Epik Had A Major Breach

Bloody Hell! It is going to be difficult for Epik to deal with the fallout from this and there's an ICANN meeting coming up next month.

Regards...jmcc

I am still wondering about the ID documents. Were these stored on their normal server, or something more secure? What about other information they might have relating to bank accounts (ACH), etc.

This level of data breach is almost unprecedented.

Brad
 
In addition to prayers and ongoing forensics, it is imperative that at some point you can rely on the compromised systems again. In general, the urgent advice is to shut down and largely rebuild the compromised systems, but not every company is willing or able to do so. I wish Epik wisdom and strength for the coming period, when they need to restore both systems and the perception of the company.

https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server
 
I am still wondering about the ID documents. Were these stored on their normal server, or something more secure? What about other information they might have relating to bank accounts (ACH), etc.

This level of data breach is almost unprecedented.

Brad

I think it is very safe to assume, and you should assume, that they are on the same server and not secure. Amazing to me that The Monster hasn't come out with a list of items compromised.
 
I think it is very safe to assume, and you should assume, that they are on the same server and not secure. Amazing to me that The Monster hasn't come out with a list of items compromised.

I think it is highly likely they didn't know. Now, with an image of the entire server, it is pretty easy to know what it included: everything on the server.

Brad
 
I think it is highly likely they didn't know. Now, with an entire image of the server, it is pretty easy to know what it included: everything on the server.

Brad


LOL, yeah, exactly. Easier to make a list of what wasn't compromised.
 
In addition to prayers and ongoing forensics, it is imperative that at some point you can rely on the compromised systems again. In general, the urgent advice is to shut down and largely rebuild the compromised systems, but not every company is willing or able to do so. I wish Epik wisdom and strength for the coming period, when they need to restore both systems and the perception of the company.

https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server
If by their "system" you mean the Zend (PHP) code: no matter how many times they rebuild it or harden it, Zend is Zend garbage; it's an interpreted language for developers who don't know how to compile and disassemble binaries to find vulnerabilities.

I mean, look at this stuff.

$context = null;
if ($this->isHost('XXDDD.epik.com'))
{
    // hard-coded Basic-auth credentials (values shown as placeholders in the post)
    $username = 'XDD';
    $password = 'XDDDD';
    $context = stream_context_create(array (
        'http' => array (
            'header' => 'Authorization: Basic ' . base64_encode("$username:$password")
        )
    ));
}
 
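As an added example, not code from the thread or from Epik: a small Python check for the pattern the snippet above shows, a string literal assigned to a secret-named variable and an HTTP Basic header built from it. It runs over a constructed copy of the vulnerable shape and over a version that reads the credentials from the environment (the API_USER/API_PASSWORD variable names are assumptions).

```python
import re

# $name = 'value';  (a string literal assigned to a variable)
LITERAL_ASSIGN = re.compile(r"\$(\w+)\s*=\s*(['\"])(.*?)\2\s*;")
# Variable names that normally hold a secret.
SECRET_NAME = re.compile(r"pass|pwd|secret|token|api_?key", re.I)
# The argument handed to base64_encode() inside a Basic auth header.
BASIC_B64 = re.compile(r"Authorization:\s*Basic\b.*?base64_encode\((.*?)\)", re.I)
VARREF = re.compile(r"\$(\w+)")


def scan_php(source: str) -> list[tuple[int, str]]:
    """Return (line number, finding) pairs for hard-coded credentials."""
    lines = source.splitlines()
    literal_vars = {}   # variable name -> line where it got a string literal
    findings = []
    # Pass 1: remember literal-assigned variables; flag secret-looking names.
    for no, line in enumerate(lines, 1):
        for name, _quote, value in LITERAL_ASSIGN.findall(line):
            if value:
                literal_vars[name] = no
                if SECRET_NAME.search(name):
                    findings.append((no, f"hard-coded secret in ${name}"))
    # Pass 2: a Basic header whose credential is a bare literal, or is built
    # only from literal-assigned variables, is hard-coded as well.
    for no, line in enumerate(lines, 1):
        m = BASIC_B64.search(line)
        if not m:
            continue
        refs = VARREF.findall(m.group(1))
        if not refs:
            findings.append((no, "Basic auth credential is a string literal"))
        elif all(r in literal_vars for r in refs):
            used = ", ".join("$" + r for r in refs)
            findings.append((no, f"Basic auth built from literals ({used})"))
    return findings


# Constructed sample modelled on the posted snippet (values are placeholders).
VULNERABLE = """$username = 'XDD';
$password = 'XDDDD';
$context = stream_context_create(array('http' => array(
    'header' => 'Authorization: Basic ' . base64_encode("$username:$password"))));
"""

# Same request with the credentials read from the environment at run time.
HARDENED = """$username = getenv('API_USER');
$password = getenv('API_PASSWORD');
$context = stream_context_create(array('http' => array(
    'header' => 'Authorization: Basic ' . base64_encode("$username:$password"))));
"""
```

The check only sees what is in the source file: credentials moved into a config file committed to the same repository would pass it, so pair it with a scan of the config tree.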
If by their "system" you mean the Zend (PHP) code: no matter how many times they rebuild it or harden it, Zend is Zend garbage; it's an interpreted language for developers who don't know how to compile and disassemble binaries to find vulnerabilities.

It's broader than that. At this point, after successful intrusions, you basically can't really trust anything anymore. Not even the backups, which could normally help you get back to a reliable / trusted situation.
 
I am still wondering about the ID documents. Were these stored on their normal server, or something more secure? What about other information they might have like bank accounts (ACH), etc.
I'm going on the commentary from Twitter and elsewhere. The ID documents are a major problem (among a lot). Multiple servers are exposed and it is possible that the ID documents could be there unless they've been deleted from the leak. The one thing that has slowed down analysis and dissemination of the first leak is a lack of domain industry knowledge. Not only do those doing the analysis have to understand the structure of Epik's databases and data (some very good analysis has been posted on Twitter about this), they have to understand how it is used and the purposes for which it is used. Reverse-engineering is more difficult than ordinary engineering because it is necessary to work out why some decisions were made and what they are intended to achieve.

This level of data breach is almost unprecedented.
For a registrar, it is a very serious problem. That Domaintools link above should be accurate on the changes. Some portfolio operators may be the first to move.

Regards...jmcc
 
Brings a tear to the eye.

This one's gonna hurt.

Boring. Still waiting to see revelation of real crimes and fed honeypot.
 
context for ASCII art: the person seen in the now famous Robert Monster's Q&A/prayer meeting with a swastika tattoo on his chest was the most prominent member of the hacker collective "Goatse Security".
 
It boggles the mind that Epik hasn't even made an attempt to get ahead of the ball and at least present a strong PR front in an attempt to regain or preserve some level of confidence. Especially with the fans they have here and elsewhere who would jump at the opportunity to praise and magnify those efforts.

context for ASCII art: the person seen in the now famous Robert Monster's Q&A/prayer meeting with a swastika tattoo on his chest was the most prominent member of the hacker collective "Goatse Security".

Rob sent his love to him. Anyone know if this person or the group was in any way involved on the security side of Epik?
 
It boggles the mind that Epik hasn't even made an attempt to get ahead of the ball and at least present a strong PR front in an attempt to regain or preserve some level of confidence. Especially with the fans they have here and elsewhere who would jump at the opportunity to praise and magnify those efforts.

I agree, but what are they really going to say?

Instead of getting ahead of the ball they are getting hit with a wrecking ball that exposed their lax security. I am not sure there is really any way to spin that in a positive way.

Brad
 
It boggles the mind that Epik hasn't even made an attempt to get ahead of the ball and at least present a strong PR front in an attempt to regain or preserve some level of confidence. Especially with the fans they have here and elsewhere who would jump at the opportunity to praise and magnify those efforts.



Rob sent his love to him. Anyone know if this person or the group was in any way involved on the security side of Epik?

No, I seriously doubt they hired Weev, and Monster acted like he didn't know him during the call, so again, I highly doubt Weev ever worked for Epik. BUT this Robert David is VP and a "cryptologist expert", and he glows brighter than Fukushima.
 

Attachment: rob davis bio.png
@DN Playbook, not to pile on here, you guys are doing enough ^^, but I don't think anyone involved in cyber security or anything tech related is gonna claim Epik as his employer; it would deduct from his years of experience and he would probably never be able to find a job again.

The real question here is: can it get any worse? The whole server was leaked, the fok.
 
The real question is what changed. At first we were told only a percentage of the users' info was leaked; now we find out the whole server?
 
@DN Playbook, not to pile on here, you guys are doing enough ^^, but I don't think anyone involved in cyber security or anything tech related is gonna claim Epik as his employer; it would deduct from his years of experience and he would probably never be able to find a job again.

The real question here is: can it get any worse? The whole server was leaked, the fok.

We haven't heard anything about the web hosting side of things. I'm sure all those server logins are probably in the data as well. All their hosting customers' sites are probably getting hacked as we speak. Epik also has an email service, probably also compromised 100%.
 
The real question is what changed. At first we were told only a percentage of the users' info was leaked; now we find out the whole server?

Well, there are really only two possible options -

1.) They didn't know the extent.
2.) They did know the extent and misled/lied.

Neither option is that reassuring.

Brad
 
@bmugford, from the Epik side of things they seem to downplay the situation, but I am asking from the hackers'/reporters' perspective. From what I know the data was made public; was there another dump that was released?
 
@bmugford, from the Epik side of things they seem to downplay the situation, but I am asking from the hackers'/reporters' perspective. From what I know the data was made public; was there another dump that was released?

Yes, earlier today.

New leak of Epik data exposes company's entire server

https://www.dailydot.com/debug/anonymous-new-epik-leak/

WhiskeyNeon, a Texas-based hacker and cybersecurity expert who reviewed the file structure of the leak, told the Daily Dot how the disk images represented Epik's entire server infrastructure.

"Files are one thing, but a virtual machine disk image allows you to boot up the company's entire server on your own," he said. "We usually see breaches with database dumps, documents, configuration files, etc. In this case, we are talking about the entire server image, with all the programs and files required to host the application it is serving."

The data includes API keys and plaintext login credentials for not only Epik's system but for Coinbase, PayPal, and the company's Twitter account.
 