alert Epik Had A Major Breach

[DaveX]

Just read this. Looks like Epik may have been hacked and sensitive data compromised...

Read here:
https://domainnamewire.com/2021/09/14/hackers-claim-significant-epik-breach/

Thought I would share this.

 

[mr-x]

Nope. Please don't try to put words into my mouth.

I feel for the customers who are dealing with this hack and lack of information and guidance from Epik. I have an Epik account from many years ago, so at least some of my information was likely included in the data breach as well.

Brad

Some people are clearly enjoying Epik's problems.

 

[Jurgen Wolf]

Looks that we are in the beginning of Epik's end...

 

[Jurgen Wolf]

Some people are clearly enjoying Epik's problems.

These people are healthy.
Instead another part is described here: https://en.wikipedia.org/wiki/Stockholm_syndrome

 

[Rob Monster]

There was a EPP maintenance during the last hour. It is finished.

Should be all systems go. Engineers are working very hard to audit and secure all facets.

Updates will follow, including an official email this evening.

 

[xyo]

Well, this is in total a complete clusterf***.

Always liked that Epik/Rob didn't go with nowadays attitude to cancel anything that is not 100% woke and PC, eventhough that made them a lot of enemies proclaiming them as "far-right" etc.

After first learing about this breach, I didn't panic and wanted to wait for actual facts to be published.
Now it's been at least five days since all that data has been publicly released by the hackers for anyone on the internet to be accessed freely.

Currently I'm not sure what troubles me the most: The fact that a breach of this kind was possible or their reaction up until now.

Actual information about what data has been breaced should have been communicated directly to all customers so that they are fully aware all of all information that now is more or less publicly available to anyone.

All in all, I'm not yet sure what I'll do myself, but imho their reaction (or absence of it) until now hasn't made things better

 

[Jurgen Wolf]

Yes, it is rocket science to place Maintenance banner in Control Panel...

 

[Corey]

Thanks @Rob Monster for the update.
Epik is my Number 1 Registrar, due to the First Class customer service & price.
#LoveYourWork.

Cheers
Corey

 

[Rob Monster]

Thanks @Rob Monster for the update.
Epik is my Number 1 Registrar, due to the First Class customer service & price.
#LoveYourWork.

Cheers
Corey

Thanks. Appreciate the support.

It has been all-hands on deck all week with many staff working through the night

Stay well and God bless.

 

[Samer]

Thanks. Appreciate the support.

It has been all-hands on deck all week with many staff working through the night

Stay well and God bless.

Thanks @Rob Monster

Once again, post indicates, following thread.

Please, keep “fighting” on. (self-defense;
you are under attack; thank you again posting.

Samer

 

[Jurgen Wolf]

Federated Identity. That product is going to be rebranded soon, it’ll be called Valido.com

When I see it - the only one emotion: Validol
Popular name of https://en.wikipedia.org/wiki/Menthyl_isovalerate

 

[MasterOfMyDomains]

You can transfer back to losing registrar anytime, within 60 days or is it 45?. Correct me if i am wrong. Thanks for the reassuring words rob, looking forward to official email this evening, and some facts. Did you hire joey to razz that lady?

Personally, I'm going to de-list my ~10 domains that are transfer-locked at Epik until I have the ability to move them out. Sadly I transferred them there recently to save a buck.

 

[labrocca]

I've been in Rob's shoes before. My user table on a few hundred thousand members was breached and downloaded. A full password reset might be necessary but you should only do that AFTER you are 100% sure of what happened and have secured the site. Worse thing to do is PW resets then find out that you are breached again. As long as the PW's are salted and of certain difficulty they will mostly be hard to break. As a standard everyone should use 12 characters min (upper, lower, digits, and special chars).

