Epik Had A Major Breach

Sad to learn of the data breach at epik.
I hope they come out of this situation better and stronger.

Epik is a Domainer friendly brand.
An Innovative company.
Good customer service.
Best registrar for those intending to get started with domaining.
Attractive domain registration price (.com, .VC, .co, etc).
Good program/resources for would-be domainers (domain graduate, domain loans, etc)

I sincerely hope these good qualities of epik don't get lost with the breach.

However, I know this will terribly hurt the epik brand (already has).

As an epik customer, I am sad my private data is out there (2 email addresses pwned).

I am also sad this would probably hurt sales of my domains registered at epik.

Maybe they should have done better at protecting customers' data...

But I don't entirely blame epik. They were up against bigger and tougher...

I wish there were a registrar having all the good qualities of epik, and without the politics and the controversies... :|
 
•••
Some of you really need to blink three times if you're posting under duress, wow.
 
•••
That's pretty ironic coming from someone who attacked me for saying some mean things about a company that lied to their customers for a decade about how secure their stuff was.

NamePros members are usually very welcoming to new members, although when you jump into the middle of a thread like this you might not see the friendly side of things.

At some level a lot of domainers consider Rob to be a friend for the simple fact that in the past he has gone out of his way to personally help them with their domain names and as such I don't think that there are many people here that believe that Rob intentionally has tried to deceive them.

In a way Rob has been a victim of his own high ambitions which caused him to use some substandard means to expand his company and to make it more popular.

Although Rob has somehow been involved with some AltRight groups for the sake of protecting their right of Free Speech, he has also been very tolerant and accommodating to many others who in some cases have had opposing views.

As a Human Rights and Environmental intellectual and activist I myself have been a pain in the neck for Rob on many occasions, but that didn't stop him from helping me with some of my domains that had expired by renewing them and letting me pay for them a few months later, which I did.

There is a bond amongst domainers here that transcends politics, religion, race, and national origins and so it should be understandable that a lot of domainers think of Rob as a friend and are protective of him. I assume that they do the same thing for any other member here that might get in trouble.

Aside from the lapses in judgment concerning security, Rob has always tried his best to stand for Free Speech and some of us here made sure that he kept on the right track. Perhaps it was protecting everyone's Freedom of Speech that has gotten him in trouble now.

https://www.namepros.com/threads/do...se-whose-opinion-is-of-no-consequence.1202601


IMO
 
•••
I want to make it very clear at this point that we will not be permitting personal attacks against researchers. Whatever you may think of Epik, there was an immense degree of irresponsibility here, and it makes no sense for us to grant any degree of tolerance to personal attacks against the people trying to analyze the data.

They are doing our industry a favor by investing their time into enumerating a massive dataset. It's hard to relay just how much text fits in 150 GB. It would be different if it were mostly photos or videos, but text takes up far less space. If we were to combine all of the text on NamePros, it would barely put a dent in 150 GB.
 
•••
As seen earlier in the case of Le Monde's Epik Fail report this community has the power to correct factual errors in the press about this topic, so if you've seen any factual errors in the Washington Post story just show me where the factual error is so I can make them issue a correction.

(PS: All this is done without harassing or doxxing any reporter)
Thanks for the offer, though I don't have time to be critiquing (editing) articles in the Post or anywhere else to be honest. I don't sleep much as it is. ;)

As Tony said:
Trust me, the article should be rewritten 100%.


I think domain investors knew what their money was supporting, and can't pretend they didn't.
I don't agree at all. I've been paying for my domains. Not supporting anything else. I have largely steered clear of reading the copious amounts of political stuff on these boards as I didn't want to waste my time on it. I know a lot of Americans think they're the only country on earth (and forget that US politics doesn't mean a whole lot to us foreigners), but for many of us, we're here as domainers, not as political commentators.
 
•••
Could you summarize some of the things you already discovered and/or confirmed?
Sure. I don't remember every interesting thing I've taken a peek at, but I have talked about most of it on my Twitter. Some of my Tweets were already embedded above, but I'll go over everything again.

  • The Epik API database includes tables with backordered domains, both pending and delivered, dating back to 2010
  • The PowerDNS database includes tables with domains, resource records, and historical resource records for every zone that was ever hosted at Epik's nameservers.
  • There are two MyDNS databases that seem to contain similar data to the PowerDNS database, but for InTrust Domains before Epik acquired them, and perhaps Epik's shared hosting service respectively. (UNCONFIRMED)
  • The Epik API database includes a table with every domain modification operation that was performed through Epik's control panel. This includes every uncloaked, real whois entry Epik ever had for every domain that was ever registered with them. No Anonymize here. This data dates back to 2011.
  • In the same API database there is also a table that appears to include logs and responses for commands Epik was sending to the registry's EPP Proxy. I don't know how much of this there is or what's in it.
  • There is a mail redirection database that appears to contain every email address that was in Epik's mail forwarding system. I believe this data is from the (free?) basic email forwarding service, and includes domains, alias addresses, and destination addresses. Catch-all forwarding too.
  • Epik's Anonymize dot com service offered a paid "anonymous" email service. The mailbox table includes mailbox addresses, usernames, and passwords in plaintext. Information about which mailboxes are owned by which customers isn't stored in one table, but it is very easy to associate a mailbox with the invoice that paid for it, which includes the customer's name, billing email, physical address, partial credit card numbers, CVV codes and more. Basically, it wasn't anonymous at all.
  • There is a table that contains domains, usernames, and passwords for Epik shared hosting accounts. I speculated that this was how the hacker logged in and defaced the Texas GOP's website. I confirmed that there was an entry in that table for texasgop dot org.
  • There is a table that appears to include every domain that was ever in the cart system on Epik's website. People on Twitter speculated that they were storing this information for front-running purposes, but I'm skeptical of that for a few reasons.
  • I found a table that included mailer logs for all of the registrar related emails that Epik sent out, including domain expiration notifications. The data wasn't for all time or anything, I don't remember what the start and end dates were, but it was mostly in 2020. Oddly, one of the columns in this table indicated that Epik has been Bccing ALL of these emails to an account on a seemingly random domain that is operated by one of their customers. I looked up the domain's invoice and it was paid for by a customer in Russia. I am willing to provide more info about this domain if it's allowed here.
  • There is a table with all of the invoices for Epik's registrar. I haven't investigated this table very much, only used it to look up who was paying for a few domains. I know it includes at least domains, customer names, billing emails, physical addresses, and payment information of some description. I used this table to look up the information mentioned above.
  • There is another email related table. I believe this table was used for Epik's paid email hosting for domains that were registered with them. The table includes mailbox names, usernames, passwords, alias addresses, and destination addresses.
  • There is a table with redirect stats for domains that were using the (free?) URL forwarding service. It includes the redirected host, target URL, and click counts.
  • There is a table with log data from Epik's marketplace website. I didn't investigate it thoroughly, but at the very least it seems to contain records of all search requests that were submitted to the marketplace.
  • Epik's shared hosting service appears to have had 6 servers, 4 of them used the same username and password for the API that the main website used to communicate with them. The two that used different credentials included one that used a different username only, and one that used a different password only.
  • There's a table where they logged a bunch of registrar actions during a period from the end of 2014 to some time in 2015. This table includes tons of domain availability checks among other stuff.
  • There is a supposed "domain info cache" table that doesn't contain a massive amount of data, but does contain a large number of scraped whois records from domains that weren't registered at Epik. I suspect this is where at least some of the emails of non-Epik customers which haveibeenpwned users were so surprised about came from.
  • I don't think I posted this on Twitter, but I remember finding a table that appeared to contain fairly detailed logs of every request that was sent to Epik's parking service. I can look this up again if anyone is interested.

That's everything I can think of. If anyone has any further questions about the stuff above or wants me to look for something specific, I'll be keeping an eye on the thread. My messages are also open.

(edited: fixed my bulletpoints)
 
•••
To add onto what @FiniteCrystal found, as I've been focusing on data that could be a direct security risk to NamePros and its members:
  • Epik seems to have had a habit of storing unstructured, serialized PHP objects throughout the database that contain a wealth of problematic info, including security questions/answers and complete, uncensored credit card info.
  • There's an indication that a lot of passwords (or hashes) were removed by the attacker prior to publishing the data. This is concerning, as that data may be released by the attacker later.
  • Failed login attempts appear to have been stored with plaintext passwords included.
 
•••
There is a bond amongst domainers here that transcends politics, religion, race, and national origins and so it should be understandable that a lot of domainers think of Rob as a friend and are protective of him. I assume that they do the same thing for any other member here that might get in trouble.
I understand and respect that, but when you're a member of a marginalized community that is often targeted by the groups that Rob is willing to stick up for and serve even when nobody else will, it's impossible to set politics aside. It's impossible to be "apolitical" when the validity of your humanity is a political issue.
 
•••
I found a table that included mailer logs for all of the registrar related emails that Epik sent out, including domain expiration notifications. The data wasn't for all time or anything, I don't remember what the start and end dates were, but it was mostly in 2020. Oddly, one of the columns in this table indicated that Epik has been Bccing ALL of these emails to an account on a seemingly random domain that is operated by one of their customers. I looked up the domain's invoice and it was paid for by a customer in Russia. I am willing to provide more info about this domain if it's allowed here.

Well that's certainly an interesting development.
 
•••
You want to be objective? Epik was storing tons of data that they probably shouldn't have stored at all, in plain text. That's a fact. Does anyone have any interesting questions as to what that data includes? I'd be happy to take a look and report back.

I bet there is a lot of interest in whether aftermarket sale prices of domains are findable there.
 
•••
  • Epik seems to have had a habit of storing unstructured, serialized PHP objects throughout the database that contain a wealth of problematic info, including security questions/answers and complete, uncensored credit card info.
  • There's an indication that a lot of passwords (or hashes) were removed by the attacker prior to publishing the data. This is concerning, as that data may be released by the attacker later.
  • Failed login attempts appear to have been stored with plaintext passwords included

I am purely guessing here, but based on my time using Epik and required steps, I think the security questions/answers were part of the previous owner (before Rob changed the name).

My hope is the hacker is not releasing that info so as not to call a lot of digitally savvy people down on them...lots of coding talent concentrated in the domain world. (I am not one that has such skills).

Just wanted to say I appreciate your input in this thread...those with names registered at Epik need accurate information and unbiased examination.
 
•••
Failed login attempts appear to have been stored with plaintext passwords included.
I forgot about that. As I Tweeted earlier, I can confirm that all failed login attempts dating back to 2011 were stored with email addresses and passwords in plaintext. This is very, very stupid. So incredibly stupid I can't imagine what sort of mental state the webmaster must have been in when they opted to do such a thing.

Oh, and thanks for sticking up for me, @Paul. I'm glad my efforts here are appreciated by the site's staff.
 
•••
I understand and respect that, but when you're a member of a marginalized community that is often targeted by the groups that Rob is willing to stick up for and serve even when nobody else will, it's impossible to set politics aside. It's impossible to be "apolitical" when the validity of your humanity is a political issue.


I understand your point of view,

But the problem is that most people are only critical of those that they consider to be on the opposite side of the political and social spectrum and in most cases choose to completely ignore the shortcomings from the side that they are aligned with themselves.

Criticism has to be 360 degrees in order to be valid.

IMO
 
•••
I forgot about that. As I Tweeted earlier, I can confirm that all failed login attempts dating back to 2011 were stored with email addresses and passwords in plaintext. This is very, very stupid. So incredibly stupid I can't imagine what sort of mental state the webmaster must have been in when they opted to do such a thing.

It was probably an attempt to crack down on attacks. While storing all the attempts in the clear for eternity certainly wasn't the correct way to go about that, it could at least provide some insight into the credential stuffing attacks that the industry has been facing recently.

Oh, and thanks for sticking up for me, @Paul. I'm glad my efforts here are appreciated by the site's staff.

We try to do our best to maintain a neutral stance, although that's difficult to do when a company as divisive as Epik is in the spotlight. We certainly don't allow personal attacks, though; condescending, exclusionary rhetoric has no place on NamePros, and we expect our members to welcome professionals from other industries, especially when they have insight to offer.

But the problem is that most people are only critical of those that they consider to be on the opposite side of the political and social spectrum and in most cases choose to completely ignore the shortcomings from the side that they are aligned with themselves.

Indeed, and the people who know better tend to be less vocal, so we have threads that devolve into flame wars.

If you've been watching from the sidelines to avoid the controversy, now would be a great time to chime in and drown out the emotional outbursts.
 
•••
Sure. I don't remember every interesting thing I've taken a peek at, but I have talked about most of it on my Twitter. Some of my Tweets were already embedded above, but I'll go over everything again.

[...]

Thank you for providing this summary of findings so far @FiniteCrystal
 
•••
I bet there is a lot of interest in whether aftermarket sale prices of domains are findable there.
A lot of the data regarding aftermarket domains is scattered around and difficult to parse, but I'd wager that a lot of it is. There are a lot of tables that refer to aftermarket domain sales, and many of them have amount or price columns. If anyone has more specific questions about these tables I'd be happy to look into them.
 
•••
Sure. I don't remember every interesting thing I've taken a peek at, but I have talked about most of it on my Twitter. Some of my Tweets were already embedded above, but I'll go over everything again.

[...]

Thanks for the contribution. It's eye-watering for sure. And makes me glad that I have used Epik only as a registrar to date (not for hosting, email forwarding, marketplace, or anything else).
 
•••
@FiniteCrystal @Paul
I have an ultra-specific question: If I supply you with my IP, can you return the 'password list' of my failed login attempts?
 
•••
It was probably an attempt to crack down on attacks. While storing all the attempts in the clear for eternity certainly wasn't the correct way to go about that, it could at least provide some insight into the credential stuffing attacks that the industry has been facing recently.
I can understand that, but I don't understand why they opted to store passwords in plaintext, or at all for that matter. That in addition to the fact that they've been doing it since 2011 and never cleared the table suggests gross negligence in my opinion. They easily could have implemented something like fail2ban that blocks an IP address after a number of failed logins without storing the passwords, and cleared the email addresses of these failed logins on a regular basis to avoid holding on to email addresses that weren't even valid. Notifying customers of a failed login is cool, keeping the email and password of that login FOREVER is not so cool.
 
•••
My opinion on this is this - It serves all you domainers who wrongly trusted Epik, RIGHT.
Well, it's an opinion, but not a nice one. Sure, I trusted them - because they're a registrar. Just like the dozens of other registrars I have used. Nothing more, nothing less. But apparently, I deserve to have my data shared with the world because I used this particular registrar to conduct my business?...
 
•••
@FiniteCrystal @Paul
I have an ultra-specific question: If I supply you with my IP, can you return the 'password list' of my failed login attempts?
Yes, but only if your IP never changed. I can also look up an email address. I can do that, that doesn't necessarily mean I will hand over a bunch of potential passwords for other sites.
 
•••
Yes, but only if your IP never changed. I can also look up an email address. I can do that, that doesn't necessarily mean I will hand over a bunch of potential passwords for other sites.

I would not do this on a forum without knowing anything about the identity of the forum member asking for that specific info.
 
•••
They easily could have implemented something like fail2ban that blocks an IP address after a number of failed logins without storing the passwords

Speaking for NamePros, a much smaller target, fail2ban wouldn't work for us. These days, most of the credential stuffing attacks we see are from large numbers of residential connections, presumably compromised consumer devices. Even a small registrar likely would've seen such attacks years before us.

I don't understand why they opted to store passwords in plaintext, or at all for that matter. That in addition to the fact that they've been doing it since 2011 and never cleared the table suggests gross negligence in my opinion.

Probably, though I've already expressed my frustration and befuddlement at these practices elsewhere in this thread--maybe 500 or so posts ago.
 
•••
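As an added example (not code from Epik, NamePros, or anyone in this thread), here is a failed-login tracker that implements the alternative the two posts above describe: each row stores only a timestamp, the account email and the source IP, never the submitted password; lockout triggers on either a per-IP counter or a per-account counter, the latter covering the distributed residential-IP stuffing that defeats plain IP blocking; and rows are purged after a fixed retention period instead of being kept forever. The account, IPs, thresholds and clock values are constructed sample data.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class FailedLogin:
    """One failed attempt. Deliberately no password field: what the client
    typed is never written anywhere, only which account and from where."""
    ts: float
    email: str
    source_ip: str


class LoginGuard:
    """Failed-login tracker with lockout and bounded retention (constructed example)."""

    def __init__(self, clock, max_failures=5, window=900, retention=86400):
        self.clock = clock                # callable returning a unix timestamp
        self.max_failures = max_failures  # failures tolerated inside `window`
        self.window = window              # seconds the lockout counter looks back
        self.retention = retention        # seconds a failure row is kept at all
        self.log = deque()                # oldest row first

    def purge(self):
        """Drop rows older than the retention period so the table never grows forever."""
        cutoff = self.clock() - self.retention
        while self.log and self.log[0].ts < cutoff:
            self.log.popleft()

    def recent_failures(self, email=None, source_ip=None):
        cutoff = self.clock() - self.window
        return sum(
            1 for f in self.log
            if f.ts >= cutoff
            and (email is None or f.email == email)
            and (source_ip is None or f.source_ip == source_ip)
        )

    def is_blocked(self, email, source_ip):
        # Two counters: per-IP stops one noisy source, per-account stops
        # credential stuffing spread across many residential IPs.
        return (self.recent_failures(source_ip=source_ip) >= self.max_failures
                or self.recent_failures(email=email) >= self.max_failures)

    def attempt(self, email, password, source_ip, check_credentials):
        email = email.strip().lower()
        self.purge()
        if self.is_blocked(email, source_ip):
            return "blocked"
        if check_credentials(email, password):
            return "ok"
        self.log.append(FailedLogin(self.clock(), email, source_ip))
        return "denied"


def demo():
    """Constructed scenario: a stuffing run against one account from several IPs,
    then a retention sweep. Returns (outcomes, rows_before_sweep, rows_after_sweep)."""
    now = [1_600_000_000.0]          # fake clock so the run is deterministic
    guard = LoginGuard(clock=lambda: now[0], max_failures=3, window=600, retention=3600)
    valid = {"alice@example.com": "correct horse battery staple"}   # sample account
    check = lambda e, p: valid.get(e) == p
    outcomes = []
    for i, ip in enumerate(["198.51.100.7", "203.0.113.9", "192.0.2.44", "198.51.100.8"]):
        outcomes.append(guard.attempt("alice@example.com", f"guess{i}", ip, check))
        now[0] += 30
    # the right password is refused too while the account is locked
    outcomes.append(guard.attempt("Alice@Example.com", valid["alice@example.com"], "192.0.2.1", check))
    rows_before = len(guard.log)
    now[0] += 3600 + 1               # retention period elapses
    guard.purge()
    rows_after = len(guard.log)
    # lockout window has expired as well, so the legitimate login succeeds
    outcomes.append(guard.attempt("alice@example.com", valid["alice@example.com"], "192.0.2.1", check))
    return outcomes, rows_before, rows_after
```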
I have an ultra-specific question: If I supply you with my IP, can you return the 'password list' of my failed login attempts?

I'd prefer if we don't get into the habit of encouraging such requests here, as it seems like it could lead to abuse. Furthermore, IP addresses tend to change fairly often, so this wouldn't work too well for most people.

Ultimately, the data is in text form. You could search it yourself if you so desired.
 
•••
I'd prefer if we don't get into the habit of encouraging such requests here, as it seems like it could lead to abuse.
This is the exact reason I won't take requests like that, just confirming that it is possible.
 