alert Epik Had A Major Breach

[DaveX]

Just read this. Looks like Epik may have been hacked and sensitive data compromised...

Read here:
https://domainnamewire.com/2021/09/14/hackers-claim-significant-epik-breach/

Thought I would share this.

 

[oldtimer]

I run a SaaS and have various accreditations. Thing is, no one ever looks at your code. They look at your company's procedures and policies.

Equally, a lot of pen testing isn't worth the paper it's written on.

The reality is you never really know how well an organisation is safeguarding your data. Until they fail...

Blatant lapses in security protocols can be detected through audits by third parties.

Nevertheless how things have been done so far should not dictate how they need to be done going forward.

We need to come up with a fresh and new way of thinking when dealing with problems in the current environment.

IMO

 

[oldtimer]

It is all very high-minded and good to worry about things and say how ICANN should do this or that. It is only by getting involved that you will effect change. Attend some of the meetings, learn about ICANN and the various stakeholders and groups.

Regards...jmcc

As I already said, ICANN needs to take additional measures to protect the Registrants without me having to convince them of that.

Spent too much time arguing about this, I need to go get some fresh air before the day is over.

IMO

 

[Future Sensors]

As I already said, ICANN needs to take additional measures to protect the Registrants without me having to convince them of that.

Sorry to disappoint, but you really have to attend the ICANN meetings.

Do keep us informed.

 

[blockhead]

 

[DomainsMaven]

Thanks to Epik. I received alert on my credit report.

• Dark Web Alert
  
  Compromised Email Address
• Email Address
  
  [email protected]
• Breached Site
  
  epik.com
• Password
  
  Not Exposed
• Date found on dark web
  
  Sep 23, 2021

 

[Bravo Mod Team]

This appears to be someone unaffiliated with ICANN, which is why it's banned.

However, there is at least one account on NamePros that we can confirm is associated with ICANN, but they're currently inactive, so we're inclined to agree with you:

you really have to attend the ICANN meetings

 

[MasterOfMyDomains]

Why do I want to protect the Registrants,

Well because I am a Registrant too

Your comments have nothing to do with Epik. Your ruining this thread. Go start an icann thread

 

[bmugford]

As I already said, ICANN needs to take additional measures to protect the Registrants without me having to convince them of that.

Spent too much time arguing about this, I need to go get some fresh air before the day is over.

IMO

It is just not that feasible that ICANN audits thousands of registrars.

At some point you just need to put public trust in a company. Maybe it would be better for ICANN to drop the hammer on companies that abuse that public trust via their actions.

You make some examples, it is far less likely to happen again.

Regardless, let's try to keep this on topic. This event in unprecedented. This is Epik issue far more than an ICANN issue.

Brad

 

[Digital Universe]

Epik hack is front page news in the print edition of the Washington Post today: https://www.washingtonpost.com/todays_paper/updates/

A snippet from the article:

The Epik spokesperson called the hack “an egregious violation against our users” and said the breached data included up to 38,000 credit card numbers.

 

[Future Sensors]

A snippet from the article:

The Epik spokesperson called the hack “an egregious violation against our users” and said the breached data included up to 38,000 credit card numbers.

Epik reported CC info was obtained for "a small subset of users". The total number of users affected was 110,000. So this 38,000 amount is not really a small subset.

What personal information may have been obtained:
"Name, address, email address, username, password, phone and VAT number (if given),
transaction history, domain ownership, and for a small subset of users, credit card information."​

Data Breach Notification (HTML)
https://apps.web.maine.gov/online/aeviewer/ME/40/68401938-23c3-4279-8bc5-d4782e3cba56.shtml

Data Breach Notification (PDF)
https://apps.web.maine.gov/online/a...fd3-db44-4fd4-b8b8-e2b7285e13e9/document.html

 

[bmugford]

Epik reported CC info was obtained for "a small subset" of users. The total number of users affected was 110,000. So this 38,000 amount is not really a small subset.

What personal information may have been obtained:
"Name, address, email address, username, password, phone and VAT number (if given),
transaction history, domain ownership, and for a small subset of users, credit card information."​

Data Breach Notification (HTML)
https://apps.web.maine.gov/online/aeviewer/ME/40/68401938-23c3-4279-8bc5-d4782e3cba56.shtml

Data Breach Notification (PDF)
https://apps.web.maine.gov/online/a...fd3-db44-4fd4-b8b8-e2b7285e13e9/document.html

Yes, calling that a "small subset" is grossly misleading in my view.

Brad

 

[Future Sensors]

Yes, calling that a "small subset" is grossly misleading in my view.

That could be the subject of a separate investigation by the state of Maine.

 

[Future Sensors]

The Definitive Guide to U.S. State Data Breach Laws (PDF)

https://info.digitalguardian.com/rs...nitive-guide-to-us-state-data-breach-laws.pdf

 

[jmcc]

A snippet from the article:

The Epik spokesperson called the hack “an egregious violation against our users” and said the breached data included up to 38,000 credit card numbers.

That's a lot of credit card numbers in open circulation.

Regards...jmcc

 

[Derek Peterson]

That's a lot of credit card numbers in open circulation.

Regards...jmcc

Yes, but the real issue how and why did Epik have full credit card numbers, exp dates and codes stored on their servers?!?!?! That is not even legal. I hope Epik and Rob Monster get sued into oblivion.

 

[bmugford]

Yes, but the real issue how and why did Epik have full credit card numbers, exp dates and codes stored on their servers?!?!?! That is not even legal. I hope Epik and Rob Monster get sued into oblivion.

Epik is going to have to answer these questions from the credit card companies. Storing credit card information this way, especially CVV codes, is a major no-no when it comes to pci compliance.

Then downplaying it as a "small subset" of customers. We will see what legal and regulatory authorities might have to say about that as well.

Brad

 

[jmcc]

Yes, but the real issue how and why did Epik have full credit card numbers, exp dates and codes stored on their servers?!?!?! That is not even legal. I hope Epik and Rob Monster get sued into oblivion.

It is certainly going to be a problem. Not sure about the legality of the situation.

Regards...jmcc

 

[Derek Peterson]

Epik is going to have to answer these questions from the credit card companies. Storing credit card information this way, especially CVV codes, is a major no-no when it comes to pci compliance.

Then downplaying it as a "small subset" of customers. We will see what legal and regulatory authorities might have to say about that as well.

Brad

Probably going to have to answer to card holders as well. This is more than incompetence. This is intentional. Just read one story of a realtor getting fired in Florida because of Epik leak. Imagine the dissidents in oppressive nations that have been revealed because of this. I sincerely despise Rob Monster more than I can even express.

 

[Future Sensors]

especially CVV codes

https://blog.pcisecuritystandards.o...ed-for-card-on-file-or-recurring-transactions

 

[bmugford]

https://blog.pcisecuritystandards.o...ed-for-card-on-file-or-recurring-transactions

I would be surprised if these credit card companies did not pull their services.

This appears to be such an egregious violation of pci compliance rules.

PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized. Some service providers offer a concierge-style service, where cardholder details are retained by the provider to facilitate potential future transactions. Retention of card verification codes/values for this purpose is also prohibited under PCI DSS Requirement 3.2.