
alert Epik Had A Major Breach


DaveX

@GoDaveX, Top Member
Free speech boomerang for Rob...
 
1
•••
Free speech boomerang for Rob...


Rob doesn't agree with free speech. He has tried to get me banned here, on Twitter and on Gab. And now one of his shills is trying to get me banned here using fake multiple accounts. Rob is not a good guy and he has hurt a lot of people.
 
0
•••
It would be better if you didn't tell me what to do and started caring about others, the 100,000 people who have had their lives destroyed by an arrogant, insane fake Christian man. I confronted Rob years ago about his lies and lack of concern for his users' privacy and now we have this and based on his arrogant and insane response thus far he doesn't care.

And btw, you haven't seen anything yet. I am going to punish Rob for this greatly and anyone foolish enough to defend him.
Wow, your animosity is remarkable. Especially considering that you said you were a Christian yourself in your first post in this thread from memory. Obviously, as a Christian, you would know all those verses about 'He who is without sin, cast the first stone', and so on. And yet it seems your sole purpose here is to share how you are going to take revenge on Rob.
 
0
•••
I have come across registrars that force you to save a card just to open an account. I don't like it.

BUT the simple method for removing the card is just: add other payment method: add Paypal.
Then delete the saved card at the registrar because they now allow that because you have another payment method saved.
Then go into the Paypal account and cancel the recurring payments authorisation for that merchant - they now cannot get payments from you unless you specifically authorise them.

Just because you are "saving your credit" on a particular site does NOT mean that website is actually storing your credit card details. In almost all cases there is a secure API which connects that website with a payment gateway, like Stripe, PayPal or Authorize.net. That is the issue, Rob/Epik apparently actually stored the details on their own server.
 
1
•••
Epik reported CC info was obtained for "a small subset of users". The total number of users affected was 110,000. So this 38,000 amount is not really a small subset.

Yes, calling that a "small subset" is grossly misleading in my view.

Brad
Question is how many total users does epik have.
Because 110.000 is a lot.
If 110.000 was the total users.
How many total cards were actually used on epik?
38.000?

Because I'm sure many users never made a single transaction, and others used other payment methods such as PayPal from the time it was available.

Does any tech guy know how many accounts are actually on epik?
 
0
•••
Wow, your animosity is remarkable. Especially considering that you said you were a Christian yourself in your first post in this thread from memory. Obviously, as a Christian, you would know all those verses about 'He who is without sin, cast the first stone', and so on. And yet it seems your sole purpose here is to share how you are going to take revenge on Rob.


I am a born-again Christian and I sincerely care about and love others, but part of loving the innocent is hating evil ones that do such things. Rob and his friends are evil and they deserve to be broke in prison for what they have done. Just like a drunk driver who has had many warnings should be in prison and all his assets taken and given to those he hurt.
 
0
•••
It would be better if you didn't tell me what to do and started caring about others, the 100,000 people who have had their lives destroyed by an arrogant, insane fake Christian man. I confronted Rob years ago about his lies and lack of concern for his users' privacy and now we have this and based on his arrogant and insane response thus far he doesn't care.

And btw, you haven't seen anything yet. I am going to punish Rob for this greatly and anyone foolish enough to defend him.
You can say 110,000 lives got destroyed, I will punish him by doing so and so (I can guess you were referring to your documentary).
But things like I'm punishing anyone who supports him, not good. Many are supporting him because they genuinely think he's a good guy with good intentions.

So take it easy.
 
3
•••
In reality right now nobody really knows how all the other 600 or so retail Registrars are handling customer data and its storage.

Brad, I consider you to be a fair and professional member of the forum and as such wouldn't you agree that as we are holding Epik accountable for some of their actions (or lack thereof) but that it's equally important to do an industry-wide inspection of all the security and business practices of all the other Registrars and Registries at this time?

If the goal is to protect the customers (the Registrants) don't you think that there should be some kind of uniform standards and protocols when it comes to keeping customers' data safe and don't you think that ICANN should immediately implement certain safeguards across the board to make sure that the situation with Epik doesn't occur again in the future with any other Registrar?

