Epik Had A Major Breach

The views expressed on this page by users and staff are their own, not those of NamePros.
The Texas GOP website was defaced before the data became public, and I have reason to believe that the hacker did that using information that was in the database. I'm not aware of any other cases but there have been a number of high-profile hacks in the last few weeks and I haven't been keeping up with all of them. If any Epik employees happen to be lurking here I would highly recommend resetting the passwords for all hosting accounts (and all accounts for anything, for that matter).

I think oathkeepers is also hosted at Epik. Not sure Epik can even reset passwords or if it would even matter. The hackers probably still have access to the live site.
 
I think oathkeepers is also hosted at Epik. Not sure Epik can even reset passwords or if it would even matter. The hackers probably still have access to the live site.
The wisest thing to do would be to shut down all their infrastructure and rebuild it from scratch, but as a domain registrar I'm not too sure they have the ability to do that. At the very least it would cause a mass panic and cause a huge influx of ICANN complaints.

I would also like to clarify that I intuitively suspect that the Oath Keepers hack was related to the Epik hack, but I cannot verify if or how that is the case.
 
The wisest thing to do would be to shut down all their infrastructure and rebuild it from scratch, but as a domain registrar I'm not too sure they have the ability to do that. At the very least it would cause a mass panic and cause a huge influx of ICANN complaints.

Yeah, they should at least partition things asap, at least so hosting account management is on some new server, shut down other services like VPN, and lock down all domains and then spend a year rebuilding. I see no other option either but even then I would never trust the guy.
 
The wisest thing to do would be to shut down all their infrastructure and rebuild it from scratch, but as a domain registrar I'm not too sure they have the ability to do that. At the very least it would cause a mass panic and cause a huge influx of ICANN complaints.

I doubt they're able to do that. Let's not forget they purchased the current registrar code by acquiring a registrar, not by developing it. But yes, wiping the drives, shutting it down and rebuilding from scratch would be wise. ICANN wouldn't like it though...
 
I've seen people making reports of leaked sales data and that the marketplace isn't functioning as it should be. Anyone can confirm?
 
I've seen people making reports of leaked sales data and that the marketplace isn't functioning as it should be. Anyone can confirm?
I do not currently have access to the databases, but one of the database dumps (epik_marketing) appears to be a snapshot of the main database for Epik's marketplace, and many tables in the registrar database appear to be related to aftermarket domain sales from various other marketplaces. It seems like Epik was collecting as much data as they possibly could, I'm sure that includes sales data. I don't know about the current state of the marketplace, but I certainly wouldn't trust it since I found evidence that Epik was collecting search requests, possibly for front running purposes.
 
I would think that it might be safe to do a complete damage assessment of how much total damage has been done to Epik in the sense of cost to repair or rebuild. Most carry insurance for such loss. This is provided the hacker is completely finished with the destruction at this time. Epik will come back better from all of this IMO.
 
I do not currently have access to the databases, but one of the database dumps (epik_marketing) appears to be a snapshot of the main database for Epik's marketplace, and many tables in the registrar database appear to be related to aftermarket domain sales from various other marketplaces. It seems like Epik was collecting as much data as they possibly could, I'm sure that includes sales data. I don't know about the current state of the marketplace, but I certainly wouldn't trust it since I found evidence that Epik was collecting search requests, possibly for front running purposes.

Good catch. I'm always afraid of searching for domains just for that reason. If true, competing with your customers on domain purchases is not a good look.
 
I've been looking at the domain name transactions and web types on Epik and it actually has a very high concentration of for-sale domain names. It has a classic domainer-friendly registrar profile.

The monthly crunch is still in progress. The three biggest DNS shifts in .COM seem to be portfolio shifts to DAN, Afternic and Bodis. The top two new gTLD shifts are to Afternic and DAN. These are DNS checks rather than registrar shifts. The registrar shifts will be in the ICANN reports published from January 2022 to April 2022.

Regards...jmcc
 
Once again, we do not allow vague, personal accusations. Please do not make this thread political; those discussions are already taking place elsewhere, and it isn’t the purpose of this forum.

Yes, which would include Epik and the CEO and other folks who work for Epik. A big part of discussing the hack is commenting on how poor the security was/is at Epik and their response and their past track record. That all falls on one person Rob Monster. Rob Monster is a person, therefore responses are "personal". See how that works. This thread is about much more than a technical analysis of how some hackers were able to get onto a server. It is about people, mostly Rob Monster and the decisions he makes and his character and abilities.

You saying "He is used to bullying employees and family or people he has control over" has nothing to do with the hack; that's a personal accusation.
 
You saying "He is used to bullying employees and family or people he has control over" has nothing to do with the hack; that's a personal accusation.

I was referring to his response to the hack - his live stream hack response video, his threatening Paul (CTO here) with legal action, his threatening of me with legal action and hinting at worse when I revealed his fake VPN. You see, when someone is a CEO of a company, their personal actions and words matter.
 
Good catch. I'm always afraid of searching for domains just for that reason. If true, competing with your customers on domain purchases is not a good look.
They were also logging all cart operations in the registrar database. I cannot think of a reason to even build a system capable of doing that unless you're planning on doing something shady. Maybe sniping good domains for which the checkout process was not completed?
 
I was referring to his response to the hack - his live stream hack response video, his threatening Paul (CTO here) with legal action, his threatening of me with legal action and hinting at worse when I revealed his fake VPN. You see, when someone is a CEO of a company, their personal actions and words matter.
And you or Paul happen to fall under this "employees and family or people he has control over" category?
 
And you or Paul happen to fall under this "employees and family or people he has control over" category?

Do you fall under this, "employees and family or people he has control over" category?
 
People these days don't even understand what they're really voting for, believing that their publicly available WHOIS data was meant to be private. Attacking just 1 registrar when they should be attacking the registrars that they are using.
Epik had a bunch of email addresses that weren't scraped from whois, which they were apparently using for "marketing" purposes. Moreover, they shouldn't have been scraping public whois records, as their very own whois server says in the response footer...
All registrar data, including registrant WHOIS data, is provided for public, non-commerical use only. Any information made available by Epik Inc and its affiliate registrars shall not be collected, distributed or used for any commercial activity. Third parties to agree not to use the data to allow, enable, or otherwise support any marketing activities, regardless of the medium used. Such media include but are not limited to e-mail, telephone, facsimile, postal mail, SMS, and wireless alerts.

People have every right to be angry at Epik, especially if they weren't Epik customers.
 
Does anyone know if any websites hosted by Epik have been "hacked" as a result the Epik data hacks?

Since Epik's leaks, I've had suspicious logins on my Twitter, Steam, Ubisoft and some not so known platforms, also a phishing e-mail from "my bank" (they got the bank's name right though) that I need to change my home banking password. No damage or modifications so far (due to 2FA, I guess), also no modifications on the domain names.

What's ringing my bell is that Paypal cut them like 2 years ago, and my bank called me last year to say that Epik LLC is not a trustful company and I should consider my ongoing transaction (luckily I used a virtual/disposable card). Apparently they knew something.

Always liked Epik, but Rob's attitude raised a lot of red flags in my head, his "god" references, narcissistic behavior, irrational rants and the lack of communication. Just transferred out all my domains, good bye Epik, and Rob, I hope you get your lesson out of this (you'd better start believing in your lawyers instead of Santa Claus).
 
Since Epik's leaks, I've had suspicious logins on my Twitter, Steam, Ubisoft and some not so known platforms, also a phishing e-mail from "my bank" (they got the bank's name right though) that I need to change my home banking password. No damage or modifications so far (due to 2FA, I guess), also no modifications on the domain names.

What's ringing my bell is that Paypal cut them like 2 years ago, and my bank called me last year to say that Epik LLC is not a trustful company and I should consider my ongoing transaction (luckily I used a virtual/disposable card). Apparently they knew something.

Always liked Epik, but Rob's attitude raised a lot of red flags in my head, his "god" references, narcissistic behavior, irrational rants and the lack of communication. Just transferred out all my domains, good bye Epik, and Rob, I hope you get your lesson out of this (you'd better start believing in your lawyers instead of Santa Claus).

Do you use the same password on those other accounts? Were those logins part of the Epik data?
 
Do you use the same password on those other accounts? Were those logins part of the Epik data?

No, all of my passwords are different, like 95% of them, and also not even close to each other. None of them are similar to my Epik password. I never had those alerts before, like ever, and also correlating the events, there is no coincidence that those were part of the hack. The "leaked" virtual drive is at anyone's fingers to download (I won't detail this), there are 300GB of data that also contain plain-text passwords from login failures (MD5), and they could be easily run over a dynamic wordlist, that's like 90% of the job done. Call me paranoid, but I'd change all of the passwords since Epik also collected data outside their platform (like, A LOT of it).
 
there are 300GB of data that also contain plain-text passwords from login failures (MD5)
Epik was storing the login failures including client IP address, email, and password in plain text, not MD5 hashes. The correct passwords were stored as unsalted MD5 hashes, but mistyping your email address along with the correct password would cause your password to be stored as plaintext in the failed logins table. This means you can use the failed logins table as a dictionary for trivially cracking a large number of the correct passwords. Unsalted MD5 hashes are not very secure in the first place, so they're not hard to crack unless the password is very long and complex.

Call me paranoid, but I'd change all of the passwords since Epik also collected data outside their platform (like, A LOT of it).
I agree with this. You should change your password for every account unless you're absolutely 100% positive that the password in question hasn't been compromised.
 
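An added example (not code from the thread or from Epik) that puts the two storage patterns described above side by side: the weak design (unsalted MD5 for the correct password, plaintext password in the failed-login table) and a hardened one (per-user random salt with a slow KDF, and a failed-login log that never records the submitted secret). All sample users, e-mails, IPs and passwords are constructed here; `exposure_audit` is a hypothetical post-breach check an incident responder would run to find which accounts must be force-reset because a plaintext failed-login entry directly reveals their stored hash.

```python
import hashlib
import hmac
import os

# --- Weak pattern (as described in the thread; constructed re-creation, not Epik's code) ---
def weak_store_password(pw: str) -> str:
    # Unsalted MD5: equal passwords give equal hashes across all users.
    return hashlib.md5(pw.encode()).hexdigest()

def weak_log_failed_login(log: list, ip: str, email: str, pw: str) -> None:
    # The submitted password is written in plaintext next to IP and e-mail.
    log.append({"ip": ip, "email": email, "password": pw})

# --- Hardened pattern (this example's own design) ---
KDF_ROUNDS = 200_000  # assumption: tune to your hardware; higher is slower for attackers

def strong_store_password(pw: str, salt: bytes = None) -> dict:
    salt = salt or os.urandom(16)  # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, KDF_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def strong_verify(record: dict, pw: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(record["salt"]), KDF_ROUNDS)
    return hmac.compare_digest(digest.hex(), record["hash"])  # constant-time compare

def strong_log_failed_login(log: list, ip: str, email: str) -> None:
    # Record who failed and from where; never the password they typed.
    log.append({"ip": ip, "email": email})

# --- Hypothetical incident-response check ---
def exposure_audit(user_hashes: dict, failed_log: list) -> set:
    """Return the accounts whose stored unsalted-MD5 hash equals the MD5 of a
    plaintext password found in the failed-login log (i.e. directly exposed)."""
    leaked = {hashlib.md5(e["password"].encode()).hexdigest()
              for e in failed_log if "password" in e}
    return {user for user, h in user_hashes.items() if h in leaked}

if __name__ == "__main__":
    # Constructed scenario: alice mistypes her e-mail with the correct password.
    users = {"alice": weak_store_password("correct horse"), "bob": weak_store_password("hunter2")}
    weak_log = []
    weak_log_failed_login(weak_log, "203.0.113.5", "alicee@example.com", "correct horse")
    print("accounts to force-reset:", exposure_audit(users, weak_log))
```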
First, I would like to hear from Rob on the breach. I know some people here know him and talk to him personally. Does anyone have an update?

Yes, Rob did actually reach out to Paul, the CTO of this site, directly via email. See attachments.
 

Attachments: paul email reply.png, paul email threat.png
Thanks @Derek Peterson

I realize the hack was political.

But a lot of us customers have nothing to do with RW conspiracies. They find EPIK is easy to deal with and economic.

So, it is high time Rob replies here. Delayed response is seeding doubts in the minds of customers.

Question to those who follow this story on social media. Did the hackers comment on putting a lot of innocent people's data in public?
 
my bank called me last year to say that Epik LLC is not a trustful company
It is very interesting. Never heard of banks doing this (if a company is set up to accept credit cards, then one would guess that it is trustful enough for Visa/Mastercard/etc. and, accordingly, for the banks). I also receive calls from my bank on rare occasions, mostly after repeated transactions of any size (two equal $8.xx domain renewal transactions in a row -> red flag, was it really me purchasing something twice?). Maybe you simply had a large or otherwise unusual transaction with this merchant, such as an aftermarket purchase? Or they indeed had something in their files... chargebacks from other customers maybe, which may also be the reason for the call you mentioned.
 
Thanks @Derek Peterson

I realize the hack was political.

But a lot of us customers have nothing to do with RW conspiracies. They find EPIK is easy to deal with and economic.

So, it is high time Rob replies here. Delayed response is seeding doubts in the minds of customers.

Question to those who follow this story on social media. Did the hackers comment on putting a lot of innocent people's data in public?


I have been following their posts closely on Twitter and elsewhere. Of course they are ecstatic about "exposing" epik customers and reveling in how badly they owned Epik and of course mocking epik's lack of security. Whether the hack was politically motivated or financially motivated the reality is that Epik security is awful and Rob's response has been equally bad. If you read back through the thread you will discover all the details of the hack but basically anything you can imagine the hackers getting, they got. Change all passwords, watch or cancel cards.

Here is a link to the 3 hour stream he did post hack to discuss. https://gorf.tube/w/9AzsTDjbQf43mvWcV8Xndt
 
All the more reason for Rob to respond here.

Change all passwords, watch or cancel cards.

Done that once this story broke.
 
The wisest thing to do would be to shut down all their infrastructure and rebuild it from scratch, but as a domain registrar I'm not too sure they have the ability to do that. At the very least it would cause a mass panic and cause a huge influx of ICANN complaints.

This would be a whopping financial hit to the registrar and require them to inform all customers to move their domains elsewhere. And it could take months to years to reboot their services on a new platform.

First, I would like to hear from Rob on the breach. I know some people here know him and talk to him personally. Does anyone have an update?

It is apparent that he would like to but is following legal advice. He did a Q&A session for about 3 to 4 hours that did not go so well. You can watch it on YouTube.

But a lot of us customers have nothing to do with RW conspiracies. They find EPIK is easy to deal with and economic.

I think you mean RM conspiracies. This is a sad consequence of being a victim of the shrapnel coming off of the service provider.
 