VadimK

Top Contributor
Impact
1,773
The lack of any response by Epik is troubling, even a basic update on what is going on.

I understand if things are going on behind the scenes, but you have (37) Epik staff members on NamePros.

A basic "We are aware of the reports and are researching the situation" or something similar is needed.

Brad

That's exactly what they say, I just chatted to their live chat few minutes ago.
 

AEProgram

Top Contributor
Impact
4,599
My CS team confirmed, - it is known that the Archive (is) is being used as a disinfo hub for .... years. The easiest way was/is to manipulate screenshot metadata (f.e. jpg/png source code) but also there's injecting the fw code (no further info) ...
How did they get into Epik, and is it possible Epik didn't fix the site and they still can get in?
 
If fake attack - why slowness yesterday?
I don't believe: that their platform is so weak in terms of load, where even own customers can affect it...
Speed is usual today. With ~ the same volume of customers.
So some DDoS was yesterday definitely.
 

Kingslayer

Top Contributor
Impact
5,783
Here in the UK a company would need to report it to the ICO within 72 hours and would need to inform their customers - not sure what they have to do in the U.S. - are they legally required to notify anybody, including customers?

If a company allows EU (and UK) citizens on their site and takes on EU (and UK) customers, that company, no matter where it is from, has to abide by GDPR and other data protection laws where its customers are from.

I posted this article yesterday on potential lawsuits, but edited my post as, reflecting on it, I felt it wasn't the time to talk about that; but as @equity78 posted something about fines/lawsuits, I will post it again:-

https://www.data-breaches.co.uk/data-breach-protection-claims-and-compensation/amounts/

(if you scroll down, there's a list of fines major companies have received for data breaches)

As said, data protection is very serious and I feel there has definitely been some kind of breach; Epik alerting customers to this breach should be the no. 1 priority.
 
Last edited:

Mr Wash

Upgraded Member
Impact
77
Still hanging on 5.8% ... for hours. The examples don't look like there's something "important". You can easily collect SSH, DNSSEC and other public keys and in-out domain transfer/movement data. That's mostly "good-natured" data.
It is private keys. No, that is not "good natured" data. And SSH has absolutely zero to do with DNSSEC.
 

Mr Wash

Upgraded Member
Impact
77
My CS team confirmed, - it is known that the Archive (is) is being used as a disinfo hub for .... years. The easiest way was/is to manipulate screenshot metadata (f.e. jpg/png source code) but also there's injecting the fw code (no further info) ...
This is inaccurate. Your "CS team" is wrong.
 

Paul

Tech, NamePros
Impact
4,468
I would really like to hear from who I think are the two of the top smartest people on these topics on this forum, @Paul @Michael

It does appear to be real. There's an awful lot of data and I don't have time to comb through it all right now, but here's what I've seen so far for Anonymize users, which is a smaller, more approachable dataset than the registrar data:
  1. Passwords hashed with MD5
  2. Plaintext passwords (appears to be a small subset, possibly staff)
  3. PII, including full physical address, name, email, and phone number
There is probably quite a bit more data--this is just what I've glanced at so far for Anonymize.

The data does not appear faked or generated. There is accurate information that I would not expect to be public or widely known. cc @Lox

We're anticipating a significant increase in credential stuffing attacks as a result of the weak password hashing.
 
Last edited:
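To make concrete what Paul's "passwords hashed with MD5" finding means for a defender, here is an added example (not code from Epik, NamePros or this thread) using a constructed user table: unsalted MD5 gives two users with the same password the same stored value, and a login path can transparently re-hash legacy MD5 or plaintext entries with salted scrypt on the next successful login. Names such as LEGACY_USERS, classify and login are assumptions for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample "user table" in the shapes the post describes: two rows hold
# legacy unsalted MD5 hex digests, one row holds a plaintext password.
LEGACY_USERS = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password")
    "bob":   "5f4dcc3b5aa765d61d8327deb882cf99",  # same password -> identical hash, no salt
    "carol": "hunter2",                            # stored in plaintext
}

def classify(stored: str) -> str:
    """Label a stored credential by format: 'scrypt', 'md5' or 'plaintext'."""
    if stored.startswith("$scrypt$"):
        return "scrypt"
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored):
        return "md5"
    return "plaintext"

def scrypt_hash(password: str, salt: bytes = b"") -> str:
    """Salted, memory-hard hash; a fresh random salt per user defeats shared-hash lookups."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return "$scrypt$" + salt.hex() + "$" + digest.hex()

def scrypt_verify(password: str, stored: str) -> bool:
    _, _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), n=2**14, r=8, p=1)
    return hmac.compare_digest(digest.hex(), digest_hex)

def login(users: dict, username: str, password: str) -> bool:
    """Verify against whatever format is stored; upgrade legacy rows on success."""
    stored = users[username]
    kind = classify(stored)
    if kind == "scrypt":
        return scrypt_verify(password, stored)
    if kind == "md5":
        ok = hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)
    else:
        ok = hmac.compare_digest(password.encode(), stored.encode())
    if ok:
        users[username] = scrypt_hash(password)  # replace MD5/plaintext with salted scrypt
    return ok
```

Rows that never log in again are not upgraded by this path, which is why a forced password reset after a leak is still needed alongside the migration.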

Paul

Tech, NamePros
Impact
4,468
My personal stance on this:

Companies are going to get hacked; that's just the way it is. While there are clearly security lapses visible in the data, that's no different from any other company. Maybe it was hacktivism, maybe it was a disgruntled customer, maybe it was just someone who thought it was fun--it doesn't really matter.

Epik is going to be facing a lot of criticism in the coming days, both for falling victim to an attack and for issues with the data that has been leaked. There are going to be more eyeballs on their security practices than they could ever hope to have otherwise. Keep that in mind when you're reading about how they failed to secure X or didn't follow best practice Y.

That being said, some of the mistakes here do appear egregious, and I would hope that a company of their importance would learn their lesson and hire security professionals in the future.

Cleartext and MD5!! This is the best they could do?!

That's what I'm seeing, but I can't easily verify the passwords + hashes themselves haven't been tampered with--although, based on the rest of the dataset, I have no reason to doubt their authenticity.

This is really bad news. There shouldn't even be a single plaintext around.

It's quite possible that the plaintext passwords are intended for outbound authentication--that is, authenticating to third-party services. In that case, they would need to be plaintext, or at least use reversible encryption (as opposed to hashing, which is one-way).
 
Last edited:

NickB

it's a mystery
Impact
14,081
......
My personal stance on this:

Companies are going to get hacked; that's just the way it is. While there are clearly security lapses visible in the data, that's no different from any other company. Maybe it was hacktivism, maybe it was a disgruntled customer, maybe it was just someone who thought it was fun--it doesn't really matter.

Epik is going to be facing a lot of criticism in the coming days, both for falling victim to an attack and for issues with the data that has been leaked. There are going to be more eyeballs on their security practices than they could ever hope to have otherwise. Keep that in mind when you're reading about how they failed to secure X or didn't follow best practice Y.

That being said, some of the mistakes here do appear egregious, and I would hope that a company of their importance would learn their lesson and hire security professionals in the future.

That's what I'm seeing, but I can't easily verify the passwords + hashes themselves haven't been tampered with--although, based on the rest of the dataset, I have no reason to doubt their authenticity.

It's quite possible that the plaintext passwords are intended for outbound authentication--that is, authenticating to third-party services. In that case, they would need to be plaintext, or at least use reversible encryption (as opposed to hashing, which is one-way).
I'll be honest, most of this talk (hashed with MD5, PII etc. etc.) is beyond me - I am not a technical person....

Any advice you can give on what people should do if they have an Epik account?
 
Last edited:

Paul

Tech, NamePros
Impact
4,468
Any advice you can give on what people should do if they have an Epik account?

If you use the same password on multiple websites, change it everywhere--and use a different password for each website. Websites get hacked; that's just the way it is. When they do, the passwords eventually leak. If someone can guess your NamePros password based on your password on ArbitraryCompromisedWebsite, you're going to end up with both accounts compromised.
 

NickB

it's a mystery
Impact
14,081
If you use the same password on multiple websites, change it everywhere--and use a different password for each website. Websites get hacked; that's just the way it is. When they do, the passwords eventually leak. If someone can guess your NamePros password based on your password on ArbitraryCompromisedWebsite, you're going to end up with both accounts compromised.
Nice one - thanks to your tip in a previous post about using a password generator I'm using (retracted generator name)...all my passwords are different (y)
 
Last edited:

Finest

Top Contributor
Impact
2,045
My personal stance on this:

Companies are going to get hacked; that's just the way it is. While there are clearly security lapses visible in the data, that's no different from any other company.

I'm in the security business and I fully understand that some passwords here and there will slip through the cracks and remain unprotected. But to rely on an algorithm that's been compromised for years for mass hashing is utter negligence.
 

Mister Funsky

Top Contributor
Impact
21,887
Well, it is clear something happened and I'm sure we will know shortly if it was anything significant...as of now, everything is operating as usual.

Now would be a time to change PIN and password, just in case the fruitcakes were able to get some of that information.

This type of event is just part of existing in a digital world...hacks, attempted hacks and system overloads are part of daily business. I'm sure Epik will take the appropriate steps.

The 'story' will come out eventually as to what happened and if any damage occurred. I will continue to operate as usual buying and selling on Epik.
 

eternaldomains

Established Member
Impact
356
It's quite possible that the plaintext passwords are intended for outbound authentication--that is, authenticating to third-party services.

So, isn't this like, FederatedIdentity.com is the 3rd party, and then Epik.com stores pw in plaintext so that FederatedIdentity.com can authenticate it? And if that's the case, aren't all those Google+FB logins on unrelated websites extremely dangerous?
 