Epik Had A Major Breach

Silentptnr

Domains88.com, Top Member
Impact
46,702
The views expressed on this page by users and staff are their own, not those of NamePros.

karmaco

Top Member
Impact
11,734
Another potentially disturbing thing that hasn’t been mentioned was people having to submit documents to prove their identity to conduct sales on the platform. Wondering if this stuff was stored safely or does the dark web have our licenses, picture ids etc.
 

Future Sensors

78% of human domainers will be replaced by robots, Top Member
Impact
16,652
Impact
5,830
I have come across registrars that force you to save a card just to open an account. I don't like it.

BUT the simple method for removing the card is just: add other payment method: add Paypal.
Then delete the saved card at the registrar because they now allow that because you have another payment method saved.
Then go into the Paypal account and cancel the recurring payments authorisation for that merchant - they now cannot get payments from you unless you specifically authorise them.
 

Jurgen Wolf

standforUkraine.com, Top Member
Impact
11,827
Porkbun doesn't require PayPal agreement, nothing to cancel.
 

Jurgen Wolf

standforUkraine.com, Top Member
Impact
11,827

Kingslayer

Top Member
Impact
7,420
Another potentially disturbing thing that hasn’t been mentioned was people having to submit documents to prove their identity to conduct sales on the platform. Wondering if this stuff was stored safely or does the dark web have our licenses, picture ids etc.

A lot of sites make customers do that (PayPal, Escrow, betting sites etc), but it is a good question!

Once you submit this data it’s supposed to be discarded and retained only internally. Given that non-Epik customers are being affected by this breach (i.e. Epik collecting and storing personal data they didn’t need to collect), it wouldn’t surprise me if Epik customers’ identity documents such as passports were stored externally and therefore could be accessed by 3rd parties.
 

eternaldomains

Established Member
Impact
542
Porkbun, they really force you to have a CC on file???
I have used it for years via PayPal.

I remember at one time I paid with a CC and it got stuck there since.

Just now I checked back, was able to delete all payment methods from my dashboard. Either I thought wrong, or the bun did change something. Sorry for the bad reporting.
 

Future Sensors

78% of human domainers will be replaced by robots, Top Member
Impact
16,652
This thread raised the question of how other registrars deal with credit card handling and compliance.

Here's how Joker is doing it.

https://joker.com/?mode=page&page=security

Certified Credit Card Security at Joker.com
Joker.com fully complies with the requirements of the credit card industry, defined by the PCI Data Security Standard.
This includes a security audit, performed by an external service provider, executed every 3 months.
This serves to protect your payment data, which Joker.com handles with greatest care. Joker.com uses this data solely for the purpose of payment.
You can click the Sysnet logo on their site to see the latest compliance info.


Mary Muse

Top Member
Impact
3,100
We need to hear from Epik.

If Rob can drop by this thread and continue to "like" random posts, then surely he can make a goddamn statement updating us on just how big of a mess this is.

It's absolutely bullshit
 
Yeah, porkbun is fine. Really like everything @ porkbun - except the name LOL.

Should Epik survive, they might want to consider something similar if they want to be trusted:

https://www.encirca.com/soc2-certified/

EnCirca’s SOC 2 Audit Reports
EnCirca is pleased to provide copies of its SOC 2 security audit report available to existing and prospective customers, partners and Registry suppliers. The 84-page SOC 2 Report is available after the execution of a Non-Disclosure Agreement. For those of you who do not require this level of detail, a shorter 10-page SOC 3 Report is publicly available below.

What is SOC 2 Certification?
SOC 2 certification assures clients we use systems to protect their data. It audits security, availability, process integrity, privacy and confidentiality. EnCirca has a Type 2 certification covering a twelve month period from March 1, 2019 to February 29, 2020.

SOC 2 covers operational control systems following a predefined Trust Services Principles and Criteria around security, availability, process integrity, privacy and confidentiality. SOC 2 certification assures our customers that we have adequate control systems in place to safeguard their data and information.


EnCirca is a stable retail registrar. I had a few SnapNames catches with them (years ago). No issues.

Edited: the copypasted text above refers to 2020, but it seems they are also set for 2021:
https://www.encirca.com/wp-content/uploads/2021/04/EnCirca-2021-SOC-3-Audit.pdf
 

oldtimer

SaveThyWorld.com Let's not leave anyone behind, Top Member
Impact
6,319
Saving your credit card information is not necessarily a violation. Many websites do it.

In reality right now nobody really knows how all the other 600 or so retail Registrars are handling customer data and its storage.

Brad, I consider you to be a fair and professional member of the forum, and as such wouldn't you agree that, while we are holding Epik accountable for some of their actions (or lack thereof), it's equally important to do an industry-wide inspection of all the security and business practices of all the other Registrars and Registries at this time?

If the goal is to protect the customers (the Registrants), don't you think that there should be some kind of uniform standards and protocols when it comes to keeping customer data safe, and don't you think that ICANN should immediately implement certain safeguards across the board to make sure that the situation with Epik doesn't occur again in the future with any other Registrar?

We need to hold Epik accountable but if the goal is customer (Registrant) safety and security then focusing all our attention on Epik and ignoring all the other 600 or so retail Registrars doesn't sound very smart.

Logic says that we should use this as a learning experience to fix the whole Industry.

IMO
 

astrade

Established Member
Impact
116
Escrow.com is taking steps.
Impact
1,279
It would be better if you kept your posts factual. Epik did not release these details. Anonymous released the details. Yes, Epik left the details vulnerable, no doubt, but they did not release them at all. It's pretty clear you have rather a vendetta against Rob. That's up to you, but your contribution to this thread might be more valuable if you'd leave some of the personal remarks about him out of this.

It would be better if you didn't tell me what to do and started caring about others, the 100,000 people who have had their lives destroyed by a man. I confronted Rob years ago about his lies and lack of concern for his users' privacy and now we have this and based on his arrogant and insane response thus far he doesn't care.

Edit by moderator: name calling and threats removed. Warning issued.
 
Impact
1,279
No online platform that takes card payments seriously stores them locally. At Dan for example, we store zero card information in our own database. We pass the information to Adyen and they store it, as they are the experts in keeping that data safe. So having your card information stored somewhere isn't the problem, but how and by whom it's stored is important to know.

This is correct. Only people who don't care about their users or the laws would try to store the credit card details of their users, which is exactly why we are all in this thread talking about the actions of Epik and Rob Monster.
 

Truespin Domains

Top Member
Impact
1,340
Another potentially disturbing thing that hasn’t been mentioned was people having to submit documents to prove their identity to conduct sales on the platform. Wondering if this stuff was stored safely or does the dark web have our licenses, picture ids etc.
This is my concern. I have only ever used Epik once for an escrow, at the request of the buyer. I had to provide them with various documentation, which could now be circulating freely.

Great.
 

Jurgen Wolf

standforUkraine.com, Top Member
Impact
11,827
Free speech boomerang for Rob...
 
Impact
1,279
Free speech boomerang for Rob...


Rob doesn't agree with free speech. He has tried to get me banned here, on Twitter and on Gab, and now one of his shills is trying to get me banned here using multiple fake accounts. Rob is not a good guy and he has hurt a lot of people.
 
Impact
2,269
It would be better if you didn't tell me what to do and started caring about others, the 100,000 people who have had their lives destroyed by an arrogant, insane fake Christian man. I confronted Rob years ago about his lies and lack of concern for his users' privacy and now we have this and based on his arrogant and insane response thus far he doesn't care.

And btw, you haven't seen anything yet. I am going to punish Rob for this greatly and anyone foolish enough to defend him.
Wow, your animosity is remarkable. Especially considering that you said you were a Christian yourself in your first post in this thread from memory. Obviously, as a Christian, you would know all those verses about 'He who is without sin, cast the first stone', and so on. And yet it seems your sole purpose here is to share how you are going to take revenge on Rob.
 
Impact
1,279
I have come across registrars that force you to save a card just to open an account. I don't like it.

BUT the simple method for removing the card is just: add other payment method: add Paypal.
Then delete the saved card at the registrar because they now allow that because you have another payment method saved.
Then go into the Paypal account and cancel the recurring payments authorisation for that merchant - they now cannot get payments from you unless you specifically authorise them.

Just because you are "saving your credit card" on a particular site does NOT mean that website is actually storing your credit card details. In almost all cases there is a secure API which connects that website with a payment gateway, like Stripe, PayPal or Authorize.net. That is the issue: Rob/Epik apparently actually stored the details on their own server.
 

Windoms

Top Member
Impact
1,948
Epik reported CC info was obtained for "a small subset of users". The total number of users affected was 110,000. So this 38,000 amount is not really a small subset.

Yes, calling that a "small subset" is grossly misleading in my view.

Brad
The question is how many total users Epik has.
Because 110,000 is a lot.
If 110,000 was the total number of users,
how many total cards were actually used on Epik?
38,000?

Because I'm sure many users never made a single transaction, and others used other payment methods such as PayPal from the time it was available.

Does any tech guy know how many accounts are actually on epik?
 
Impact
1,279
Wow, your animosity is remarkable. Especially considering that you said you were a Christian yourself in your first post in this thread from memory. Obviously, as a Christian, you would know all those verses about 'He who is without sin, cast the first stone', and so on. And yet it seems your sole purpose here is to share how you are going to take revenge on Rob.


I am a born-again Christian and I sincerely care about and love others, but part of loving the innocent is hating the evil ones that do such things. Rob and his friends are evil and they deserve to be broke and in prison for what they have done. Just like a drunk driver who has had many warnings should be in prison and all his assets taken and given to those he hurt.
 

Windoms

Top Member
Impact
1,948
It would be better if you didn't tell me what to do and started caring about others, the 100,000 people who have had their lives destroyed by an arrogant, insane fake Christian man. I confronted Rob years ago about his lies and lack of concern for his users' privacy and now we have this and based on his arrogant and insane response thus far he doesn't care.

And btw, you haven't seen anything yet. I am going to punish Rob for this greatly and anyone foolish enough to defend him.
You can say 110,000 lives got destroyed, I will punish him by doing so and so (I can guess you were referring to your documentary).
But things like "I'm punishing anyone who supports him" are not good. Many are supporting him because they genuinely think he's a good guy with good intentions.

So take it easy.
 
Impact
47,837
In reality right now nobody really knows how all the other 600 or so retail Registrars are handling customer data and its storage.

Brad, I consider you to be a fair and professional member of the forum, and as such wouldn't you agree that, while we are holding Epik accountable for some of their actions (or lack thereof), it's equally important to do an industry-wide inspection of all the security and business practices of all the other Registrars and Registries at this time?

If the goal is to protect the customers (the Registrants), don't you think that there should be some kind of uniform standards and protocols when it comes to keeping customer data safe, and don't you think that ICANN should immediately implement certain safeguards across the board to make sure that the situation with Epik doesn't occur again in the future with any other Registrar?

We need to hold Epik accountable but if the goal is customer (Registrant) safety and security then focusing all our attention on Epik and ignoring all the other 600 or so retail Registrars doesn't sound very smart.

Logic says that we should use this as a learning experience to fix the whole Industry.

IMO

No offense, but this is just deflection. It seems very similar to trying to turn Epik's data breach issue into an ICANN issue before that.

There are uniform standards. PCI compliance.

What Epik was doing is not compatible with those standards. Period.

Again -

PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized. Some service providers offer a concierge-style service, where cardholder details are retained by the provider to facilitate potential future transactions. Retention of card verification codes/values for this purpose is also prohibited under PCI DSS Requirement 3.2.

If you have any information about other companies blatantly violating PCI compliance, I would be more than happy to discuss that, in another thread.

Brad
 
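As an added example (not from any poster, nor from Epik or any registrar named here), this is the kind of data-discovery check a registrar could run over its own stored records to find exactly the retention that the PCI DSS passage above prohibits: Luhn-valid card numbers sitting in any field, including free text, and non-empty card verification fields. The field names and the sample records are constructed for the demonstration.

```python
import re

# Column names whose non-empty presence after authorization violates
# PCI DSS Requirement 3.2 (sensitive authentication data). Constructed list.
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "cid", "card_verification", "track_data", "pin"}

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out order ids and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers found in a string, separators removed."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, so the report itself stores no PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_records(records) -> list:
    """Return (record index, field, finding) for every PCI-relevant item in the records."""
    findings = []
    for idx, rec in enumerate(records):
        for key, value in rec.items():
            if key.lower() in FORBIDDEN_FIELDS and value not in (None, ""):
                findings.append((idx, key, "forbidden field stored"))
            for pan in find_pans(str(value)):
                findings.append((idx, key, "PAN " + mask_pan(pan)))
    return findings


# Constructed sample records: one tokenized correctly (gateway token plus last four
# digits only), one retaining full PAN and CVV, one with a PAN leaked into free text.
SAMPLE_RECORDS = [
    {"customer": "alice", "card_token": "tok_constructed_8f3a", "last4": "4242",
     "order_id": "1234567890123"},
    {"customer": "bob", "card_number": "4111 1111 1111 1111", "cvv": "123"},
    {"customer": "carol", "note": "refund requested for card 5555555555554444"},
]

if __name__ == "__main__":
    for idx, field, finding in scan_records(SAMPLE_RECORDS):
        print(f"record {idx} field {field!r}: {finding}")
```

The tokenized record produces no finding even though its order id is 13 digits long, because the Luhn check rejects it; a column-name audit alone would have missed the PAN in the free-text note.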
Impact
1,279
You can say 110,000 lives got destroyed, I will punish him by doing so and so (I can guess you were refering to your documentary).
But things like Im punishing anyone who supports him, not good. Many are supporting him because they genuinely think he's a good guy with good intentions.

So take it easy.

Yes and also a class action lawsuit that is being prepared and hopefully even criminal charges. Also, I honestly don't think anyone is supporting at this point that wasn't complicit or is getting paid to do so.

Rob has made many false claims, endangering the privacy and security of his users and threatened many people for many years for simply exposing these things to get us here. It is like some mafia guy who keeps killing people in drunk driving accidents and then threatens the family of the ones he killed and judges and lawyers to keep out of trouble. This isn't a stand alone incident and I don't even think it was incompetence.
 

Silentptnr

Domains88.com, Top Member
Impact
46,702
Received this email this morning.

Your password has been reset.

Dear ******************,

Due to the recent security breach at domain registrar Epik, we are taking the precaution to reset your password.

What has been done?

To ensure the integrity of your Escrow.com account we have triggered a password reset of your account to ensure that your account is not compromised by the data leak.

Go to Escrow.com (link disabled for this post)
Your security is our top priority as the world’s largest online escrow service. Please follow the reset password process sent to you from Escrow.com or go directly to Escrow.com and follow the steps outlined on our website.

Regards,

Escrow.com Security Team
 