alert Epik Had A Major Breach

[DaveX]

Just read this. Looks like Epik may have been hacked and sensitive data compromised...

Read here:
https://domainnamewire.com/2021/09/14/hackers-claim-significant-epik-breach/

Thought I would share this.

 

[noneisnone]

i would guess epik was a safe haven for people living under oppressive regimes makes you wonder if this leak is gonna cost people their lives in the literal sense ? 12 year old videos in syria of someone protesting is enough to get him the death penalty imagine a leak that indicate you run an opposition website sheeesh..

 

[jmcc]

Interesting new development in the Epik hack:

Apparently Epik and Rob have been helping the Feds for several years.

Complying with court orders and subpoenas isn't exactly helping the Feds as such. It would, I think, be a legal requirement. Law enforcement agencies can make such requests under various pieces of legislation and a registrar in the US has to comply. Registrars in other jurisdictions would also have to comply with court orders in their jurisdictions. Perhaps some people with a greater knowledge of the US legal system can clarify the process for these requests/orders.

Regards...jmcc

 

[Derek Peterson]

i would guess epik was a safe haven for people living under oppressive regimes makes you wonder if this leak is gonna cost people their lives in the literal sense ? 12 year old videos in syria of someone protesting is enough to get him the death penalty imagine a leak that indicate you run an opposition website sheeesh..

Exactly, that is my real issue with this whole thing. Rob is terrible human that should not ever be trusted.

 

[Derek Peterson]

Complying with court orders and subpoenas isn't exactly helping the Feds as such. It would, I think, be a legal requirement. Law enforcement agencies can make such requests under various pieces of legislation and a registrar in the US has to comply. Registrars in other jurisdictions would also have to comply with court orders in their jurisdictions. Perhaps some people with a greater knowledge of the US legal system can clarify the process for these requests/orders.

Regards...jmcc

I know it pretty well, as I stated in my post those are examples of actions with subpoenas, allegedly there are many, many more with no subpoena, just Rob getting back at people he doesn't like. I figured he was doing that and that is why I left many years ago when I saw him for what he is.

 

[noneisnone]

@Derek Peterson i wouldn't go that far derek ^^ i personally like rob he was always super nice to me and helpful but that doesn't mean the breach never happened in my book or to shift the blame to someone else. epik made a huge mistake that will probably cost people more than money..

 

[Derek Peterson]

@Derek Peterson i wouldn't go that far derek ^^ i personally like rob he was always super nice to me and helpful but that doesn't mean the breach never happened in my book or to shift the blame to someone else. epik made a huge mistake that will probably cost people more than money..

yes, but Rob has history of this. years ago he was touting a VPN that he claimed to own and had total control of and assured everyone they would be perfectly secure using his service. he was lying, it was a white label product that he was simply reselling. I called him out for it because I was worried about his users and he responded by calling me names, threatening me with court actions and even "judgement day" for simply telling the truth. He doesn't care about others. Be a man, just because he was "nice to you" doesn't mean he is a good guy.

Edit by moderator: removed name calling and rule reminder sent.

 

[oldtimer]

What makes you think i am not participating? Because i dont post endlessly off topic. I have read it all gramps, i have forgotten more than you will ever remember. I will continue reading, and by thanking, liking or disliking, i will be able to participate without endless irrelevant posts. This is out of my control, i am taking care of what i can at this end. Thanks Rob for opening my eyes. May God bless you and all those you love Amen

You haven't contributed anything of value (or substance) that is relevant to these discussions.

It's not your job to judge if my posts are on topic or not.

If you believe that I have made an inappropriate post you can report it to the Mods and let them deal with it, but if you want to take it upon yourself to limit or curtail my right to participate in these discussions then it's your actions and posts that are going to be off topic and that are going to continue to interfere with the discussions in this thread.

You don't need to reply if you are going to infringe on my rights further by trying to limit my participation in this forum.

IMO

 

[Qc4]

CC data is a big puzzle in this story. The original PDF (a link in the beginning, 60+ pages ago) was of opinion that there are no CC details included in the "release". It was unclear whether the hackers deleted those from public release OR they never got them. Later, there were screenshots showing partial CC numbers (without CVC/CVV codes). So, what really happened?

It seems that the CC numbers were saved for logging suspicious and fraudulent transactions. It doesn't make sense to me why they need to store so much information about them (especially since their payment gateway likely has a copy of the data), but the data includes the first 4 digits and last 4 digits of the CC number, the expiration date, the CVV code, and the billing information about the user.

There is another location that contains CC numbers (first 6 digits and last 4 digits), but it seems to be InTrust data from before the Epik acquisition. The transactions are only from 2009 and 2010.

A third location contains full CC numbers, but there are only 16 of them, and they are also from around the same time period.

Speaking of logs, it seems like a huge waste for Epik to store so much information for logging purposes. One table I see has almost 35 million entries. Do they really need to keep detailed logs from over 11 years ago?

 

[johnn]

First - I think the topic here is:
Epik Had A Major Breach
We don't need to waste time to discuss how to help Epik or Rob.
If they don't know how to run a business except Spamming everywhere then they will be out of business. This apply to any business not just the Registrars.
Second - There are 2 types of hacking -
- Using DDOS which bring massive traffic to the site to take the site down (which is not in this case)
- Or going to the backdoor and download Customer Data and exposed them to the public or sell them to the black market. So the owner will not even know that the site is hacked until the hacker tells them.
The site is running OK does not mean it's not being hacked.
And a suggestion for someone who keep posting off-topic posts: You can go ahead and create a thread yourself and not coming here wasting time and confuse people.