I'm gonna assume they are going nuts securing everything and making the changes needed. Has anyone yet lost a domain? If not, then don't panic. This imho will make Epik stronger. When you start off it's not always easy to know how big you'll get and what security measures you will need. People think it's just a few button clicks for security. You have to code all this crap. Their Federatated single-login feature was probably a bitch to integrate.

https://domainnamestat.com/statistics/registrar/Epik_Inc_-IANA_ID-617

That's alarming because it's possible they sent delete notices to ICANN for those domains. I've checked my own domains. None show as PendingDelete.

I would think ICANN and the registries would work with Epik to fix any mass domain theft or deletion. It's not like they can't do that.

I doubt Rob is "hiding". My guess is that he has hands full. Is probably on tilt a bit over this too. I know exactly what he is going through. It's not a comfortable moment. He has people posting from Epik. And I am sure he wants to wait till he has everything secure and all the information possible before making statements. He can't come here and be like "we're working on it, we're not sure, we don't think so" because he would just get attacked and we'd see more panic.

The situation imho can take 7-15 days to absolutely fix. And you don't waste time on a forum. You work as fast as you can because your business is at stake.

Overreacting? To what appears to be one of the most complete data breaches?

There has been much worse breaches. Example is Equifax. Again, no one is reporting lost domains. Your credit card data being exposed isn't abnormal. By now everyone I know has at one point or another had their CC stolen. Figure out what's at Epik and report it lost if you so worried. For free your credit card company will replace it. You lose nothing but maybe a bit of hassle.

btw, stuff like this is why blockchain based domain registration make a lot of sense.

I really feel bad for the guy. I respect that he rubs people the wrong way with his religious beliefs. But show some tolerance. People are okay being nice to a guy wearing a dress more than wearing a cross.

imho, you don't allow any domains out unless manually reviewed and you disallow any domain deletions. I think domainers can hold off on sales until their portfolios are secure.

Guys, Epik allows crypto. Suggest if you don't use crypto yet, you begin now.

And to the comment that Epik is liable. You have to prove damages. Most of the legal requirements from a company in a breach are to inform the public. Typically they get into trouble by trying to keep it secret. And credit monitoring is mostly free to people now via their CC company or bank.

Epik will be fine imho. Some damage will happen but Rob is tough, he'll stick it out. I ain't moving a single domain.

 

[br1ll1on]

There was a EPP maintenance during the last hour. It is finished.

Should be all systems go. Engineers are working very hard to audit and secure all facets.

Updates will follow, including an official email this evening.

As for Juergen it seems being a drama queen. Please give him hugs.

I get not saying much to avoid giving away your hands to possible lurkers but something like "Engineers are working very hard to audit and secure all facets." earlier wouldn't hurt
Wishing you the possible best.

 

[Finest]

Just received this from Epik:

 

[YairDD]

Probably the end of Epik. No one is gonna trust the security of the site anymore

 

[TravisW]

Just received this from Epik:

This should have been the first email they sent. The lack of clear communication up until this point has done damage and caused a loss of trust.

 

[Grilled]

Just received this from Epik:

Show attachment 199692

I received the same email.

A+ to whomever wrote this email.

Probably the end of Epik. No one is gonna trust the security of the site anymore

I wouldn't be so sure...

Didn't @Rob Monster mention (in the journalist video conference) something about Epik receiving some $28million in funding recently? Is it unreasonable to think they aren't done raising capital as freedom of internet speech seems to be a hot topic these days, and epik just so happens to find themselves at the shadowy forefront of this societal battle.

Over the last few years epik has seemingly been able to expand their customer base, and AUM, despite sustaining a far right neo nazi loving wikipedia label. And as mentioned in Troy Hunt talks about Epik from 27:23 to 43:30, Troy accurately asserts that not everyone/everything connected to epik are far right neo nazi lovers, thus that wiki over-generalization is to be taken with a grain of salt, rather than a Hollywood headline.

Assuming that epik can make it through this legally unscathed, this security breach, if properly rectified (to include epiks allegedly broken/ignored bug bounty department) could fall into the category of what doesn't put epik out of business, only makes epik stronger. and more experienced.