We need to hold Epik accountable but if the goal is customer (Registrant) safety and security then focusing all our attention on Epik and ignoring all the other 600 or so retail Registrars doesn't sound very smart.

Logic says that we should use this as a learning experience to fix the whole Industry.

IMO

No offense, but this is just deflection. It seems very similar to trying to turn Epik's data breach issue into an ICANN issue before that.

There are uniform standards. PCI compliance.

What Epik was doing is not compatible with those standards. Period.

Again -

PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized. Some service providers offer a concierge-style service, where cardholder details are retained by the provider to facilitate potential future transactions. Retention of card verification codes/values for this purpose is also prohibited under PCI DSS Requirement 3.2.

If you have any information about other companies blatantly violating PCI compliance, I would be more than happy to discuss that, in another thread.

Brad
 
3
•••
You can say 110,000 lives got destroyed, I will punish him by doing so and so (I can guess you were referring to your documentary).
But things like I'm punishing anyone who supports him, not good. Many are supporting him because they genuinely think he's a good guy with good intentions.

So take it easy.

Yes and also a class action lawsuit that is being prepared and hopefully even criminal charges. Also, I honestly don't think anyone is supporting at this point that wasn't complicit or is getting paid to do so.

Rob has made many false claims, endangering the privacy and security of his users and threatened many people for many years for simply exposing these things to get us here. It is like some mafia guy who keeps killing people in drunk driving accidents and then threatens the family of the ones he killed and judges and lawyers to keep out of trouble. This isn't a standalone incident and I don't even think it was incompetence.
 
0
•••
Received this email this morning.




Your password has been reset.

Dear ******************,



Due to the recent security breach at domain registrar Epik, we are taking the precaution to reset your password.



What has been done?

To ensure the integrity of your Escrow.com account we have triggered a password reset of your account to ensure that your account is not compromised by the data leak.

Go to Escrow.com (link disabled for this post)
Your security is our top priority as the world's largest online escrow service. Please follow the reset password process sent to you from Escrow.com or go directly to Escrow.com and follow the steps outlined on our website.



Regards,

Escrow.com Security Team
 
4
•••
Question is how many total users does epik have.
Because 110.000 is a lot.
If 110.000 was the total users.
How many total cards were actually used on epik?
38.000?

Because I'm sure many users never made a single transaction, and others used other payment methods such as PayPal from the time it was available.

Does any tech guy know how many accounts are actually on epik?

As of June 2020, GoDaddy had 20 million customers worldwide.
Namecheap has nearly "2 million customers and subscribers"
GoDaddy is the #1 registrar, Namecheap is light-years ahead of Epik.
So again, does anyone know how many user accounts there are on Epik?
They say this hack impacted 15 million people, customers and non-customers alike.
But given GoDaddy and Namecheap numbers, 110,000 could actually be the total number of Epik customers.

Godaddy
Screenshot_20210927.jpg




Namecheap

Screenshot_20210927-1.jpg
 
1
•••
No offense, but this is just deflection. It seems very similar to trying to turn Epik's data breach issue into an ICANN issue before that.

There are uniform standards. PCI compliance.

What Epik was doing is not compatible with those standards. Period.

If you have any information about other companies blatantly violating PCI compliance, I would be more than happy to discuss that, in another thread.

Brad

Not trying to deflect, why should I?

I don't have a horse in this race either way as my thoughts are not driven by politics or profits, just trying to do what is fair and right when it comes to safeguarding the consumer (Customers and Registrants).

We can have a two-track response to this situation where Epik is held accountable and reformed and for the Industry as a whole to be made safer and more secure.

IMO
 
0
•••
Not trying to deflect, why should I?

I don't have a horse in this race either way as my thoughts are not driven by politics or profits, just trying to do what is fair and right when it comes to safeguarding the consumer (Customers and Registrants).

We can have a two-track response to this situation where Epik is held accountable and reformed and for the Industry as a whole to be made safer and more secure.

IMO

Open another thread then. This thread is about Epik.

I am certainly not aware of any other companies in blatant violation of PCI compliance. If you are, feel free to start a thread about it.

