wasn't complicit or is getting paid to do so.

    Rob has made many false claims, endangering the privacy and security of his users, and has threatened many people for many years for simply exposing these things to get us here. It is like some mafia guy who keeps killing people in drunk driving accidents and then threatens the family of the ones he killed and judges and lawyers to keep out of trouble. This isn't a stand-alone incident and I don't even think it was incompetence.
     
  25. Silentptnr

    Silentptnr Domains88.com VIP

    Posts:
    16,721
    Likes Received:
    48,280
    Received this email this morning.


    Your password has been reset.

    Dear ******************,



    Due to the recent security breach at domain registrar Epik, we are taking the precaution to reset your password.



    What has been done?

    To ensure the integrity of your Escrow.com account we have triggered a password reset of your account to ensure that your account is not compromised by the data leak.

    Go to Escrow.com (link disabled for this post)
    Your security is our top priority as the world’s largest online escrow service. Please follow the reset password process sent to you from Escrow.com or go directly to Escrow.com and follow the steps outlined on our website.



    Regards,

    Escrow.com Security Team
     