It also seems, maybe only temporarily and/or secluded to their last urgent security breach email, that epik is toning down the marketing fluff / divisive pillow rhetoric, and directing that attention to their outdated tech/code, which may in turn inspire a new ground up rebuild. As it stands, epik is eerily similar to a professional pillow talker, and now with the recent bad press of epiks pillow quality being in question, maybe epik will finally direct their pillowing attention away from professional pillow talk, and transition back to innovating needed pillow technology.

 

[Jv1999]

Everyne was out for blood...

Last time Rob commented on a forum thread attacking him, he only self-slaughtered. I'm glad this time around, he kinda just laid back and made sure what actually mattered was taken care of -- security. Then he posted and it wasn't out of heat of passion or anything -- he simply gave an update. Good on Rob

I lean towards non-alt-right, so I don't agree with Epik harboring sites that have a dangerous call to action, like with Gab and that KKK forum that was banned from Google.

I also don't agree when Rob linked the NZ massacre on Twitter!

But I admit that Epik and Rob are probably one of the most top notch registrars in terms of like security and innovation.

Everyone mostly went off the rails and said all hell was breaking loose and everything was leaked in plaintext and AUTH CODES and whatnot... but the truth is -- no one has lost a domain. No one lost access to their accounts. No one's pw was compromised (i think)

Because Rob said they most likely hacked some legacy Epik system that's no longer holding valuable info.

There wasn't even a system downtime tbh. Everything ran smoothly as though the hack never happened.

It was basically a smear campaign. Thta's what I think... I hope more updates into the situation are released soon... but I mean I received both Epik emails, the last one saying none of my stuff was compromised.

 

[Grilled]

Epik will be fine imho. Some damage will happen but Rob is tough, he'll stick it out. I ain't moving a single domain.

The problem with being crazy is crazy people do crazy things. Case in point, I've been transferring domains to epik all week, despite the breach.

Simply because for the most part epik as a registrar works/has worked without much issue, and when an issue arises, there are generally less hoops to jump through to get an epik resolution than there are at other registrars. Not to mention epik's pricing is right most of the time, and thus, seemingly a practical solution for holding domains; even though they could do better in areas such as redemptions and warehousing practices. Oh, and apparently they could be better in the safeguarding/hashing of user data.

To me, the politics is similar to chick-fil-a drama. Chick-fil-a/epik was not their highest self, and mistakenly mixed politics with chicken. Then suddenly, it became "uncool" to eat at chick-fil-a despite them having the best chicken and legendary customer service. Seemingly, to an extent chick-fil-a, has taken steps to address their judgmental shortcomings, and get back to being in the chicken business. Either that, or they put something highly addictive in their sauces, because it's hard to stay away from an evil company that makes chicken that freakin delicious.

It is my hopes that epik steps away from the propaganda business and gets back into the chicken domain business. Perhaps epik will finally drop their infectious pillow talking VP, to better direct that reputation draining mouthpiece's salary, into a legendary bug bounty program or to hire a more capable engineer(s).

I'd also like to point out that epik's single greatest loss (possibly an even greater loss than the data) was likely the resignation of @Slanted. No matter how good the ship, or how well dressed the captain appears, never underestimate the value of a hard working first mate. It seems @Slanted was the glue that held epik together during their greatest company growth period, and since his departure epik has seemingly been more about curating their pillow talking process (perhaps a strategic capital raising technique?), rather than further developing their inherited intrust code or expanding agnostic business relationships. eg wasting time/energy picking fights/destroying relationships with dan, paypal, godaddy, escrow, etc. All communication mistakes that no doubt would have been handled infinitely better with a competent executive such as @Slanted close to the helm.

 

[Truespin Domains]

I fundamentally disagree with Rob on almost all his personal views and doubt we'd get on, but I am with him on his protection of free speech and people's right to be provocative - provided they are not inciting crime. I also sense he would defend these rights for all groups, not just the ones he supports.

I also think Epik has tried to move the domain industry forward. I hope they survive.