alert Epik Had A Major Breach

[DaveX]

Just read this. Looks like Epik may have been hacked and sensitive data compromised...

Read here:
https://domainnamewire.com/2021/09/14/hackers-claim-significant-epik-breach/

Thought I would share this.

 

[johnn]

Too many questions:
If the house is on fire should I come in?

 

[Paul]

Some credit cards offer a virtual / one time credit card number that ties to your account. You use it once and then it's no longer any good. You might want to see if any of your cards offer it.

This is the approach I tend to use. Just be careful to avoid developing a false sense of security if you go that route; you still need to monitor for suspicious charges and rotate out the numbers if they're compromised.

READING NOW:

https://techcrunch.com/2021/09/17/epik-website-bug-hacked

Web host Epik was warned of critical security flaw weeks before it was hacked.

Notable:

Security researcher Corben Leo contacted Epik’s chief executive Monster over LinkedIn in January about a security vulnerability on the web host’s website. [...] LinkedIn showed Monster had read the message but did not respond.

Monster confirmed he received Leo’s message on LinkedIn, but did not answer our questions about the breach or say when the vulnerability was patched. “We get bounty hunters pitching their services. I probably just thought it was one of those,” said Monster. “I am not sure if I actioned it. Do you answer all your LinkedIn spams?”

That's strike two. I had a similar experience in which Rob didn't respond when I reported a vulnerability, despite him being the one to initiate communication. The LinkedIn spam excuse certainly doesn't apply there.

I prefer to assume good faith, but my supply of optimism is quickly depleting.

 

[bmugford]

Notable:

Security researcher Corben Leo contacted Epik’s chief executive Monster over LinkedIn in January about a security vulnerability on the web host’s website. [...] LinkedIn showed Monster had read the message but did not respond.

Monster confirmed he received Leo’s message on LinkedIn, but did not answer our questions about the breach or say when the vulnerability was patched. “We get bounty hunters pitching their services. I probably just thought it was one of those,” said Monster. “I am not sure if I actioned it. Do you answer all your LinkedIn spams?”

That's strike two. I had a similar experience in which Rob didn't respond when I reported a vulnerability, despite him being the one to initiate communication. The LinkedIn spam excuse certainly doesn't apply there.

I prefer to assume good faith, but my supply of optimism is quickly depleting.

Not looking good.

I am starting to wonder if Epik even knows themselves what was compromised and how it was compromised. That makes this whole thing even worse.

If they don't know, how can they possibly fix it?

Brad

 

[Wesley S]

Too many questions:
If the house is on fire should I come in?

fire?? Rocking. lol.

 

[blockhead]

Kinda feels like Epik [halfheartedly] relies on their bug bounty program rather than invest in true security professionals, to keep costs down.

 

[Wesley S]

Kinda feels like Epik [halfheartedly] relies on their bug bounty program rather than invest in true security professionals, to keep costs down.

with bug bounty, you should already have the best hacker in the world on your payroll, then see who out there can beat it. lol.

 

[Jurgen Wolf]

How they plan to compensate all these adventures for us OR no any compensation and just another $6.99 ad???

 

[TauseefKhan]

It is indeed a worrisome news for all of us. I hope it gets resolved.

before posting this - I did a little research on how some entity can become an ICANN accredited domain registrar. And, I found ICANN REGISTRAR ACCREDITATION APPLICATION FORM in which section or serial 24 deals with security aspects of domain registrar: For example it says "please attach evidence of an International Organization for Standardization (ISO) 27001 Certification demonstrating effective security controls for the services to be provided by the registrar. An accredited third party must award the certification. If the ISO 27001 Certification has been awarded for a service or process equivalent in complexity to the proposed registrar's services, the applicant must explain the equivalence and make an assertion that it will use the same security controls in the registrar's services. And, so on

My point is that we trust bank with our money because banks are protected by federal or reserve banks. Similarly, domain registrar should also get the same protection from the body that has given them the authority to carry such a business. After all domain is more than money. It's serious business for many companies. Imagine big giants losing a domain for even a second will cost them millions.

Domain investors are effected by this - but importantly many businesses also gets effected because of lost emails, domain hacks and so on if the registrar faces a major attack.

