Epik Had A Major Breach

The views expressed on this page by users and staff are their own, not those of NamePros.
In the DM to Paul, which was published here earlier, Rob was of the opinion that "The hack incident is relatively understood. We know who did it, how they did it, and when they did it. We also have a pretty good idea of why they did it and for whose benefit".

I am curious what, if any, the answer would be. Will Epik sue somebody (so it would become public - such things are always public)? If you know who did this - why not, evil should be punished...
 
9
•••
In the DM to Paul, which was published here earlier, Rob was of the opinion that "The hack incident is relatively understood. We know who did it, how they did it, and when they did it. We also have a pretty good idea of why they did it and for whose benefit".

I am curious what, if any, the answer would be. Will Epik sue somebody (so it would become public - such things are always public)? If you know who did this - why not, evil should be punished...

So far the only people Rob has threatened to sue are all of us posting here. I doubt they know exactly who did the hack; they might know the group but not the individual, and even if he did know and filed criminal charges or sued them, what good does that do all the customers he hurt with poor security? Also, as someone who knows him personally, you would be wise not to believe what he says.
 
2
•••
Just a suggestion for people changing email addresses - you can create a unique email for each website or service provider. There are pros and cons to this - others may want to comment.

Using a domain you own or control, create a catchall email address on your domain. Then any email address you create on the fly will come to that domain's chosen inbox, so for example epikresignup2021@my domain.com goes to [email protected]. Quick and easy, and you can then easily create email filters, and if one was a throwaway address that gets spam, filter it straight to trash. And now you know who sold, shared or did not protect your email address when stuff comes in that is not from the place you created it for, such as [email protected].

A couple of cons: to email to some services, they require you to send from the email corresponding to your account, so sometimes when asked to you may have to create a sending facility for one of your unique receiving addresses, or (temporarily) change the email at that service account to one you can send on. The other con is not being able to remember at once what email address corresponds to what service, but there are ways round that.

https://haveibeenpwned.com/ will also let you check if all email addresses on a domain have been compromised in a single check.

Some email providers let you create aliases, ie variations of your email to avoid giving the actual email address out - here's a bit about gmail, for example: https://www.lifewire.com/create-gmail-alias-4580315
 
6
•••
Using a domain you own or control, create a catchall email address on your domain
I'd add: if you used your own domain with Epik for (leaked) email, it might be better to start using a brand new domain name now (or, at least, a domain not present in the Epik pwned db) with the scheme explained above, to be on the safe side.
 
0
•••
Just a suggestion for people changing email addresses - you can create a unique email for each website or service provider. There are pros and cons to this - others may want to comment.

Using a domain you own or control, create a catchall email address on your domain. Then any email address you create on the fly will come to that domain's chosen inbox, so for example epikresignup2021@my domain.com goes to [email protected]. Quick and easy, and you can then easily create email filters, and if one was a throwaway address that gets spam, filter it straight to trash. And now you know who sold, shared or did not protect your email address when stuff comes in that is not from the place you created it for, such as [email protected].

A couple of cons: to email to some services, they require you to send from the email corresponding to your account, so sometimes when asked to you may have to create a sending facility for one of your unique receiving addresses, or (temporarily) change the email at that service account to one you can send on. The other con is not being able to remember at once what email address corresponds to what service, but there are ways round that.

https://haveibeenpwned.com/ will also let you check if all email addresses on a domain have been compromised in a single check.

Some email providers let you create aliases, ie variations of your email to avoid giving the actual email address out - here's a bit about gmail, for example: https://www.lifewire.com/create-gmail-alias-4580315

Just trying to follow the logic. Please help me. Why not just have an email for your domain contact info and change the password? Why the need to have a unique email for each service provider?
 
0
•••
Why the need to have a unique email for each service provider?
Another service provider may also be hacked tomorrow. In this case, there would be no need to replace emails in all other places, just the 1 affected.

Also, if you have a unique account email - then you should not expect to receive any other emails, except ones from this service provider. Somebody else emailed? A red flag.
 
1
•••
Just a suggestion for people changing email addresses - you can create a unique email for each website or service provider. There are pros and cons to this - others may want to comment.

Using a domain you own or control, create a catchall email address on your domain. Then any email address you create on the fly will come to that domain's chosen inbox, so for example epikresignup2021@my domain.com goes to [email protected]. Quick and easy, and you can then easily create email filters, and if one was a throwaway address that gets spam, filter it straight to trash. And now you know who sold, shared or did not protect your email address when stuff comes in that is not from the place you created it for, such as [email protected].

A couple of cons: to email to some services, they require you to send from the email corresponding to your account, so sometimes when asked to you may have to create a sending facility for one of your unique receiving addresses, or (temporarily) change the email at that service account to one you can send on. The other con is not being able to remember at once what email address corresponds to what service, but there are ways round that.

https://haveibeenpwned.com/ will also let you check if all email addresses on a domain have been compromised in a single check.

Some email providers let you create aliases, ie variations of your email to avoid giving the actual email address out - here's a bit about gmail, for example: https://www.lifewire.com/create-gmail-alias-4580315

The problem is really this is just not that feasible. People might use 50-100 different websites with logins, or more. What, are you going to have a different email for each one?

It sounds great in theory but is a real pain in the ass in practice.

Brad
 
3
•••
What, are you going to have a different email for each one?
Yes
a real pain in the ass in practice.
No. You still check 1 inbox. Or, if different mail logins are involved - an IMAP client would help (no need to log in to a bunch of webmail accts). IMAP will decrease the security though (no 2FA by design).
 
2
•••
Yes

No. You still check 1 inbox. Or, if different mail logins are involved - an IMAP client would help (no need to log in to a bunch of webmail accts). IMAP will decrease the security though (no 2FA by design).

The better option would be if Epik just secured their customers' data properly, and did not unleash this clusterfuck on everyone with no recent or useful updates.

This response by Rob/Epik is a tutorial in what not to do in a crisis.

Brad
 
9
•••
Another service provider may also be hacked tomorrow. In this case, there would be no need to replace emails in all other places, just the 1 affected.

Also, if you have a unique account email - then you should not expect any other emails in this inbox, except ones from this service provider. Somebody else emailed? A red flag.

Well, whatever works for you. I can see having different emails for different businesses. And I am not sure whether you are speaking from the position of the emails being hosted at the registrar. I never host emails at the registrar. It seems much simpler to change the password. At some point you can expect to get spam to any email you use as a contact email. Just seems like a lot of work.
 
0
•••
Just trying to follow the logic. Please help me. Why not just have an email for your domain contact info and change the password? Why the need to have a unique email for each service provider?
Using a unique email alias for each website is actually pretty useful for keeping your inbox tidy. If you start receiving spam in your inbox, you can easily determine who was responsible for selling/leaking your email address, and configure your mail server to automatically send all messages for that alias to your Junk folder or discard them. That being said, I don't see any major security benefit as long as you're practicing good password hygiene. Your email address is not supposed to be a sensitive security secret.

A couple of cons: to email to some services, they require you to send from the email corresponding to your account, so sometimes when asked to you may have to create a sending facility for one of your unique receiving addresses, or (temporarily) change the email at that service account to one you can send on. The other con is not being able to remember at once what email address corresponds to what service, but there are ways round that.
This is easy to work around, just configure your mail server to allow your SMTP account to send messages from aliases and configure your email client to use the alias as an alternate sender identity for your account. Your mail client should even be able to automatically select the correct address when you click the reply button. No need to remember the email aliases if your password manager remembers. ;)

It sounds great in theory but is a real pain in the ass in practice.
It's not if you configure your mail server properly. I've been doing it for years.
 
3
•••
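The per-service alias check discussed in the posts above (mail reaching an alias from anyone other than the service it was created for is a red flag), as an added example that is not part of any post in this thread. The domains `example.net` and `registrar.example`, the alias table and the sample messages are constructed assumptions, as is the receiving server stripping inbound `Authentication-Results` headers.

```python
from email import message_from_string
from email.utils import parseaddr

CATCHALL_DOMAIN = "example.net"   # placeholder for the domain you control
EXPECTED = {                      # constructed: alias -> domains allowed to mail it
    "epikresignup2021": {"registrar.example"},
    "shop2021": {"shop.example"},
}

def _split(msg, header):
    """Return (local, domain) of the address in a header, lower-cased."""
    _, addr = parseaddr(msg.get(header, ""))
    local, _, domain = addr.lower().rpartition("@")
    return local, domain

def classify(raw):
    """Return (alias, verdict) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    alias = None
    for header in ("Delivered-To", "X-Original-To", "To"):
        local, domain = _split(msg, header)
        if domain == CATCHALL_DOMAIN:
            alias = local
            break
    if alias is None:
        return None, "not-for-catchall"
    allowed = EXPECTED.get(alias)
    if allowed is None:
        return alias, "unknown-alias"      # never handed out: guessed or mistyped
    _, sender = _split(msg, "From")
    if not any(sender == d or sender.endswith("." + d) for d in allowed):
        return alias, "leaked-or-shared"   # a third party knows this alias
    # From: is forgeable, so a domain match only counts when the receiving
    # server (assumed to strip inbound copies) recorded dmarc=pass.
    auth = msg.get("Authentication-Results", "").lower()
    return alias, "ok" if "dmarc=pass" in auth else "spoof-suspect"

SAMPLES = [  # constructed sample messages
    "From: Reg <support@registrar.example>\nDelivered-To: epikresignup2021@example.net\n"
    "Authentication-Results: mx.example.net; dmarc=pass\nSubject: Notice\n\nhi\n",
    "From: deals@bulkmail.example\nTo: epikresignup2021@example.net\nSubject: Offer\n\nhi\n",
    "From: support@registrar.example\nTo: epikresignup2021@example.net\nSubject: Verify\n\nhi\n",
    "From: x@y.example\nTo: admin@example.net\nSubject: Hello\n\nhi\n",
]

def report(samples=SAMPLES):
    """Classify every sample message in order."""
    return [classify(raw) for raw in samples]
```

A `leaked-or-shared` verdict identifies which service's copy of the address escaped; `spoof-suspect` covers mail that claims to be from the right service but carries no passing DMARC result.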
This response by Rob/Epik is a tutorial in what not to do in a crisis.

The more time that passes without response, the more it appears that this is due to legal advice given to RM/E by lawyers that if they make public statements those may be used against them in any possible legal proceedings. And this may be a real possibility. If anyone has any input regarding this or a counterpoint, please let me know.
 
1
•••
One of the best NP discussions on how to set up and securely manage mailboxes on your own domain, with some good technical details including recommendations from Paul, happens to be located in the Insiders Lounge, as it was started by a member discussing his specific issue. Just in case, the link:
https://www.namepros.com/posts/7513413/

(the link may or may not work depending on NP membership level afaik, as insiders lounge is not a public forum)
 
0
•••
Wouldn't using too many aliases on a domain name for email put you in the same category and class as the spammers as far as the spam filters are concerned?
 
0
•••
The better option would be if Epik just secured their customers' data properly, and did not unleash this clusterfuck on everyone with no recent or useful updates.

This response by Rob/Epik is a tutorial in what not to do in a crisis.

Brad

better options are good … the best solution would be if people didn’t break into people's property and steal their stuff ..
 
1
•••
0
•••
better options are good … the best solution would be if people didn’t break into people's property and steal their stuff ..

Absolutely. Unfortunately, if you do any work online or provide a service, the reality is that you will be inundated with spam and hack attempts. It is very frustrating. And security has to be priority number 1.
 
3
•••
The more time that passes without response, the more I am convinced that this is due to legal advice given to RM/E by lawyers that if they make public comments those may be used against them in any possible legal proceedings. And this may be a real possibility. If anyone has any input regarding this or a counterpoint, please let me know.
I agree. After that disaster of a Jitsi meeting a couple weeks ago I'm sure Epik's lawyers told Rob to keep his mouth shut. I'm pretty sure he mentioned at some point that they advised him to not even do that meeting. Of course, their silence makes them look absolutely terrible. The fact that their marketing materials boast about how great their security is and their actual security is clearly trash really rubs salt in the wound too. Truthfully it seems like they're in big PR trouble if they don't start talking, but they could be in big legal trouble if they do.
 
4
•••
Wouldn't using too many aliases on a domain name for email put you in the same category and class as the spammers as far as the spam filters are concerned?
No, that's not how email works. The routing of messages from alias to inbox is done on your mail server, the SMTP server that sent the message has nothing to do with it. Naturally you might run into issues if you abuse your own outgoing SMTP service, but that'll happen no matter what. For the average user, you shouldn't have to send an email from one of your aliases very often, so I really doubt it'll become an issue.
 
1
•••
Truthfully it seems like they're in big PR trouble if they don't start talking, but they could be in big legal trouble if they do.

It might be better for Rob to let his lawyer talk on his behalf and issue press releases.

IMO
 
0
•••
It might be better for Rob to let his lawyer talk on his behalf and issue press releases.

IMO

Someone needs to say something. The first hack was exposed over (2) weeks ago now with no major updates. Customers (and unrelated 3rd parties involved in the breach) are still largely in the dark.

Brad
 
7
•••
It might be better for Rob to let his lawyer talk on his behalf and issue press releases.

IMO
At this point, what Epik needs is a crack team of cyber security experts, lawyers, and PR people working together on their press releases. lol

Seriously though, I can't think of any way they could spin this that doesn't look really bad, other than to pretend it didn't happen, which also looks really bad.
 
6
•••
Someone needs to say something. The first hack was exposed over (2) weeks ago now with no major updates. Customers (and unrelated 3rd parties involved in the breach) are still largely in the dark.

Brad

Rightly or wrongly, it seems that so far Rob is seeing this situation mostly through the political lens. At this point in time it might be a good idea for him to let his lawyer or someone else at the company address the current problems and any solutions that they might have come up with from the business and PR point of view.

IMO
 
0
•••
No, that's not how email works. The routing of messages from alias to inbox is done on your mail server, the SMTP server that sent the message has nothing to do with it. Naturally you might run into issues if you abuse your own outgoing SMTP service, but that'll happen no matter what. For the average user, you shouldn't have to send an email from one of your aliases very often, so I really doubt it'll become an issue.

You might be right, but I personally don't like to use aliases. I use my main email for everything as I believe that it has more credibility and authority.

IMO
 
0
•••
You might be right, but I personally don't like to use aliases. I use my main email for everything as I believe that it has more credibility and authority.

IMO
If that makes you happy, great! Most automated systems simply don't care what email address you use, as long as it has working SMTP service and you have access to the corresponding inbox. I might as well make use of my domain to make it easier to track and eliminate junk.
 
1
•••