Epik Had A Major Breach

DaveX (@GoDaveX)
I've only taken a quick glance at the data so far, but here's some preliminary information:

The leak contains disk images from five different servers. This would be similar to if someone physically removed the drive from each server and cloned it in its entirety.

The five servers have the following hostnames, which is likely an indication of their origin and purpose. These were copied directly; any misspellings are in the original data.
  1. whmcs.cloudmin.wecandevelopit.com
  2. noshow.cloudmin.wecandevelopit.com
  3. registrar-staging.cloudmin.wecandevelopit.com
  4. remotecolnsole.cloudmin.wecandevelopit.com
  5. spynamesparser.cloudmin.wecandevelopit.com
Most of the images appear to have been taken in June, 2020, with the exception of noshow, which was taken in December, 2019. That makes this data older than that in the first leak. There's a good chance these were deliberate backups made by Epik.
 
Thanks. I like the name, https://wecandevelopit.com/

Apparently outsourced.
 
spynamesparser
What a good name.

A footer of Epik own whois:

All registrar data, including registrant WHOIS data, is provided for public, non-commercial use only. Any information made available by Epik Inc and its affiliate registrars shall not be collected, distributed or used for any commercial activity. Third parties agree not to use the data to allow, enable, or otherwise support any marketing activities, regardless of the medium used. Such media include but are not limited to e-mail, telephone, facsimile, postal mail, SMS, and wireless alerts.

(Partial) footer of GoDaddy whois:

This information is provided for the sole purpose of assisting you in obtaining information about domain name registration records. Any use of this data for any other purpose is expressly forbidden without the prior written permission of this registrar.
 
Just want to clarify something. I'm no tech guy.
After the first breach, Epik claimed it was a backup or something.
Then Anonymous modified a page in the FAQ/knowledge base section, showing they were still deep within Epik's system.
Is that correct?
@Paul @Kirtaner
 
Notwithstanding any issues regarding reputation, privacy, or finance (that damage is already done)

1) Are my DOMAINS (and my control over them) in any peril at all while they are still there?

2) Does this hack affect the current safety of Epik-registered domains?
 
After the first breach, epik claimed it was a backup or something.

That is correct, and I have no reason to doubt that claim. The second leak also appears to be a set of backups.

Then anonymous modified a page in the faq/knowledge base section

If I recall correctly, that happened before Epik even acknowledged the breach, but yes.

showing they were still deep within epik's system.

Maybe, maybe not. There's an awful lot of sensitive data here that likely could've been used to wreak havoc if the hackers were interested in doing so, and I doubt they would've had trouble compromising the live system based on what we're seeing. Whether they actually did so beyond the knowledgebase remains unknown.

I'm not aware of any conclusive evidence indicating they compromised the live system, but there are also plenty of credentials in the backups that probably could've been used to that effect.

Are my DOMAINS in any peril at all while they are still there?

Nobody can say for sure, but it doesn't look good. I would consider this a high-risk situation, but that's my opinion. It's difficult to quantify the risk because there's an information overload.

Does this hack affect the current safety of Epik-registered domains?

Yes. To what extent, nobody knows. It's entirely possible that nothing will happen.
 
1) Are my DOMAINS (and my control over them) in any peril at all while they are still there?

A possible scenario is that your DNS is adjusted and mail ends up in a different place. This is not immediately a problem for a parked domain, but it is if you use the domain for other business activities. This is just an example, where your domain is not stolen, but adjustments are made.
 
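The scenario in the post above (records quietly changed at the registrar so mail lands elsewhere, without the domain itself being stolen) is exactly the kind of drift a domain owner can watch for. The following is an added example, not code from the original thread or from any poster: it normalizes `dig +short` style answers for a domain's NS, MX and A records and diffs them against a saved baseline, rating NS changes as critical (someone else may now control the whole zone) and MX additions as high (mail interception). The domain names, IP address, baseline values and the `example` hostnames are constructed for illustration; `parse_dig_short`, `diff_records` and `severity` are hypothetical helper names, and the embedded sample answers stand in for the output of `dig +short example.com MX` that a scheduled job would feed in.

```python
"""Detect registrar-side DNS tampering by diffing live answers against a baseline."""

# Constructed baseline (assumption): the records the owner expects for example.com.
BASELINE = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "MX": {(10, "mail.example.com.")},
    "A": {"203.0.113.10"},
}


def _fqdn(name):
    """Normalize a hostname: lowercase and trailing dot, so ordering/case never cause false drift."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_dig_short(rtype, text):
    """Parse `dig +short <name> <rtype>` output into a normalized set.

    NS/CNAME answers become FQDNs; MX answers keep their priority as (prio, target);
    everything else (A, AAAA, TXT) is kept verbatim. Comment lines and blanks are ignored.
    """
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if rtype == "MX":
            prio, target = line.split(None, 1)
            records.add((int(prio), _fqdn(target)))
        elif rtype in ("NS", "CNAME"):
            records.add(_fqdn(line))
        else:
            records.add(line)
    return records


def diff_records(baseline, observed):
    """Return a list of (rtype, 'added'|'missing', value) findings; an empty list means no drift."""
    findings = []
    for rtype, expected in baseline.items():
        seen = observed.get(rtype, set())
        for value in sorted(seen - expected, key=str):
            findings.append((rtype, "added", value))
        for value in sorted(expected - seen, key=str):
            findings.append((rtype, "missing", value))
    return findings


def severity(findings):
    """NS drift means the zone may be served by someone else; MX drift means mail can be rerouted."""
    types = {rtype for rtype, _, _ in findings}
    if "NS" in types:
        return "critical"
    if "MX" in types:
        return "high"
    return "medium" if findings else "none"


# Constructed sample of tampered live answers: an extra MX with a lower (preferred) priority
# was added, so inbound mail would be delivered to the attacker's relay first.
SAMPLE_LIVE = {
    "NS": parse_dig_short("NS", "ns1.example-dns.net.\nns2.example-dns.net.\n"),
    "MX": parse_dig_short("MX", "10 mail.example.com.\n5 MX.ATTACKER-RELAY.EXAMPLE\n"),
    "A": parse_dig_short("A", "203.0.113.10\n"),
}


def check(baseline=BASELINE, live=SAMPLE_LIVE):
    """Run the comparison and return (severity, findings)."""
    findings = diff_records(baseline, live)
    return severity(findings), findings


if __name__ == "__main__":
    sev, found = check()
    print(f"severity: {sev}")
    for rtype, kind, value in found:
        print(f"  {rtype:5} {kind:8} {value}")
```

Run on a schedule against real `dig` output, the check catches the quiet-modification case the post describes: the domain still shows as yours, whois is unchanged, but a new preferred MX or a swapped nameserver shows up as drift within one polling interval instead of when customers start reporting lost mail.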
Interesting. So it looks like Vitaliy Opryshko was using his company in Montenegro to do dev and made a full backup of everything for them.

Does WHMCS have all the login details for hosting accounts?
 
Notwithstanding any issues regarding reputation, privacy, or finance (that damage is already done)

Are my DOMAINS in any peril at all while they are still there?

Does this hack affect the current safety of Epik-registered domains?
I think Epik doesn't know.
From what I understand, the new data could have been stolen earlier.
But what if they are still inside?
I think Epik really has no idea, thus the silence.

There's an awful lot of sensitive data here that likely could've been used to wreak havoc if the hackers were interested in doing so, and I doubt they would've had trouble compromising the live system based on what we're seeing. Whether they actually did so beyond the knowledgebase remains unknown.

I'm not aware of any conclusive evidence indicating they compromised the live system, but there are also plenty of credentials in the backups that probably could've been used to that effect.
And I don't see Anonymous having any mercy towards Epik.
The chances they played around with their system are pretty high.

If I recall correctly, that happened before Epik even acknowledged the breach, but yes.
Yes, you are right.

"We are not aware of any breach. We take the security of our clients' data extremely seriously, and we are investigating the allegation," an Epik representative told Ars.

"Hackers alter Epik's knowledge base to mock company's response
Anonymous also tampered with Epik's knowledge base to mock the company's denial of the breach."
 
We know sensitive, internal credentials were compromised for two reasons:
  1. The hackers released many of them.
  2. The hackers were able to impact a live system.
We also know that Epik has historically neglected security to an extreme degree, because that's evident in the code and data that was released.

What we don't know:
  1. Has Epik been able to lock down their infrastructure in the time since they became aware of the breach?
  2. Did the hackers opt to avoid compromising or interfering with live systems?
That means you have to trust one of two entities:
  1. Epik
  2. The hackers
If you are unable or unwilling to trust both of those entities, then you should assess the risk to your domains at Epik as being quite high even after you have rotated your passwords and other security information.
 
FWIW. Afternic's @Joe Styler already stated that they feel safe with their Escrow account at Epik. I'm still curious why they think so, maybe they've been in contact with Epik about the breach.

The spreadsheet indicated they had 338 domain names in their Escrow account at Epik at that moment.
 
Alternatively, the hackers may possibly provide an updated db or server leak showing actual current number of domains registered / managed, in a week or so.... Black humor, sorry.
The fundamental question Epik customers need to ask themselves is from what we already know about their security practices in the past and their response to this situation, can you trust them with your data in the future?

Brad
 
The fundamental question Epik customers need to ask themselves is from what we already know about their security practices in the past and their response to this situation, can you trust them with your data in the future?

Imo, the biggest challenge is that management, probably with the best of intentions, has trusted certain people to set up their infrastructure. And that infrastructure is not easy to change. They were all "very talented people", and I immediately believe that there were some very talented people working at the company, but NP discussion threads with the CEO revealed technical claims that simply could not be true, or indicated that management was too easily impressed. From now on, this will not only be a technical issue, but also an HR issue.
 
People have no sympathy.
Far right effect.
 
Dear Paul,

This is a note written to your highest self.

First of all, I want to acknowledge that NamePros as a community is fundamentally a force for good where industry participants have an opportunity to learn from each other and overcome challenges as they arise. I am thankful that it exists.

My reason for acquiring DNF earlier this year was not because I want to be in the forum business. I don't. Rather it was because of what I observed to be a systematic anti-Epik bias. This troubled me and the situation at NP did not improve.

As for the most recent hack incident, we are certainly learning from it. You likely heard that we secured significant investment funding. We have not announced the full extent of the hiring and acquisitions but suffice it to say, we have been upgrading.

Already before this investment, Epik was moving swiftly to bring new innovations to the industry. Although we are not without our blind spots or shortcomings, the progress of maturing as a company was well under way.

The hack incident is relatively understood. We know who did it, how they did it, and when they did it. We also have a pretty good idea of why they did it and for whose benefit.

As I review the latest NP thread, what I find most troubling is that you are actively participating in what looks to be a concerted effort to defame and undermine Epik. In all sincerity, and in the spirit of "love thy neighbor", this is not a good look for you.

Your name is Paul — the namesake of the man who was once Saul of Tarsus. Whoever named you likely had some awareness of Paul. It is a Biblical name. As Bible characters go, Paul is a personal favorite as he embodies the optimistic view on man's journey.

So, why am I telling you this? Because the choices you are making will have consequences.

Epik will not perish. Our compliance team is following best practices. Our insurance coverage is ample. Our team is solid. Our domains under management continues to grow. And lastly, and most importantly, because God is on the throne.

My encouragement to you is to view your current actions and choices through an eternal lens. If souls are eternal, as I am quite sure they are, then even a $1 million "Epik Fail" bounty would not be worth it if it factored materially in your eternal path.

Finally, as I believe there are many folks who are likely damning themselves with false testimony, I would encourage a time slot that allows forum thread commenters the opportunity to go back and redact any false testimony before it is memorialized for consequence.

Regards,
Rob

Edit:

My reply:
Have I made any incorrect statements of fact? If so, please enumerate them.

His response:
Paul,

This was not a legal letter. Perhaps you have decided to make it one but please know that the note I wrote was written to your eternal soul.

Regards,
Rob
 
Last edited:
Cool, more God stuff from Rob. People are far more concerned about the security issues.

The hack incident is relatively understood. We know who did it, how they did it, and when they did it. We also have a pretty good idea of why they did it and for whose benefit

When are customers (and third parties), whose data was breached, going to know?

Then of course you end with a thinly veiled threat.

Brad
 
@Rob Monster, my duty is, first and foremost, to the NamePros community. As a security professional, I am skilled in analyzing breaches and am qualified to offer my opinions on the matter. That is my job.

I fully understand that this is not an easy situation for you to be in, but I have an ethical responsibility to offer assistance when and where I can. If I have made any factual errors, you are free to offer evidence to the contrary.

Your customers, many of whom participate here, are scared and looking for guidance. Vague threats toward professionals who are attempting to help them is not a healthy component of incident response.
 
OK... well, imo, Paul, you have been nothing but forthcoming and have laid things out impartially. So I think I can say, thanks from all of us.

@Rob Monster not sure where this is coming from... seems a little odd even from you. You are about truth, and I think this is what Paul has been relaying. This at the very least should be a sort of common ground. Perhaps under duress things can be misunderstood, which is understandable under the circumstances.
 