FYI, I just saw the admin account with password 123. That doesn't appear to be an actual internal account. Doesn't seem to have admin perms set, was never a verified email account, and looks like someone simply joined as name "Epik Admin". I see no evidence it's an actual active administrator account with permissions. I also don't see the context for what system it is. It could just be a test admin on a test system. I make those with password of "password" sometimes.
And I do think Epik was wrong in some of its data storage. Passwords as plain text? IMHO there is never a reason to do that. On my own large site I basically did a data purge so good that if the site is hacked minimal damage will occur. I want to actually encrypt even IP's but it's a real hassle. Maybe one day. You can't really encrypt data like email and still maintain effectiveness because of things like a PW reset would have to search the DB. You'd still need a key locally that if found could unlock the entire DB anyways. So even with full encryption it's possible to get owned. Works with PW's only because it's data the server itself never needs to understand what it is. Just that the encrypted PW matches the entry from the member login. Not sure if what I am saying is obvious to people or over their heads. I been a sys admin 20 years. Never sure what level the people around me are at.
Ultimately, PW's in plaintext was unnecessary and bad.
Also note I know the VPN developer that sold it to Epik. I wouldn't be shocked if he's behind the hack. He has a history. But it's probably hacktivists that target Epik over politics.
You can normally tell by reviewing the data when it was grabbed and possibly even the location. Example is my own backups don't include all tables because more than a few are either empty or memory tables (likes sessions) which don't require a backup. A good admin can tell (yes, a good admin wouldn't store PWs in plain text either).
Why would they do that? If you're a customer and you lost confidence you can move. I really really doubt based on what I know about Rob that he'll just give up his hard work because of an embarrassment. This stuff happens to a lot of businesses. Rarely do CEO's resign or the business fail. Chipotle restaurant nearly killed dozens of people and they are still in business. So your CC was exposed, someone knows your address or your name, so freaking what? Everyone acts like they are living in a bubble and that they're doing something so secret that no one can know. Meanwhile the CIA and FBI can track you daily on your phone all they want. Jeez.
Perspective people. Registrar's #1 priority for me is for my domains not to get stolen. Raise your hand if this caused your domain to be lost.
Whois was public data for decades. Changed because of GDPR and the perceptions of privacy. Someone wants to get your identity, they will get it.
I can speak from experience that getting registrar booted over your LEGAL content is a real pain in the ass. Your site can go offline indefinitely simply because your Registrar has some policy about the morals of your content even if it's 100% legal. Most registrars have a huge ToS/AUP with language basically giving them the right to shut you down. It's inconvenient and there isn't a lot of large US based Registrars that you can trust to be censorship free. Epik happens to be one of them.
btw, I was using a secured email that was ONLY for Epik.
Experience has taught me that your security starts at your domains.
The reform is blockchain based domains. When browsers begin to include things like the .eth registry it will get interesting. We won't need centralized registrars anymore.
So you're complaining that public data they scraped has been leaked? You need to think on that a moment.
Epik isn't hosting any Nazi's. Anonymous aren't heros, heck they aren't anything because they don't exist. I can with a straight face make the claim that I am posting this as a representative of Anonymous. I been threatened so many times by "Anonymous" that it's a joke to me.
Definitely a tarnished reputation. Destroyed though? I am not so sure. I have seen worse situations where companies have recovered. Maybe wait and see what Epik does before calling them destroyed. Rob does have an opportunity to make amends, for changes, and new security. Basically imho he gets one chance to do the right thing. Also, Epik isn't targeted by "government agencies". I am sure if LE/FBI sends Rob a subpoena for information he is obligated to provide it and does so. Rob would be in a prison if he didn't, and he ain't, so...
Ever heard of the saying that there is no such thing as bad publicity?
What's their domain numbers from 2 years ago compared to today?
Unfortunately you can't undo a leak. The damage is done. Their priority now should be securing, altering policies, and then providing full disclosure on how this happened and what steps are being taken to prevent it from happening again. What do you think is going to "make anyone whole who suffered damages"? If you want some type of monetary reward you have to sue for damages and actually prove the damages. I don't see how that's going to happen when no domains were lost. Not saying this won't turn into a class action because lawyers love to find ways to sue. This might end up being costly for Rob.
Oh yeah, Cox got me and all I ended up getting was an apology letter even though because of their systems someone had harassed me for months and that my family did indeed suffer mental anguish over it. But Cox just said oops and moved on. I wasn't gonna pay a lawyer $50k to go after them.
How have they messed up your life? Holy mackerel isn't that over-stated a bit? Again, NO DOMAINS LOST.
That's such propaganda. When you run a business like Epik you don't really care who your customers are as long as they are legal and don't violate your terms. I'm sure if Democrats and Marxists wanted domains at Epik he would treat them the say way. That's actually why Rob is in trouble politically because he simply doesn't believe in censorship. How novel an idea that in America you get to say unpopular things. Do you guys forget that Trump got censored and banned basically at every popular social media site? You okay with that? And being the Swiss Bank of Domains imho isn't a bad analogy, the Swiss are neutral.
I do hope that Rob uses this as a teaching moment that he has to run his business with more care. Getting into personal fights even if someone else picks them means you will lose every time. You have to take the high road. Your skin has to be thick. Ignoring the crap is your best weapon. Run your business.
Cancel culture is such BS. Since when did the freedom of the internet become the ability to cancel speech you don't like? No one should be cheering this.
