IT.COM

alert Epik Had A Major Breach

NameSilo
Watch

Silentptnr

Domains88.comTop Member
Impact
47,106
Last edited:
33
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
You can transfer back to losing registrar anytime, within 60 days or is it 45?. Correct me if i am wrong. Thanks for the reassuring words rob, looking forward to official email this evening, and some facts. Did you hire joey to razz that lady?
Personally, I'm going to de-list my ~10 domains that are transfer-locked at Epik until I have the ability to move them out. Sadly I transferred them there recently to save a buck.
 
1
•••
I've been in Rob's shoes before. My user table on a few hundred thousand members was breached and downloaded. A full password reset might be necessary but you should only do that AFTER you are 100% sure of what happened and have secured the site. Worse thing to do is PW resets then find out that you are breached again. As long as the PW's are salted and of certain difficulty they will mostly be hard to break. As a standard everyone should use 12 characters min (upper, lower, digits, and special chars).

I'm gonna assume they are going nuts securing everything and making the changes needed. Has anyone yet lost a domain? If not, then don't panic. This imho will make Epik stronger. When you start off it's not always easy to know how big you'll get and what security measures you will need. People think it's just a few button clicks for security. You have to code all this crap. Their Federatated single-login feature was probably a bitch to integrate.

https://domainnamestat.com/statistics/registrar/Epik_Inc_-IANA_ID-617

That's alarming because it's possible they sent delete notices to ICANN for those domains. I've checked my own domains. None show as PendingDelete.

I would think ICANN and the registries would work with Epik to fix any mass domain theft or deletion. It's not like they can't do that.

I doubt Rob is "hiding". My guess is that he has hands full. Is probably on tilt a bit over this too. I know exactly what he is going through. It's not a comfortable moment. He has people posting from Epik. And I am sure he wants to wait till he has everything secure and all the information possible before making statements. He can't come here and be like "we're working on it, we're not sure, we don't think so" because he would just get attacked and we'd see more panic.

The situation imho can take 7-15 days to absolutely fix. And you don't waste time on a forum. You work as fast as you can because your business is at stake.

Overreacting? To what appears to be one of the most complete data breaches?

There has been much worse breaches. Example is Equifax. Again, no one is reporting lost domains. Your credit card data being exposed isn't abnormal. By now everyone I know has at one point or another had their CC stolen. Figure out what's at Epik and report it lost if you so worried. For free your credit card company will replace it. You lose nothing but maybe a bit of hassle.

btw, stuff like this is why blockchain based domain registration make a lot of sense.

I really feel bad for the guy. I respect that he rubs people the wrong way with his religious beliefs. But show some tolerance. People are okay being nice to a guy wearing a dress more than wearing a cross.

imho, you don't allow any domains out unless manually reviewed and you disallow any domain deletions. I think domainers can hold off on sales until their portfolios are secure.

Guys, Epik allows crypto. Suggest if you don't use crypto yet, you begin now.

And to the comment that Epik is liable. You have to prove damages. Most of the legal requirements from a company in a breach are to inform the public. Typically they get into trouble by trying to keep it secret. And credit monitoring is mostly free to people now via their CC company or bank.

Epik will be fine imho. Some damage will happen but Rob is tough, he'll stick it out. I ain't moving a single domain.
 
17
•••
There was a EPP maintenance during the last hour. It is finished.

Should be all systems go. Engineers are working very hard to audit and secure all facets.

Updates will follow, including an official email this evening.

As for Juergen it seems being a drama queen. Please give him hugs.
I get not saying much to avoid giving away your hands to possible lurkers but something like "Engineers are working very hard to audit and secure all facets." earlier wouldn't hurt
Wishing you the possible best.
 
3
•••
Just received this from Epik:

Screen Shot 2021-09-19 at 8.29.12 AM.png
 
7
•••
Probably the end of Epik. No one is gonna trust the security of the site anymore
 
2
•••
Just received this from Epik:

This should have been the first email they sent. The lack of clear communication up until this point has done damage and caused a loss of trust.
 
Last edited:
14
•••
Just received this from Epik:

Show attachment 199692

I received the same email.

A+ to whomever wrote this email.

Probably the end of Epik. No one is gonna trust the security of the site anymore

I wouldn't be so sure...

Didn't @Rob Monster mention (in the journalist video conference) something about Epik receiving some $28million in funding recently? Is it unreasonable to think they aren't done raising capital as freedom of internet speech seems to be a hot topic these days, and epik just so happens to find themselves at the shadowy forefront of this societal battle.