So, I think there has to be some more stringent ICANN policies and compliance's to make sure that in such a scenario of attack/hacks the domain registrants domains are safe.

Safe in the sense that they are not easily transferred out nor easily pushed to another account at the same registrar paving way for an easy transfer out.

There must be rules and policies from ICANN governing such a scenario for the safety of endusers.

After all domain registrants also pay a small amount to ICANN as a fee during checkout.

 

[Paul]

Kinda feels like Epik [halfheartedly] relies on their bug bounty program rather than invest in true security professionals, to keep costs down.

Bug bounty programs are quite effective, actually, but they usually need to be live for more than a day to work their magic.

 

[dirk]

Not sure what their agenda is but it sure isn't your safety.

Rob mentioned on twitter they're using over a decade old coding, originating from Russia... Supposedly planned to update. may explain the weak hashing.

 

[Jurgen Wolf]

Estibot is also in Russian hands.

 

[Paul]

Rob mentioned on twitter they're using over a decade old coding, originating from Russia... Supposedly planned to update. may explain the weak hashing.

Usually, when you acquire or maintain untrusted code, best practice would be to isolate it from the rest of your infrastructure so that an attacker can't pivot laterally if they compromise it. If their claim is true, one of their first steps forward will likely be to implement such isolation, since it's usually one of the easier improvements that can be made.

For any other companies watching for the sidelines, that's worth noting. You don't want an attacker to be able to use your old, neglected WHOIS server as a foothold.

 

[Jurgen Wolf]

And what innovations there???
Even control panel is the same as it was many years ago and designed for legacy resolutions/screens.

 

[eternaldomains]

Now that I think of it, @Rob Monster it's better that you separate the registrar into 2 registrars; the main 1 for end users, the other 1 strictly for domainers (and of course using a different name). If those whatever hackers wanna whack again, chances are they'll only bother the one with hosted crap.

 

[eternaldomains]

Rob mentioned on twitter they're using over a decade old coding, originating from Russia... Supposedly planned to update. may explain the weak hashing.

Took them too long for this. It's as expected just like what I said earlier in this thread: they focused too much on "innovations" (aka expansion/acquisitions etc) instead of focusing on the most important things.

There was a comic I read some time ago (yes I know, horrible source, but still.... surprisingly relevant) saying that it's simply easier to just buy tech from another company as part of "innovation" instead of actually trying to improve on their own.

To me that's just a lazy way to do things, and that laziness will surely bite you back eventually (like now). This is the 2nd time I see Epik being lazy on the dev side. 1st mention was their "responsive" design causing icons/images to look distorted. Did that one got fixed yet?

 

[Lox]

September 16, 2021 - 30min - Steven Monacelli conversation with CEO of Epik Robert Monster

 

[bmugford]

September 16, 2021 - 30min - Steven Monacelli conversation with CEO of Epik Robert Monster

I am still watching it, but very interesting so far...

This is a serious issue about doxxing.

Rob Monster to the other person -

"How much cocaine did you do today..."

"I think if you were an honorable guy, the site would come down..."

Real professional.

Here is some free advice - when you are in a hole, stop digging.

Brad

 

[Paul]

Rob Monster to the other person - "How much cocaine did you do today..."

Are you sure he wasn't just reading the message that was written in chat?

 

[April004]

Someone here posted Epik has 37 members here worked for them. Cutting the corner by hiring cheap employees is not good business along with other inadequate security measures like store data in plain text.

with just 500,000+ domain registrations in total up till now, how much might Epik be paying for 37 employees?
There were few domain-sales in aftermarket!

 

[Wesley S]

Is Rob Epik.com? Is epik.com Rob? Why is it epik.com to begin with? If it was personal identifying business then it wouldve been Rob.com or Monster.com, he named it, epik.com is doing business as usual, what should be asked is why they are attacking the person instead of the company. The company is a registrar, not a personal individual living their life on earth the best way they know how, with likes, dislikes, dreams, aspirations, realizations. Keep the stuff on the field, not as a disease. ty.

It was a personal attack and they changed the shield to suit their evil plan, instead of what it was standing for and good to begin with. Im glad Rob was transparent and interacting with domainers. Who wants a king that distance themselves from the people to begin with?