Brad
 
5
•••
As of June 2020, GoDaddy had 20 million customers worldwide.
Namecheap has nearly "2 million customers and subscribers"
GoDaddy is the #1 registrar, Namecheap is light-years ahead of Epik.
So again, does anyone know how many user accounts there are on Epik?
They say this hack impacted 15 million people, customers and non-customers alike.
But given GoDaddy and Namecheap numbers, 110,000 could actually be the total number of Epik customers.

Godaddy
Show attachment 200563

Namecheap

Show attachment 200565

When you consider Epik's total registrations, and that according to records only 2% of their transactions were over $10, and 50% were under $1... I don't think the actual customer base is likely all that large.

You can tell via the numbers above that a large percent of their registration volume appears to be via some type of low-priced promotions.

Brad
 
4
•••
Received this email this morning.



Your password has been reset.

Dear ******************,



Due to the recent security breach at domain registrar Epik, we are taking the precaution to reset your password.



What has been done?

To ensure the integrity of your Escrow.com account we have triggered a password reset of your account to ensure that your account is not compromised by the data leak.

Go to Escrow.com (link disabled for this post)
Your security is our top priority as the world's largest online escrow service. Please follow the reset password process sent to you from Escrow.com or go directly to Escrow.com and follow the steps outlined on our website.



Regards,

Escrow.com Security Team

We've received different emails apparently. Do you think that's because they have their hands on data and know which account passwords were present in the leak and which weren't?

Here is an email I've received:
https://www.namepros.com/threads/epik-had-a-major-breach.1252094/page-66#post-8408157
(EDIT: Link wasn't working)
 
3
•••
When you consider Epik's total registrations, and that according to records only 2% of their transactions were over $10, and 50% were under $1... I don't think the actual customer base is likely all that large.

You can tell via the numbers above that a large percent of their registration volume appears to be via some type of low-priced promotions.

Brad
To me it's evident.
GoDaddy 20 million customers.
Namecheap 2 million customers.
Those 2 being mega top registrars.
A new guy like Epik could have 110,000 total customers, which happens to be a lot, I would have thought less. But I guess there's active customers versus # of accounts.

In other words.
All of Epik's customers' data might have been leaked.
Literally 100% of customers' personal info.
But that, they won't say.

Because why would hackers only leak 110,000.
Why not 10,000. 30,000. Or 100,000.

We've received different emails apparently. Do you think that's because they have their hands on data and know which account passwords were present in the leak and which weren't?

Here is an email I've received:
#1639
I received the same email.
Edit: same email as @Silentptnr, yours I can't see.
 
2
•••
To me it's evident.
GoDaddy 20 million customers.
Namecheap 2 million customers.
Those 2 being mega top registrars.
A new guy like Epik could have 110,000 total customers, which happens to be a lot, I would have thought less. But I guess there's active customers versus # of accounts.

In other words.
All of Epik's customers' data might have been leaked.
Literally 100% of customers' personal info.
But that, they won't say.

Because why would hackers only leak 110,000.
Why not 10,000. 30,000. Or 100,000.


I received the same email.


Also, this data goes back 10 years so I am sure many of those accounts are long since dead. A huge percentage of people probably created an account to look at the interface or do a one-time purchase or transfer.
 
3
•••
Rob doesn't agree with free speech.
....but he agrees in free speech for hate groups that can't get it anywhere else? Karma has come back to bite Epik, and from my initial post in this thread, I just wanna say - I WAS RIGHT.
 
0
•••
There, 2021.

GoDaddy is the top registrar by domains under management.
Namecheap is second.
Then there is a plethora of registrars.

GoDaddy has 76 million domains, 20 million customers.
Namecheap has 12 million domains, 2 million "customers and subscribers".

On domainstate.com there's an August 2020 chart where Epik is #41 on the list with 600,000 or so domains.
And that was before PayPal and Afternic.

Epik, 600,000 domains. Majority of domains owned by domainers with many domains per account.
Then input this data
2% of their transactions over $10, and 50% were under $1. Domainers in action.

I say there's 110,000 accounts at Epik.
Be it 600,000 domains, or 1,000,000.

Screenshot_20210927-2.jpg


Screenshot_20210927-3.jpg


Screenshot_20210927-4.jpg
 
0
•••