Over the last few years epik has seemingly been able to expand their customer base, and AUM, despite sustaining a far right neo nazi loving wikipedia label. And as mentioned in Troy Hunt talks about Epik from 27:23 to 43:30, Troy accurately asserts that not everyone/everything connected to epik are far right neo nazi lovers, thus that wiki over-generalization is to be taken with a grain of salt, rather than a Hollywood headline.

Assuming that epik can make it through this legally unscathed, this security breach, if properly rectified (to include epiks allegedly broken/ignored bug bounty department) could fall into the category of what doesn't put epik out of business, only makes epik stronger. and more experienced.

It also seems, maybe only temporarily and/or secluded to their last urgent security breach email, that epik is toning down the marketing fluff / divisive pillow rhetoric, and directing that attention to their outdated tech/code, which may in turn inspire a new ground up rebuild. As it stands, epik is eerily similar to a professional pillow talker, and now with the recent bad press of epiks pillow quality being in question, maybe epik will finally direct their pillowing attention away from professional pillow talk, and transition back to innovating needed pillow technology.
 
Last edited:
4
•••
Everyne was out for blood...

Last time Rob commented on a forum thread attacking him, he only self-slaughtered. I'm glad this time around, he kinda just laid back and made sure what actually mattered was taken care of -- security. Then he posted and it wasn't out of heat of passion or anything -- he simply gave an update. Good on Rob


I lean towards non-alt-right, so I don't agree with Epik harboring sites that have a dangerous call to action, like with Gab and that KKK forum that was banned from Google.

I also don't agree when Rob linked the NZ massacre on Twitter!

But I admit that Epik and Rob are probably one of the most top notch registrars in terms of like security and innovation.

Everyone mostly went off the rails and said all hell was breaking loose and everything was leaked in plaintext and AUTH CODES and whatnot... but the truth is -- no one has lost a domain. No one lost access to their accounts. No one's pw was compromised (i think)

Because Rob said they most likely hacked some legacy Epik system that's no longer holding valuable info.

There wasn't even a system downtime tbh. Everything ran smoothly as though the hack never happened.

It was basically a smear campaign. Thta's what I think... I hope more updates into the situation are released soon... but I mean I received both Epik emails, the last one saying none of my stuff was compromised.
 
5
•••
Epik will be fine imho. Some damage will happen but Rob is tough, he'll stick it out. I ain't moving a single domain.

The problem with being crazy is crazy people do crazy things. Case in point, I've been transferring domains to epik all week, despite the breach.

Simply because for the most part epik as a registrar works/has worked without much issue, and when an issue arises, there are generally less hoops to jump through to get an epik resolution than there are at other registrars. Not to mention epik's pricing is right most of the time, and thus, seemingly a practical solution for holding domains; even though they could do better in areas such as redemptions and warehousing practices. Oh, and apparently they could be better in the safeguarding/hashing of user data.

To me, the politics is similar to chick-fil-a drama. Chick-fil-a/epik was not their highest self, and mistakenly mixed politics with chicken. Then suddenly, it became "uncool" to eat at chick-fil-a despite them having the best chicken and legendary customer service. Seemingly, to an extent chick-fil-a, has taken steps to address their judgmental shortcomings, and get back to being in the chicken business. Either that, or they put something highly addictive in their sauces, because it's hard to stay away from an evil company that makes chicken that freakin delicious.

It is my hopes that epik steps away from the propaganda business and gets back into the chicken domain business. Perhaps epik will finally drop their infectious pillow talking VP, to better direct that reputation draining mouthpiece's salary, into a legendary bug bounty program or to hire a more capable engineer(s).

I'd also like to point out that epik's single greatest loss (possibly an even greater loss than the data) was likely the resignation of @Slanted. No matter how good the ship, or how well dressed the captain appears, never underestimate the value of a hard working first mate. It seems @Slanted was the glue that held epik together during their greatest company growth period, and since his departure epik has seemingly been more about curating their pillow talking process (perhaps a strategic capital raising technique?), rather than further developing their inherited intrust code or expanding agnostic business relationships. eg wasting time/energy picking fights/destroying relationships with dan, paypal, godaddy, escrow, etc. All communication mistakes that no doubt would have been handled infinitely better with a competent executive such as @Slanted close to the helm.
 
Last edited:
7
•••
I fundamentally disagree with Rob on almost all his personal views and doubt we'd get on, but I am with him on his protection of free speech and people's right to be provocative - provided they are not inciting crime. I also sense he would defend these rights for all groups, not just the ones he supports.

