
Epik Had A Major Breach

Labeled as alert in Warnings and Alerts, started by Silentptnr, Sep 14, 2021

Replies:
3,353
Views:
178,225

  1. Jurgen Wolf

    Jurgen Wolf Top Contributor VIP ★★★★★★★★★★

    Posts:
    12,074
    Likes Received:
    10,958
    What are the real roots (motivation) of these attacks?
    Competitors, discrimination, Trumpism etc. or what?
    Epik must consider it first.
     
    The views expressed on this page by users and staff are their own, not those of NamePros.
  2. Paul

    Paul CTO, NamePros CTO VIP Gold Account

    Posts:
    2,205
    Likes Received:
    4,245
    Yes, and there's going to be no shortage of people pointing it out. So far, I've only looked at the data for Anonymize; it's possible that passwords for other services are using something better.

    That being said, all hashing is just designed to buy time. Even if they were using bcrypt or argon2, the passwords would get out eventually. People should be changing their passwords regardless.

    The biggest challenge for them in the near-term is going to be locking everything down. Again, I've only glanced at the data, but they appear to have a massive attack surface with a lot of moving parts. I suspect there's no shortage of holes, and there are going to be quite a few people combing through the dataset looking for additional vulnerabilities.

    To give you an example, NamePros processes payments through Stripe. In order to authenticate with Stripe, a third-party service, NamePros needs to store a password in plaintext--not your password, just a password, one provided to us by Stripe. There's no way around that.

    I don't know what the plaintext passwords I saw were intended to be used for, but there weren't many of them. The user accounts were using MD5 (which might as well be plaintext).

    Nobody is going to know until it lands in court. It's also by far the least important aspect of their immediate response, since their priorities should be securing their infrastructure and notifying affected parties.
     
    Last edited: Sep 15, 2021
  3. LOLed

    LOLed Established Member

    Posts:
    268
    Likes Received:
    742
    What else do you suggest for password encryption, if not MD5 with salt? Isn't it impossible to decrypt if they use a random and strong key?

    Edited
     
    Last edited: Sep 15, 2021
  4. Jurgen Wolf

    Jurgen Wolf Top Contributor VIP ★★★★★★★★★★

    Posts:
    12,074
    Likes Received:
    10,958
    Then why is superbuggy Dynadot not hacked???
     
  5. Paul

    Paul CTO, NamePros CTO VIP Gold Account

    Posts:
    2,205
    Likes Received:
    4,245
    Salted MD5 is not and will never be sufficient. It's entirely possible to crack. (Edit: The passwords I've seen so far in the breach did not appear to be salted anyway.)

    Don't try to roll your own crypto. If you're working with PHP, use password_hash and password_verify--as of writing, those will use bcrypt or argon2, both of which are acceptable. If you're working with a different technology, consult the industry best practices. Do not try to come up with your own scheme.
     
    Last edited: Sep 15, 2021
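
A sketch of the advice in the post above for a site that still stores bare MD5 digests, added here as an example and not code from the thread or from NamePros: verify against the old digest one last time at login, then replace it with `password_hash`. The `$users` array, the function names and the sample accounts are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed in-memory "users table" standing in for a database (hypothetical).
// alice still has a legacy unsalted MD5 digest; bob already has a modern hash.
$users = [
    'alice' => ['hash' => md5('correct horse battery')],
    'bob'   => ['hash' => password_hash('tr0ub4dor&3', PASSWORD_DEFAULT)],
];

/** True when the stored value looks like a bare 32-hex-digit MD5 digest. */
function is_legacy_md5(string $stored): bool
{
    return preg_match('/\A[0-9a-f]{32}\z/i', $stored) === 1;
}

/** Check a login; on success, replace a legacy or outdated hash in place. */
function verify_and_upgrade(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['hash'];

    if (is_legacy_md5($stored)) {
        // Constant-time comparison against the old digest, one last time.
        $ok = hash_equals(strtolower($stored), md5($password));
    } else {
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return false;
    }
    // Login is the only moment the plaintext is available, so re-hash now.
    // password_needs_rehash also catches hashes made with an older cost/algorithm.
    if (is_legacy_md5($stored) || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Demo on the constructed accounts: alice's MD5 digest is replaced after login.
printf("alice login ok: %s\n", var_export(verify_and_upgrade($users, 'alice', 'correct horse battery'), true));
printf("alice still on MD5: %s\n", var_export(is_legacy_md5($users['alice']['hash']), true));
printf("bob wrong password: %s\n", var_export(verify_and_upgrade($users, 'bob', 'guess'), true));
```

Accounts that never log in again keep their MD5 digest under this scheme, so after a breach those need a forced reset instead of waiting for the next login.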
  6. Paul

    Paul CTO, NamePros CTO VIP Gold Account

    Posts:
    2,205
    Likes Received:
    4,245
    Buggy doesn't necessarily mean insecure. All websites get hacked eventually, though.
     
  7. Jurgen Wolf

    Jurgen Wolf Top Contributor VIP ★★★★★★★★★★

    Posts:
    12,074
    Likes Received:
    10,958
    Dynadot is not even 10% of the traditional hype around Epik...
    That's why they live without such adventures.
     
  8. eternaldomains

    eternaldomains Established Member

    Posts:
    489
    Likes Received:
    330
    No reason for hack. No politics, no price hold. Lack of CEO presence. Almost like a normal nobody in people's eyes if you ask me.
     
  9. johnn

    johnn WeSellName.com PRO VIP ★★★★★★★★★★

    Posts:
    17,784
    Likes Received:
    8,247
    There is a big difference between hacking and a DDoS attack.
     
  10. Windoms

    Windoms Top Contributor VIP

    Posts:
    1,068
    Likes Received:
    1,883
    "Map out a decade of online fash with a level of clarity nobody has been able to until now."
    "This dataset is all that's needed to trace actual ownership and management of the fascist side of the internet that has eluded researchers, activists, and well, just about everybody. And maybe have a little extra fun. For the lulz."

    Some people are in very hot water.
     
  11. Digital Kush

    Digital Kush Restricted (33% DM)

    Posts:
    909
    Likes Received:
    82
    This is really hectic 😨
    Can we have the best registrars to keep our domains safe? For crypto we have Nano Ledger etc., or keep private keys...
    Any best solution for keeping domains safe?
     
    Last edited: Sep 15, 2021
  12. Jurgen Wolf

    Jurgen Wolf Top Contributor VIP ★★★★★★★★★★

    Posts:
    12,074
    Likes Received:
    10,958
    Last edited: Sep 15, 2021
  13. Jurgen Wolf

    Jurgen Wolf Top Contributor VIP ★★★★★★★★★★

    Posts:
    12,074
    Likes Received:
    10,958
    MarkMonitor.
     
    Last edited: Sep 15, 2021
  14. jhm

    jhm Glazed

    Posts:
    3,546
    Likes Received:
    4,887
    When certain hackers are all about freedom / anti-establishment, I can ride along with that to some degree. The compromising of people, putting their stuff at risk, invading privacy ...not so much
     
    Last edited: Sep 15, 2021
  15. cbd

    cbd Top Contributor VIP Gold Account

    Posts:
    2,373
    Likes Received:
    1,305
    Personally, I'm going to de-list my ~10 domains that are transfer-locked at Epik until I have the ability to move them out. Sadly I transferred them there recently to save a buck.
     
  16. Paul

    Paul CTO, NamePros CTO VIP Gold Account

    Posts:
    2,205
    Likes Received:
    4,245
    Everyone gets hacked eventually, and MarkMonitor is no exception. Their situation wasn't as bad as Epik's appears to be, but it was still a blunder.

    We're just going to see more and more of these issues as time goes on.
     
    Last edited: Sep 15, 2021
  17. Jurgen Wolf

    Jurgen Wolf Top Contributor VIP ★★★★★★★★★★

    Posts:
    12,074
    Likes Received:
    10,958
    Last edited: Sep 15, 2021
  18. eternaldomains

    eternaldomains Established Member

    Posts:
    489
    Likes Received:
    330
    Wow, and this news is this month. To think someone had a chance to use Coinbase to phish for bitcoins, or Google to mess with everything.... ridiculous.
     
  19. br1ll1on

    br1ll1on Established Member

    Posts:
    197
    Likes Received:
    210
    You're right, but nothing is more disappointing and annoying than their silence. This is where you alert your users and ensure they take measures to avoid further damage, like losing their domains (I'm pretty sure not everyone using Epik knows about this yet).
     
  20. Silentptnr

    Silentptnr Domains88.com VIP

    Posts:
    16,714
    Likes Received:
    48,271
     
  21. Paul

    Paul CTO, NamePros CTO VIP Gold Account

    Posts:
    2,205
    Likes Received:
    4,245
    Given a large enough attack surface and a sufficient supply of nefarious individuals, someone somewhere will eventually find a reason to hack anything. Let the courts get to the bottom of that; there's no point in speculating.

    Otherwise, this is just going to turn into an unproductive flame war with one side claiming Epik had it coming and the other claiming it's a false flag operation, with both sides offering no evidence beyond a hunch.

    There appears to be a lot of data here, and it's going to take researchers quite a while to get through it all, myself included. All that's known thus far is that you should change your passwords. I know everyone is eager to point fingers, but we just don't have the information we need to come to educated conclusions yet.

    Perhaps, but right now they're probably stuck trying to lock everything down and figure out what happened. Most sites can be taken offline during incident response; registrars don't really have that luxury. I'm sure there are plenty of frustrated people running on nothing but caffeine and anxiety right now.

    Let's all learn from this: plan for breaches now; don't improvise as you go. Every website gets hacked. If you run a website and haven't already planned for that inevitability, now is the time to start so you're not fumbling in-the-moment.
     
  22. Lox

    Lox _____ VIP

    Posts:
    3,826
    Likes Received:
    7,018
    source twitter (old data - afternic lic)
     
  23. Jurgen Wolf

    Jurgen Wolf Top Contributor VIP ★★★★★★★★★★

    Posts:
    12,074
    Likes Received:
    10,958
    I'm 1000% sure that all these technical aspects are absolutely secondary in the EPIK FAIL story.
     
  24. tonyk2000

    tonyk2000 Top Contributor VIP ★★★★★★★★★★

    Posts:
    2,466
    Likes Received:
    4,418
    Epik might want to:

    1) Shut everything down in the meantime. The sky would not fall. Why? There is a possibility of unauthorized transfers away...

    2) Hire an external security (server management, etc.) company, and ASAP.

    3) Clean/upgrade/etc. all the systems and restore the service with an obligatory password change, as well as a 2FA reset, after next login.

    4) Send email to all customers, but, for god's sake, without mentioning politics or anything similar.

    5) Since Epik earned a certain level of trust (not with all the domaining community, but it is irrelevant in this context) - honesty would be the key to survival. Some members right in this thread support Epik, some don't, some like it, some don't, but it should be obvious enough that a "disappeared" domaining-friendly registrar would not benefit the industry as a whole in any aspect.
     
  25. eternaldomains

    eternaldomains Established Member

    Posts:
    489
    Likes Received:
    330
    Somehow, it's, like, impossible, for them to separate their announcements from politics without activating a death curse.
     
