Epik Had A Major Breach

The views expressed on this page by users and staff are their own, not those of NamePros.
The hacked data is an old backup, the reason for many accounts not related to Epik; that data is old, it gets renewed/replaced, and only some crumbs of value remain to hackers. Then hackers take helium and inflate a fairy tale balloon on (Twitter) which explodes with a simple needle, leaving some rubber to play with.
Want to be on the safe side (?) Reissue your CC; it takes only one week for me and you get new numbers which are no longer in the data. That is how old gets renewed; go make a coffee and forget.

Since most of this pertains to technical information that I can personally check, I'll address the claims here:
  • The hacked data does not appear to be particularly old. The data cuts off between February and March of this year.
  • The backup contains credentials--we call these SSH keys--that could likely have been used to compromise live systems, and it's entirely possible that the hacker did so prior to releasing any data publicly. It also contains various API keys which carry a similar risk.
  • Casting aside whatever may be happening on Twitter, the leak contains a lot of data that was stored inappropriately or should not have been stored at all.
  • There is no shortage of sensitive data in the leak.
  • Much of the valuable data (in the monetary sense) appears to have been redacted by the hacker. They probably still have that data, and it remains to be seen what they'll do with it.
  • Epik was also storing a lot of sensitive data in an unstructured manner. The hacker appears to have neglected to redact this unstructured data. It includes a lot of credit card numbers, personal information, and plaintext passwords--in many cases, information that should not have been stored in the clear. This is serious, and you should change your password on other websites if you use the same password elsewhere.
  • There isn't much difference between compromising a full backup of this caliber and compromising a live system. For the most part, they contain the same data, and compromising one could easily lead to compromising the other.
  • The breach exposes that Epik's security and privacy practices were effectively nonexistent: even the most basic security practices weren't followed in many cases. This would have been unacceptable for any registrar, but given that Epik's selling points were security and privacy, it's especially disappointing.
It seems to me it isn't Kirtaner who needs reminding this is a professional forum.

I don't think it was intended to be a threat; I think it was legitimate confusion. I considered removing the post, but I wanted to give @Kirtaner a chance to respond and set the record straight. I'm not too concerned at this point, but I don't want the thread to escalate into yet another flame war with personal attacks.

There are probably going to be some offensive questions asked without the intent to offend. (Some may also be intended to offend.) As long as @Kirtaner is okay with that and is interested in answering them, we'll try not to stand in the way.
 
Any hints or assumptions on the technical aspects of the hack, logistics etc., or do you prefer to focus mainly on the social aspects, motives behind it?
Things like what exploit was most likely used, how long it took to download, was the supposed backup a live database as well or just SQL dumps, and so on.
I'm here to answer questions in general. If I did know the logistics behind the breach, I would not answer such questions. I am making no statement as to the existence of any knowledge of such.
 
The backups argument falls flat on its face when you realize there were active credentials and SSH keys present that granted access to the main Epik network and web application accounts regardless of where they were initially derived. The backup story could even be damage control. Who knows? The support portal was defaced as a response to the breach denial, even.

It seems unlikely Epik was updating SSH keys very often. Sounds like a good practice though.
 
It seems unlikely Epik was updating SSH keys very often. Sounds like a good practice though.
Irrelevant once a threat actor has gained persistence within a system. Refreshed keys can (and will) be exfiltrated as required.
 
Irrelevant once a threat actor has gained persistence within a system. Refreshed keys can (and will) be exfiltrated as required.

So it could have been a back-up but the keys were used to compromise the rest of the system? What a mess.
 
So it could have been a back-up but the keys were used to compromise the rest of the system?
If that were the case, then it would be a good lesson on backup procedures and ensuring credentials and the like are sanitized before being moved off-site.
 
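The point made above, that credentials have to be sanitized out of a backup before it leaves the site, as an added example (my code, not anything from Epik or NamePros): a pre-transfer gate that walks a backup tree for private SSH keys and plaintext secrets and refuses to ship while any are present. The sample tree it scans is constructed inline.

```python
import os
import re
import tempfile
from pathlib import Path

# Material that should never travel in an off-site backup (added example, not Epik code).
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
    "plaintext_secret": re.compile(r"(?i)\b(?:api[_-]?key|secret|password)\s*[=:]\s*\S+"),
}
MAX_BYTES = 1 << 20  # inspect at most the first 1 MiB of each file


def scan_file(path: Path):
    """Return (kind, line_number) findings for one file; unreadable files are skipped."""
    findings = []
    try:
        text = path.read_bytes()[:MAX_BYTES].decode("utf-8", errors="ignore")
    except OSError:
        return findings
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((kind, lineno))
    return findings


def scan_backup(root):
    """Walk the backup tree; report (relative_path, kind, line) for every hit."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            for kind, lineno in scan_file(path):
                report.append((str(path.relative_to(root)), kind, lineno))
    return sorted(report)


def is_safe_to_ship(root):
    """Gate for the transfer job: a backup leaves the site only if the scan is clean."""
    return not scan_backup(root)


def build_constructed_sample(root):
    """Constructed sample tree: a fake SSH key, a config with a plaintext key, a harmless file."""
    root = Path(root)
    (root / "home/deploy/.ssh").mkdir(parents=True)
    (root / "home/deploy/.ssh/id_rsa").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED-NOT-A-REAL-KEY\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    )
    (root / "etc/app").mkdir(parents=True)
    (root / "etc/app/config.ini").write_text("db_host = localhost\napi_key = constructed-sample-value\n")
    (root / "README.txt").write_text("Nightly backup. Nothing sensitive here.\n")


def demo():
    """Build the sample, scan it, and return (findings, safe_to_ship)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return scan_backup(tmp), is_safe_to_ship(tmp)


if __name__ == "__main__":
    findings, safe = demo()
    for rel_path, kind, lineno in findings:
        print(f"{rel_path}:{lineno}: {kind}")
    print("safe to ship off-site:", safe)
```

The patterns are deliberately narrow; a real deployment would extend them with the formats of the API tokens its own systems issue.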
It’s also worth noting that while private SSH keys were present, I haven’t personally checked their validity, whether they’re password-encrypted, or what sort of access they might have. It’s also possible—though probably unlikely—that the keys aren’t real. My immediate focus right now is ensuring that the leaked data isn’t used to compromise NamePros accounts, not performing a postmortem on Epik’s behalf.

That being said, other portions of the leak demonstrate a lack of basic isolation and security; I would expect to see that same carelessness with regards to SSH keys unless proven otherwise.
 
Any hints or assumptions on the technical aspects of the hack, logistics etc., or do you prefer to focus mainly on the social aspects, motives behind it?
Things like what exploit was most likely used, how long it took to download, was the supposed backup a live database as well or just SQL dumps, and so on.
A complete lack of any semblance of security coupled with the arrogance of someone who claims to have the aforementioned. If you are looking for some complex attack that resembles the scenes from the movie Swordfish, you are likely barking up the wrong tree, but considering Rob Monster with his email Rob(at)epik.com has been on credential stuffing lists since 2019 and according to the leaks he seems to favor a certain password across multiple sites, it would be my assessment that this hack began with a complete lack of digital hygiene. Don’t think anyone busted out a 200 GB hard drive of rainbow tables to penetrate someone who does not even adhere to the bare minimums in risk management; for the love of god, it could have been a 17 year old skid who just learned about Sherlock and put a simple wordlist together and performed a dictionary attack. Speculating as to how it happened is obfuscation from the bigger issue, which is: why was this data not in compliance with PCI DSS, GDPR, CCPA, and many more departures from best practices? Epik has a responsibility as a data owner to ensure the security and privacy of their customer base, as does anyone who does business in this arena. Spending your time looking for the how takes away the credit for who, and in this case the responsibility falls squarely on the shoulders of EPIK for not even having a bare minimum of risk management protocols in place to prevent such things from happening to begin with. Remind me how much salting took place on those MD5 hashes?
 
We could show you the enormously positive reception to Epik Fail in most MSM comments calling Anonymous heroes to the United States, but your brain would probably short circuit.

Free speech does not equate freedom from consequences and I personally hope there are lessons being learned from this event.

Don't platform fascists for short-term gain. You will end up with nothing but long-term pain.


Yeah, actually it does. That is the whole point of free speech in fact. People can express differing views without fear. Who are you to define what is and isn't a fascist and even if they were who are you to punish them for it? The other day, in the Fediverse, I saw a transsexual calling a hard core lesbian a fascist and a nazi. It is all just ridiculous virtue signaling from confused kids.

In many places of the world freedom of speech doesn't exist and it can be very dangerous for them to talk about Christianity or any other religion, so they have to use anon services to talk about the persecution they are experiencing or others are experiencing so they can get help. And I mean real persecution, not just having their feelings hurt. You all probably helped dox a lot of those people. Good people are going to lose their jobs, go to jail or even be killed. You deserve what you get kid.

BTW - The fact that you are trying to punish people for not believing like you and use fear and threats to manipulate them into believing like you actually is the very definition of a fascist, right? I get that you are probably being coerced by some intel agency but a real man would do the time and not hurt others.
 
If that were the case, then it would be a good lesson on backup procedures and ensuring credentials and the like are sanitized before being moved off-site.
I have 0 technical knowledge.
If the hackers entered epik's system.
Did they have access to ALL of the data, or parts of it?
Like everyone's emails names and addresses.
 
Remind me how much salting took place on those MD5 hashes?

That isn't going to mean much to most people. It would be helpful if you explained it.

Yeah, actually it does. That is the whole point of free speech in fact.

As a reminder, you do not have the right to be insulting or disrespectful here--the ability to post on NamePros is a privilege, not a right, and we will very quickly take it away if you're unprofessional or continue to steer the thread off-topic.
 
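The question raised above about salting of MD5 hashes, and the request that it be explained, as an added example (my code, not anything from Epik or NamePros): the unsalted scheme beside a salted, deliberately slow one from the Python standard library. PBKDF2-HMAC-SHA256 and the iteration count are my assumptions for the corrected scheme, not anything the thread says Epik used.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not Epik code. Work factor is an assumption (an OWASP-style 2023 value).
PBKDF2_ITERATIONS = 600_000


def md5_unsalted(password: str) -> str:
    """The weak scheme: one fast hash, no salt. Same password -> same stored value."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash. Returns 'pbkdf2_sha256$iters$salt_hex$hash_hex'."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def distinct_stored_values(scheme, passwords):
    """How many different stored values a user table ends up with under a scheme.

    With unsalted MD5 every user sharing a password shares a hash, so one precomputed
    lookup (the rainbow tables the thread mentions) exposes all of them at once; with a
    per-user salt each entry is unique and has to be attacked separately and slowly.
    """
    return len({scheme(p) for p in passwords})


if __name__ == "__main__":
    users = ["hunter2", "hunter2", "correct horse battery staple"]  # constructed sample
    print("unsalted MD5 distinct values:", distinct_stored_values(md5_unsalted, users))
    print("salted PBKDF2 distinct values:", distinct_stored_values(pbkdf2_store, users))
    record = pbkdf2_store("hunter2")
    print("verify correct:", pbkdf2_verify("hunter2", record))
    print("verify wrong:  ", pbkdf2_verify("hunter3", record))
```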
A complete lack of any semblance of security coupled with the arrogance of someone who claims to have the aforementioned. If you are looking for some complex attack that resembles the scenes from the movie Swordfish, you are likely barking up the wrong tree, but considering Rob Monster with his email Rob(at)epik.com has been on credential stuffing lists since 2019 and according to the leaks he seems to favor a certain password across multiple sites, it would be my assessment that this hack began with a complete lack of digital hygiene. Don’t think anyone busted out a 200 GB hard drive of rainbow tables to penetrate someone who does not even adhere to the bare minimums in risk management; for the love of god, it could have been a 17 year old skid who just learned about Sherlock and put a simple wordlist together and performed a dictionary attack. Speculating as to how it happened is obfuscation from the bigger issue, which is: why was this data not in compliance with PCI DSS, GDPR, CCPA, and many more departures from best practices? Epik has a responsibility as a data owner to ensure the security and privacy of their customer base, as does anyone who does business in this arena. Spending your time looking for the how takes away the credit for who, and in this case the responsibility falls squarely on the shoulders of EPIK for not even having a bare minimum of risk management protocols in place to prevent such things from happening to begin with. Remind me how much salting took place on those MD5 hashes?
Also, who are you?
Namepros fan?
Hacker?
Etc..?
 
As a reminder, you do not have the right to be insulting or disrespectful here--the ability to post on NamePros is a privilege, not a right, and we will very quickly take it away if you're unprofessional or continue to steer the thread off-topic.


Didn't think I was. Ironically, just trying to defend "free speech".
 
Didn't think I was. Ironically, just trying to defend "free speech".

Presentation matters, and while we're granting temporary leniency for new members, we do expect you to present your opinions in a professional manner. If your statements would be inappropriate in a business meeting, then they're inappropriate here.

I'm aware we haven't caught everything--this thread tends to descend into a flame war the moment staff members look the other way--but we're not going to allow this thread to get too political, personal, or accusatory.
 
Presentation matters, and while we're granting temporary leniency for new members, we do expect you to present your opinions in a professional manner. If your statements would be inappropriate in a business meeting, then they're inappropriate here.

I'm aware we haven't caught everything--this thread tends to descend into a flame war the moment staff members look the other way--but we're not going to allow this thread to get too political, personal, or accusatory.

I understand, I will try to be kinder. To be clear, I am not political, I don't vote and certainly not for Mr Trump. My only concern in these things is defending free speech and protecting EVERYONE'S freedom of conscience.

The stated motivation for this hack is troubling to me and should be for everyone who cares about freedom of conscience.
 
Yeah, actually it does. That is the whole point of free speech in fact. People can express differing views without fear.

I believe Kirtaner means this in the same way as:
[image: free_speech_2x.png]

And he's quite right. If you, say, run Holocaust denial websites, the (U.S.) government is not going to put you in jail. But the real estate agency you work for might decide they no longer wish to work with you. That is not a violation of the first amendment.

Perhaps when you said that free speech does equate freedom from consequences, you mean that you think it should, and that's a whole other conversation. But at least at the current moment, there is nothing to prevent a private company from ceasing to employ you solely because you've said things they find heinous, or a forum from removing your ability to post, or whatever else.
 
I believe Kirtaner means this in the same way as:
[image: free_speech_2x.png]

And he's quite right. If you, say, run Holocaust denial websites, the (U.S.) government is not going to put you in jail. But the real estate agency you work for might decide they no longer wish to work with you. That is not a violation of the first amendment.

Perhaps when you said that free speech does equate freedom from consequences, you mean that you think it should, and that's a whole other conversation. But at least at the current moment, there is nothing to prevent a private company from ceasing to employ you solely because you've said things they find heinous, or a forum from removing your ability to post, or whatever else.


I agree with you actually, discrimination is an essential part of freedom of conscience, but don't forget it is a 2-way street and things get ugly when people abuse it.
 
I agree with you actually, discrimination is an essential part of freedom of conscience, but don't forget it is a 2-way street and things get ugly when people abuse it.
Keep in mind I am not American, we do not have the same concept of "free speech", prosecutions can and will happen due to "hate", and multiple affected groups in this breach are, in fact, terrorist organizations in my nation, treated in every way the same as, for example, ISIS. Proud Boys, etc, are terrorists here.

My work is in the domain of counter-extremism, my publicly known trail of examples being to stifle, contain, and end the damage caused by QAnon.

Consider my opinions and stance coloured by this fact, and try not to devolve into an intellectual debate on the merits of free speech. God bless.
 
You can blame Epik for poor management, lax security but not the breach. Epik was hacked by criminals because they hate Rob's politics.

Your statement makes no sense. There would be no breach if the security had been proper, so yes, you can blame Epik for the breach.
 
If I may clarify a couple of things. Blame in these situations is rarely singular. You are both applying blame to whatever fits your narrative. There is plenty of blame to go around…
1) Yes, Epik is guilty of bad network security.
2) Yes, Rob Monster is guilty of hosting sites that result in him being politically attacked.
3) Yes, the individual(s) who unlawfully intruded in a computer network are guilty as well.
It looks like you both win.
I hope that helps to support everyone's baseless claims.
 
Keep in mind I am not American, we do not have the same concept of "free speech", prosecutions can and will happen due to "hate", and multiple affected groups in this breach are, in fact, terrorist organizations in my nation, treated in every way the same as, for example, ISIS. Proud Boys, etc, are terrorists here.

My work is in the domain of counter-extremism, my publicly known trail of examples being to stifle, contain, and end the damage caused by QAnon.

Consider my opinions and stance coloured by this fact, and try not to devolve into an intellectual debate on the merits of free speech. God bless.

So you are helping your government convict people who participate in "hate" speech? Good to know. What percentage of anonymous do you think have been caught in some online crime and forced to work for feds?

The interesting thing about all these "hacks" is that the real criminals are never exposed for actual crimes. It really seems to just be about punishing actual dissidents and people with some emotional or mental health issues and making examples of them so others live in fear of the govt and keep their heads down and allow the ever encroaching tyranny from their countries without fighting back.

For example, gab was involved in real SEC fraud to the tune of millions of dollars, dealing in CP and illegal lolicon behind paywalls and even trying to get critics, ME, killed by some of their unstable fans, for real. Those things were all easy to prove with the access the hackers had but none of it came out. Why? Because Gab is a fed honeypot meant to incite and entrap people, as is epik, proudboys and Q.

Amazing, and encouraging, how few real crimes feds can solve they didn't create.
 
Good to see so much input here, from so many different perspectives.

I wonder how many people have stopped using Epik since the breach, I suspect the cost of moving away from Epik could be very high for some people, so they're probably very reluctant to move.
 
So you are helping your government convict people who participate in "hate" speech? Good to know. What percentage of anonymous do you think have been caught in some online crime and forced to work for feds?

As someone with a lot of experience in identifying, vetting and recruiting hackers for a number of intelligence services, I can answer the question to some degree.

The answer is "very few".

It's better to recruit hackers earlier, as soon as they've been identified as having the right skills.

Most people "want to do good", and that includes "black hats".
 
Good to see so much input here, from so many different perspectives.

I wonder how many people have stopped using Epik since the breach, I suspect the cost of moving away from Epik could be very high for some people, so they're probably very reluctant to move.

Yeah, that is true. If someone has hundreds or thousands of domains there, you are talking a minimum of around $9 per domain (.COM) to move them to another registrar. Some other extensions could be even more expensive.

Epik's user base seems to be basically domain investors and extreme elements. I am not sure how either group could really be comfortable with them going forward.

Many of the more extreme elements are having their connections unearthed. Connections they probably don't appreciate being made. You would think privacy would be their top concern.

Domain investors are getting lumped in with the extreme elements. Many domain investors probably have no clue about any of the drama with Epik, especially over the last few years.

Either way, how would you have confidence going forward with how Epik was handling their customers' private information?

A few pages back someone said a CC charge was rejected recently. Has any Epik customer had a successful charge in the last couple days? I am wondering if that is a one-off issue, or PCI compliance issue.

Brad
 
As someone with a lot of experience in identifying, vetting and recruiting hackers for a number of intelligence services, I can answer the question to some degree.

The answer is "very few".

It's better to recruit hackers earlier, as soon as they've been identified as having the right skills.

Most people "want to do good", and that includes "black hats".

So you are saying recruitment is more focused on identifying people with the skills who would agree with your version of "good" vs. coercion? I could see that being the case, but I am sure the velvet glove is also applied.
 