 

[bmugford]

It seems that the CC numbers were saved for logging suspicious and fraudulent transactions. It doesn't make sense to me why they need to store so much information about them (especially since their payment gateway likely has a copy of the data), but the data includes the first 4 digits and last 4 digits of the CC number, the expiration date, the CVV code, and the billing information about the user.

There is another location that contains CC numbers (first 6 digits and last 4 digits), but it seems to be InTrust data from before the Epik acquisition. The transactions are only from 2009 and 2010.

A third location contains full CC numbers, but there are only 16 of them, and they are also from around the same time period.

Speaking of logs, it seems like a huge waste for Epik to store so much information for logging purposes. One table I see has almost 35 million entries. Do they really need to keep detailed logs from over 11 years ago?

Again, MAJOR violations when it comes to PCI compliance, especially related to the CVV codes.

https://twitter.com/x/status/1439311347573932033

 

[Future Sensors]

https://twitter.com/x/status/1441280427860234247

 

[DN Playbook]

Proof? Is the site still up and running ? is the site doing business ? you want pertinent information that Epik cant share at this time... remember ... Investigations are ongoing ... do you have any reports of the data being used for criminal activity ?? CC use or ect ?? None have been reported that i have seen as of right now

Check your email if you are a Epik customer ... They said they are working on the exploits

I don't need to provide any damn evidence to say that Epik is doing fine and under the circumstances Rob is doing great

So your proof is that the site is up and running and it is accepting new customers and they are "working on it" and you "don't need to provide any damn evidence". Thanks for the news flash, sherlock. Wow everyone can go back to their business, nothing to see here folks. Sheesh.

The hackers didn't crash the site. They downloaded a searchable database of private data. People's lives have already been affected according to investigative reports.

 

[Derek Peterson]

I have already heard of several people losing their jobs because of this EPIK Hack. Is a class action lawsuit against this Rob Monster, or EPIK possible? Assuming this hack wasn't an inside job, which I believe it was.

 

[Beezy]

Does the carcass of Epik (and their customers) end up with Godaddy or Web.com in the end, i wonder.

 

[Embrand]

yes, but Rob has history of this. years ago he was touting a VPN that he claimed to own and had total control of and assured everyone they would be perfectly secure using his service. he was lying, it was a white label product that he was simply reselling. I called him out for it because I was worried about his users and he responded by calling me names, threatening me with court actions and even "judgement day" for simply telling the truth. He is a psychopath, he doesn't care about others. Be a man, just because he was "nice to you" doesn't mean he is a good guy. Weak, very weak you are.

Rob's TrustRatings (https://trustratings.com) also just copied the code from the huge review company TrustPilot (https://trustpilot.com), which I mentioned on NP several years ago and got me into a huge fight with him.

By the way, Epik still gets great reviews on TrustRatings: https://trustratings.com/epik.com. Strangely, nearly all reviewers have done just that one review...

I cannot condone hacking, but there is something not right about Robert Monster. And as expected, it all came crashing down.

 

[karmaco]

I have already heard of several people losing their jobs because of this EPIK Hack. Is a class action lawsuit against this Rob Monster, or EPIK possible? Assuming this hack wasn't an inside job, which I believe it was.

who lost their jobs?

 

[Derek Peterson]

who lost their jobs?

https://www.washingtonpost.com/technology/2021/09/25/epik-hack-fallout/

https://www.washingtonpost.com/technology/2021/09/25/epik-hack-fallout/

It is only just starting. It will be thousands.

 

[NicTraders]

Epik just released the full details of 100,000 people, many of whom are in vulnerable positions, some even life threatening.

It would be better if you kept your posts factual. Epik did not release these details. Anonymous release the details. Yes, Epik left the details vulnerable, no doubt, but they did not release them at all. It's pretty clear you have rather a vendetta against Rob. That's up to you, but your contribution to this thread might be more valuable if you'd leave some of the personal remarks about him out of this.

 

[eternaldomains]

I would be surprised if these credit card companies did not pull their services.

This appears to be such an egregious violation of pci compliance rules.

PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized. Some service providers offer a concierge-style service, where cardholder details are retained by the provider to facilitate potential future transactions. Retention of card verification codes/values for this purpose is also prohibited under PCI DSS Requirement 3.2.

Isn't this something that many registrars do? That "save your credit card for easier future transactions"? Good thing I don't use Porkbun anymore, they force you to to have at least 1 saved and if removal is wanted, you have to contact them. Aren't almost all registrars considered as violators of this rule?

 

[bmugford]

Isn't this something that many registrars do? That "save your credit card for easier future transactions"? Good thing I don't use Porkbun anymore, they force you to to have at least 1 saved and if removal is wanted, you have to contact them. Aren't almost all registrars considered as violators of this rule?

Saving your credit card information is not necessarily a violation. Many websites do it.

Epik's issue is a combination of things. The info was saved in a non-secure manner, with numbers, names, expirations, cvv, billing info.

But the big issue is the storage of CVV codes. It is an absolute no-no when it comes to PCI compliance.

First of all companies are not required to use a CVV code to bill a credit card. They often use it as a security measure against fraud and because it generally results in lower transaction fees.

Many companies will require the CVV code the first time, as a security measure to mitigate risk.

However, it is absolutely not allowed to store this information, which is something Epik was apparently doing.

What are the PCI compliance rules for CVV storage?

“(3.2.2.) Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after payment processing authorization is complete.”