I also think Epik has tried to move the domain industry forward. I hope they survive.
 
Last edited:
6
•••
Has <@Braden Pollock> or any other epik board member / executive / investor made any comment on this instance yet?

<< fictitiously and jokingly tagging @VladimerPutin @MikeLindell @CarrotTop >>
 
Last edited:
1
•••
I only have a few names with Epik since no PayPal option on payments. They have some good ideas and I like various things from their approach. Hope this breach would not affect dangerously user data. Quickly removed my CC details and changed password, but never know...

I wish they take care of these intruders and the below statement would be true

IMG_20210919_085950.jpg
 
2
•••
You can transfer back to losing registrar anytime, within 60 days or is it 45?. Correct me if i am wrong.
To any registrar and anytime (com/net). Within 60 days - if and only if the current registrar so allows. In current situation, Epik should make a decision NOT to prevent such transfers imo... There is no winning love by force.
 
Last edited:
4
•••
Whatever, #IStandWithEpik
#EpikPrevails. #EpikIsEpic.
#ForeverEpik ✊ #Epik🏆

I firmly believe the legendary Epik team will handle the technical issues. Let's show our support to our #epik on social medias.

Please let me know if there's any other positive # about Epik which is already trending.

Forever Epik. ✊
 
Last edited:
4
•••
Fck epik and Mr monster very slow , lack of communication and so on get God to fix your problems or should that have already happened none believer here signing off. Jump on board Samer .
 
1
•••
One question, cards that used in past but was not stored was leaked ?
Cards that were stored in past but deleted after some time were leaked ?
Does leak include only cards that was stored at the moment to the hack ?

Is there any information about when leak started ?
Is leak uploaded somewhere in public ?
I hope that everything will be ok.
Regards
 
3
•••
Thank you to OP @Silentptnr and users like @Jurgen Wolf for staying on this, and actually getting this company to step up and write an email to their customers on a Saturday night.

It only took 30 pages and customers begging.
 
11
•••
I received the securiry warning from Epik yesterday.
What I don't understand is that Epik only advises you to do, is to inform your creditcard company about this.

What Epik forgets to advise:
CHANGE YOUR EPIK PASSWORD IMMEDIATELY!

If hackers have access to your username and password, thats the first thing you need to change.
That Epik forgets to advise you to change your pasword is an epic fail in communication.


Just read this. Looks like Epik may have been hacked and sensitive data compromised...
 
Last edited:
4
•••
I firmly believe the legendary Epik team will handle the technical issues.

Legendary MARKETING team, yes.

Technical team looks straight doo-doo.
 
1
•••
To any registrar and anytime (com/net). Within 60 days - if and only if the current registrar so allows. In current situation, Epik should make a decision NOT to prevent such transfers imo... There is no winning love by force.
I believe 60days rules was imposed by ICANN, and if a registrar lets you move yours with that 60days they are breaking the rule
 
1
•••
Is leak uploaded somewhere in public ?
Yes, public torrent is available...
+ hackers have this entire and uncensored DB backup as of Feb'28/March'1.

Replace your CC and also don't store it in Epik account, change credentials and enable 2FA.
Hard minimum what you must do.
 
Last edited:
2
•••
Last edited:
5
•••
When you are buying/selling domain names, you are running a business and should not fall in love with a person or company.
Staying with a damaged company will limit your ability to sell to a bigger market as many sellers will stay away from them.
Also remember this hacking is not a random hacking but targeted hacking due to political views from the company.
The company has records of supporting many political groups in the past so there is no warranty that this is the only incident.
Don't put all your eggs in one basket and make sure you make a right/smart business decision.
If you are still in love with the man then you should settle that private matter in a bedroom.
Going against the odds will not prove anything.
 
Last edited:
14
•••
When you are buying/selling domain names, you are running a business and should not fall in love with a person or company.
Staying with a damaged company will limit your ability to sell to a bigger market as many seller will stay away from them.
Also remember this hacking is not a random hacking but targeted hacking due to political views from the company.
The company has records of supporting many political groups in the past so there is no warranty that this is the only incident.
Don't put all your eggs in one basket and make sure you make a right/smart business decision.
If you are still in love with the man then you should settle that private matter in a bedroom.
Going against the odds will not prove anything.
I will expand your (right) thoughts. The real target of those who did that is to eliminate the ''workers'' from the ''believers''. Anyone who stay, will be in the same political direction with the registrar. It simply means that they may potentially be their next target. I hope i am wrong.
 
Last edited:
3
•••
In other words, don't deal with toxic parties and be happy.
 
3
•••
Back