
alert Epik Had A Major Breach


DaveX

@GoDaveX, Top Member
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
I made it to the top 300 customers ;D

Well it's sad to see my CC in a "txtCC" field, with "txtCVV". Sad story ;(

Also, Epik_Registrar_UploadedFiles_Loader seems to store documents in a directory, rather than a sql file.

Haven't seen those folders.


As for how hackers exploit servers: gaining root access to a server is just a matter of exploiting a listening daemon and injecting shellcode, such as an overflow in sshd found by debugging the ELF, or even some vulnerable part of Zend code.

What usually happens is that after a hacker gains access, a monitoring service should invoke a shutdown mechanism, such as a kernel panic. That is why Gmail servers can be hacked, but the data will almost never survive the hack.

The simple explanation for dropcatching is that it starts with the WHOIS record. There were quite a few of those in the Epik dataset. A WHOIS record will have the creation date for the domain name, its expiry date and its last modified date. When you have that data, you know when a domain name is up for renewal and likely to drop if not renewed.

It's trivial to figure out domains that enter Redemption; as you know, just downloading the zone file and doing sort | uniq -u will give you the domains with changed status (deleted from zone).

As for creation_date and exp_date, you can send 150 million TCP packets to Verisign WHOIS, which will give you full data in under an hour, using several IPs if needed.

So I don't think anyone gains any useful insight with the leaked 1 million whois data. Only the owner details of course.
 
9
•••
@DAN.COM
@Sedo
@Joe Styler

Your Escrow accounts at Epik may be compromised.
Even if they sold sexynazis.com and took hold of it.
A simple PR statement would be all it takes to save their reputation.
Meanwhile somehow might have leaked all of their customers' data.
Like a kid who stole candy and knows his mother saw him, he's waiting to see how things unfold.

Will it be the end.
Or more lemonade?
 
2
•••
What I want to see is a list of the aftermarket domain sales that happened at Epik, with prices.

For instance, all .com domains where sale price was greater than, say, $100.

@Michael @Ron Jackson @GeorgeK @Joe Styler
 
0
•••
Epik doesn't report anything, as far as I know.
And DNJournal doesn't publish .com sales below $2K.
 
0
•••
What I want to see is a list of the aftermarket domain sales that happened at Epik, with prices.

For instance, all .com domains where sale price was greater than, say, $100.

@Michael @Ron Jackson @GeorgeK @Joe Styler

That would be illegal, and very sleazy. Someone doing that is risking getting sued by either the buyers or sellers... and especially some of the buyers would include very large companies with deep pockets to sue.

Before 2-3 years ago, Epik was just a regular registrar that also had a sale system (like Dynadot, NameSilo, etc.), and even now, I bet a lot of Epik customers don't know about the controversies. The customers are victims of this hack, and there's no reason to victimize people further.
 
9
•••
It's trivial to figure out domains that enter Redemption; as you know, just downloading the zone file and doing sort | uniq -u will give you the domains with changed status (deleted from zone).
The zone file does not include domain name status. It would be necessary to compare the extracted lists of domain names from two zone files to detect which domain names from the older list had been deleted. The problem is that the larger registrars, including Epik, no longer let potentially valuable expired gTLD domain names go through the natural deletion process.

Rather than seeing a domain name drop from the zone, the first sign of a non-renewed domain name may be a change of website IP or a PPC parking/sale page instead of the previous website content. That may not even require a change to the WHOIS record if the registrar is providing DNS service. If the domain name is not hosted on the registrar's nameservers then this information will change and that may be seen in an updated set of nameservers for the domain name in both the zone file and the WHOIS record. (A slightly different kind of changed status to a deletion.) An updated WHOIS record may help determine if it was an expiration shift or the registrant moving to a new registrar. All expiring domain names are not targeted for resale. There are hundreds of millions of domain names that were registered, were deleted and were never reregistered. Some will go through the natural renewal/delete process but may be picked up by dropcatcher registrars if there is some interest in them. Think of it like a trickle-down process.

Previously, this was the cycle: registration - usage - renewal/deletion.

Now there are two paths for expired domain names:
Registration - usage - expiry (if valuable, registrar -> auction site).
Registration - usage - expiry - deletion.
After deletion, the dropcatcher registrars may quickly reregister a dropped domain name.

The "good" domain names are generally moved to auction sites for sale. Beyond the basics, (aged, short, single word, high value keyword, good backlinks, age) evaluating what is a good domain name can be a difficult task. According to some tweets, there appears to be some traffic data on Epik hosted redirects. That can be quite useful in determining potentially valuable domain names.

So I don't think anyone gains any useful insight with the leaked 1 million whois data. Only the owner details of course.
If Epik, or whoever scraped the records, was targeting potentially valuable domain names then it has done some of that research. If there is pricing, backlinks, website authority ranking data and keyword breakdowns, then it may provide a lot of insights.

Regards...jmcc
 
5
•••
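[Added example, not part of any post in this thread] The two-snapshot comparison described in the post above, written from the point of view of a registrant or brand team watching names it cares about: it reports names that left the zone and names whose nameservers changed, and shows why `sort | uniq -u` over both lists loses the direction of the change. The zone lines, domain names and nameservers are constructed, and the one-record-per-line format with fully qualified names is an assumption.

```python
from collections import defaultdict

# Constructed snapshots in zone-file style (owner, TTL, class, type, rdata).
OLD_ZONE = """\
example-one.com.   172800 IN NS ns1.hostco.example.
example-one.com.   172800 IN NS ns2.hostco.example.
example-two.com.   172800 IN NS ns1.hostco.example.
example-three.com. 172800 IN NS ns1.otherdns.example.
"""
NEW_ZONE = """\
example-one.com.   172800 IN NS ns1.hostco.example.
example-one.com.   172800 IN NS ns2.hostco.example.
example-three.com. 172800 IN NS ns1.parking.example.
example-four.com.  172800 IN NS ns1.hostco.example.
"""

def delegations(zone_text):
    """Map each delegated name to its set of nameservers (NS records only)."""
    ns_by_name = defaultdict(set)
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].lower().split()
        i = 1  # skip optional TTL and class to find the record type
        while i < len(fields) and (fields[i].isdigit() or fields[i] == "in"):
            i += 1
        if i + 1 < len(fields) and fields[i] == "ns":
            ns_by_name[fields[0].rstrip(".")].add(fields[i + 1].rstrip("."))
    return dict(ns_by_name)

def compare(old_text, new_text):
    """Directional diff: names gone from the newer file, new names, NS changes."""
    old, new = delegations(old_text), delegations(new_text)
    return {
        "deleted": sorted(old.keys() - new.keys()),
        "added": sorted(new.keys() - old.keys()),
        "ns_changed": {n: (sorted(old[n]), sorted(new[n]))
                       for n in sorted(old.keys() & new.keys()) if old[n] != new[n]},
    }

def uniq_u_equivalent(old_text, new_text):
    """Names present in only one file, as `sort | uniq -u` over both lists
    would print them: additions and deletions mixed, direction lost."""
    return sorted(delegations(old_text).keys() ^ delegations(new_text).keys())

if __name__ == "__main__":
    report = compare(OLD_ZONE, NEW_ZONE)
    print("deleted from zone:", report["deleted"])
    print("nameservers changed:", report["ns_changed"])
    print("uniq -u style output:", uniq_u_equivalent(OLD_ZONE, NEW_ZONE))
```

A name that stays in the zone but moves to different nameservers appears only under `ns_changed`, which is the case the post describes for expired names that are not allowed to drop.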
Already 2 weeks since this thread was started...
And volume of people with Stockholm syndrome is trending up...
 
1
•••
The number one problem with people is "everything is about me".
They try to search the internet and prove that they know more than other people and if someone does not agree with them then they start to fight.
That's why there are a lot of posts that are off topic.
They need to focus on how to get more details about the incident in order to help the victims who are the customers in this case.

And the last thing they should stop is defending Rob or Epik.
It's so obvious that Rob screwed a lot of customers so stop defending him.
If you are still in love with Rob then send him a personal love letter/email, don't post here.
Also, a personal attack does not make you a hero. It's just wasting people's time.
 
7
•••
That would be illegal, and very sleazy. Someone doing that is risking getting sued by either the buyers or sellers... and especially some of the buyers would include very large companies with deep pockets to sue.

Before 2-3 years ago, Epik was just a regular registrar that also had a sale system (like Dynadot, NameSilo, etc.), and even now, I bet a lot of Epik customers don't know about the controversies. The customers are victims of this hack, and there's no reason to victimize people further.
The person sharing that info is the least of their worries.
Customers include those big domain buyers who created an account and made a purchase.
They were also leaked.
Domain. Price. Name. Address. Email. Phone number. Credit card details. Password... forget about NDA.

The info has already been made public (through Epik's security measures), only a matter of time until some Twitter account posts it.
 
1
•••
Previously, this was the cycle: registration - usage - renewal/deletion.

Now there are two paths for expired domain names:
Registration - usage - expiry (if valuable, registrar -> auction site).
Registration - usage - expiry - deletion.
After deletion, the dropcatcher registrars may quickly reregister a dropped domain name.

I have noticed that some domains are just kept in limbo,

They don't exactly go through the expiry cycle and they don't go to auction.

It appears that some registrars want to bypass the ICANN rules in order to keep certain valuable domain names for themselves.

It used to be that Registrars were prohibited from engaging in direct competition with the Registrants over domain names,

But now that the Registrars (and some Registries) are amassing very large portfolios themselves it seems that many of the original rules are now being ignored.

IMO
 
0
•••
even though I'd say 99% of Epik customers are regular people, many of whom became customers years ago, when Epik was just another registrar and not controversial.

There’s a saying ‘You are the company you keep’.

I’m sorry but I don’t buy into the whole “99% of people who use Epik are regular people” regular people wouldn’t drink in a bar if this bar had a sign on the front door saying ‘Nazi’s/extremists welcome’ if you choose to still drink in this bar after seeing this sign, that says something about who you are as a person.
 
3
•••
It appears that some registrars want to bypass the ICANN rules in order to keep certain valuable domain names for themselves.
That ICANN rule on registries not owning substantial shares in registrars was changed a few years ago. Think it was just before the launch of the 2012 round of new gTLDs.

Some domain names may also be frozen due to legal action.

Regards...jmcc
 
1
•••
In a way you got to feel a little sorry for Rob, I mean he had to meet all his payrolls and registrar and registry fees and all he had to work with was mainly a bunch of Nazis and Domainers.

I wonder which group was worse, at least the Nazis didn't keep twisting his arm everyday asking for discounts. ;)

You're right @oldtimer, Nazis are less worse than domainers. LMAO

Tell me who your friends are and I'll tell you who you are.

No one twisted Rob's arms for discounts. It was a business decision to draw customers away from the competition.


That comment of yours is very surprising and very telling.

I am looking at this situation as an impartial and unbiased observer,

I don't belong to any extremist groups whether on the Right or on the Left as I believe that those who are controlled by any kind of extremist ideologies are not capable of seeing the big picture.

There is so much about Race and Racism that people don't know or that they choose to ignore.

I might open a thread to Discuss Race and Racism in the near future if that's okay with @Paul (I have promised him not to be too disruptive with my comments and threads here on NamePros).

IMO

PS: I don't want the Mods to open a thread on my behalf. I'll do it myself if and when I am ready to do so.
 
0
•••
That ICANN rule on registries not owning substantial shares in registrars was changed a few years ago. Think it was just before the launch of the 2012 round of new gTLDs.

I know that, but what about the Registrars keeping the domains for themselves.
 
0
•••
I know that, but what about the Registrars keeping the domains for themselves.

This is nothing new. Registrars have been warehousing domains for years whether it is directly allowed or not.

Web.com (Network Solutions) & New Venture Services Corp as an example.

Brad
 
4
•••
This is nothing new. Registrars have been warehousing domains for years whether it is directly allowed or not.

Web.com (Network Solutions) & New Venture Services Corp as an example.

Brad

I am talking about when the Registrars don't let the domain names go through the expiry cycle for the sole purpose of wanting to keep them for themselves.

IMO
 
0
•••
I am talking about when the Registrars don't let the domain names go through the expiry cycle for the sole purpose of wanting to keep them for themselves.

IMO

Yep, so am I. New Venture Services Corp basically just cherry picks the names they want to keep from Web.com portfolio over many years.

Brad
 
3
•••
Yep, so am I. New Venture Services Corp basically just cherry picks the names they want to keep from Web.com portfolio over many years.

Brad

And that's okay with ICANN
 
0
•••
And that's okay with ICANN

Well, they have not done anything about it. There are plenty of rules and regulations registrars seem to ignore with no enforcement from their end.

Brad
 
1
•••
Well, they have not done anything about it. There are plenty of rules and regulations registrars seem to ignore with no enforcement from their end.

Brad

And we all know why that is,

A lot of the people at ICANN that are responsible for watching after things like these are directly or indirectly involved with the Registrars and Registries for personal gains.

Some do it after they leave ICANN and some do it while they are still there.

IMO
 
1
•••