Epik Had A Major Breach

Notwithstanding any issues regarding reputation, privacy, or finance (that damage is already done)

1) Are my DOMAINS (and my control over them) in any peril at all while they are still there?

2) Does this hack affect the current safety of Epik-registered domains?
 
•••
After the first breach, Epik claimed it was a backup or something.

That is correct, and I have no reason to doubt that claim. The second leak also appears to be a set of backups.

Then Anonymous modified a page in the FAQ/knowledge base section

If I recall correctly, that happened before Epik even acknowledged the breach, but yes.

showing they were still deep within epik's system.

Maybe, maybe not. There's an awful lot of sensitive data here that likely could've been used to wreak havoc if the hackers were interested in doing so, and I doubt they would've had trouble compromising the live system based on what we're seeing. Whether they actually did so beyond the knowledgebase remains unknown.

I'm not aware of any conclusive evidence indicating they compromised the live system, but there are also plenty of credentials in the backups that probably could've been used to that effect.

Are my DOMAINS in any peril at all while they are still there?

Nobody can say for sure, but it doesn't look good. I would consider this a high-risk situation, but that's my opinion. It's difficult to quantify the risk because there's an information overload.

Does this hack affect the current safety of Epik-registered domains?

Yes. To what extent, nobody knows. It's entirely possible that nothing will happen.
 
•••
1) Are my DOMAINS (and my control over them) in any peril at all while they are still there?

A possible scenario is that your DNS is adjusted and mail ends up in a different place. This is not immediately a problem for a parked domain, but it is if you use the domain for other business activities. This is just an example, where your domain is not stolen, but adjustments are made.
 
•••
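The scenario in the post above, a registrar-side change that quietly reroutes mail or traffic, is something a domain holder can check for without trusting the registrar's word. The following is an added example, not code from this thread, from Epik or from NamePros: it compares a known-good baseline of NS, MX and A records (recorded before the incident) against what the resolver publishes now and grades any drift by how much control an attacker would gain. The domain names, record values and the `mx.attacker.example` host are constructed sample data; the optional live lookup assumes the dnspython library is installed.

```python
"""Detect unauthorized DNS changes on domains held at a possibly compromised registrar.

Added example; not code from the NamePros thread or from Epik. It diffs a
known-good baseline of NS/MX/A records against the records currently
published and flags changes by severity. All domain names and record
values below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Record types worth watching and how bad a silent change to each would be.
# NS: attacker controls the whole zone.  MX: mail is rerouted (the scenario
# described in the post).  A: web traffic goes elsewhere.
SEVERITY = {"NS": "critical", "MX": "high", "A": "medium"}

RecordSet = Dict[str, Set[str]]  # rtype -> normalized values


def normalize(rtype: str, values) -> Set[str]:
    """Case-fold names and drop trailing dots/extra whitespace so that
    'mail.example.com.' and 'MAIL.example.com' compare equal. MX values
    keep their priority prefix, e.g. '10 mail.example.com'."""
    out = set()
    for v in values:
        v = " ".join(str(v).split())  # collapse whitespace
        if rtype in ("NS", "MX"):
            v = v.lower().rstrip(".")
        out.add(v)
    return out


@dataclass
class Finding:
    domain: str
    rtype: str
    severity: str
    added: Set[str]    # values present now but not in the baseline
    removed: Set[str]  # values in the baseline that have disappeared


def diff_domain(domain: str, baseline: RecordSet, current: RecordSet) -> List[Finding]:
    """Return one Finding per record type whose normalized set changed."""
    findings = []
    for rtype, sev in SEVERITY.items():
        base = normalize(rtype, baseline.get(rtype, ()))
        cur = normalize(rtype, current.get(rtype, ()))
        if base != cur:
            findings.append(Finding(domain, rtype, sev, cur - base, base - cur))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    order = ["none", "medium", "high", "critical"]
    return max((f.severity for f in findings), key=order.index, default="none")


def fetch_live(domain: str) -> RecordSet:
    """Optional live lookup. Assumes dnspython >= 2.0 (pip install dnspython);
    not used by the offline sample run below."""
    import dns.resolver
    result: RecordSet = {}
    for rtype in SEVERITY:
        try:
            result[rtype] = {r.to_text() for r in dns.resolver.resolve(domain, rtype)}
        except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
            result[rtype] = set()
    return result


# Constructed sample data: a baseline saved before the incident, and what the
# resolver returns today. example.net shows an extra, higher-priority MX that
# would receive its mail first; parked.example is unchanged.
BASELINE = {
    "example.net": {"NS": {"ns1.registrar.example.", "ns2.registrar.example."},
                    "MX": {"10 mail.example.net."}, "A": {"203.0.113.10"}},
    "parked.example": {"NS": {"ns1.registrar.example.", "ns2.registrar.example."},
                       "MX": set(), "A": {"203.0.113.20"}},
}
CURRENT = {
    "example.net": {"NS": {"NS1.registrar.example", "ns2.registrar.example"},
                    "MX": {"10 mail.example.net", "5 mx.attacker.example"},
                    "A": {"203.0.113.10"}},
    "parked.example": {"NS": {"ns1.registrar.example", "ns2.registrar.example"},
                       "MX": set(), "A": {"203.0.113.20"}},
}


def run_sample() -> Dict[str, List[Finding]]:
    return {d: diff_domain(d, BASELINE[d], CURRENT[d]) for d in BASELINE}


if __name__ == "__main__":
    for domain, findings in run_sample().items():
        print(f"{domain}: {worst_severity(findings)}")
        for f in findings:
            print(f"  {f.rtype} ({f.severity}) added={sorted(f.added)} removed={sorted(f.removed)}")
```

Run it from cron against a baseline you exported while the records were still known-good; the check is only as trustworthy as that baseline, so take it from your own records, not from the registrar's current control panel. Note that a new lower-numbered MX (higher priority) is the quiet version of the scenario: existing mail records are untouched, so a glance at the panel would show nothing missing.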
I've only taken a quick glance at the data so far, but here's some preliminary information:

The leak contains disk images from five different servers. This would be similar to if someone physically removed the drive from each server and cloned it in its entirety.

The five servers have the following hostnames, which is likely an indication of their origin and purpose. These were copied directly; any misspellings are in the original data.
  1. whmcs.cloudmin.wecandevelopit.com
  2. noshow.cloudmin.wecandevelopit.com
  3. registrar-staging.cloudmin.wecandevelopit.com
  4. remotecolnsole.cloudmin.wecandevelopit.com
  5. spynamesparser.cloudmin.wecandevelopit.com
Most of the images appear to have been taken in June, 2020, with the exception of noshow, which was taken in December, 2019. That makes this data older than that in the first leak. There's a good chance these were deliberate backups made by Epik.

Interesting. So it looks like Vitaliy Opryshko was using his company in Montenegro to do dev and made a full backup of everything for them.

Does whmcs have all the login details for hosting accounts?
 
•••
Notwithstanding any issues regarding reputation, privacy, or finance (that damage is already done)

Are my DOMAINS in any peril at all while they are still there?

Does this hack affect the current safety of Epik-registered domains?
I think Epik doesn't know.
From what I understand, the new data could have been stolen earlier.
But what if they are still inside?
I think Epik really has no idea, thus the silence.

There's an awful lot of sensitive data here that likely could've been used to wreak havoc if the hackers were interested in doing so, and I doubt they would've had trouble compromising the live system based on what we're seeing. Whether they actually did so beyond the knowledgebase remains unknown.

I'm not aware of any conclusive evidence indicating they compromised the live system, but there are also plenty of credentials in the backups that probably could've been used to that effect.
And I don't see Anonymous having any mercy towards Epik.
Chances they played around with their system are pretty high.

If I recall correctly, that happened before Epik even acknowledged the breach, but yes.
Yes, you are right.

"We are not aware of any breach. We take the security of our clients' data extremely seriously, and we are investigating the allegation," an Epik representative told Ars.

"Hackers alter Epik’s knowledge base to mock company’s response
Anonymous also tampered with Epik's knowledge base to mock the company's denial of the breach."
 
•••
We know sensitive, internal credentials were compromised for two reasons:
  1. The hackers released many of them.
  2. The hackers were able to impact a live system.
We also know that Epik has historically neglected security to an extreme degree, because that's evident in the code and data that was released.

What we don't know:
  1. Has Epik been able to lock down their infrastructure in the time since they became aware of the breach?
  2. Did the hackers opt to avoid compromising or interfering with live systems?
That means you have to trust one of two entities:
  1. Epik
  2. The hackers
If you are unable or unwilling to trust both of those entities, then you should assess the risk to your domains at Epik as being quite high even after you have rotated your passwords and other security information.
 
•••
We know sensitive, internal credentials were compromised for two reasons:
  1. The hackers released many of them.
  2. The hackers were able to impact a live system.
We also know that Epik has historically neglected security to an extreme degree, because that's evident in the code and data that was released.

What we don't know:
  1. Has Epik been able to lock down their infrastructure in the time since they became aware of the breach?
  2. Did the hackers opt to avoid compromising or interfering with live systems?
That means you have to trust one of two entities:
  1. Epik
  2. The hackers
If you are unable or unwilling to trust both of those entities, then you should assess the risk to your domains at Epik as being quite high even after you have rotated your passwords and other security information.

FWIW. Afternic's @Joe Styler already stated that they feel safe with their Escrow account at Epik. I'm still curious why they think so, maybe they've been in contact with Epik about the breach.

The spreadsheet indicated they had 338 domain names in their Escrow account at Epik at that moment.
 
•••
Alternatively, the hackers may possibly provide an updated db or server leak showing actual current number of domains registered / managed, in a week or so.... Black humor, sorry.
We know sensitive, internal credentials were compromised for two reasons:
  1. The hackers released many of them.
  2. The hackers were able to impact a live system.
We also know that Epik has historically neglected security to an extreme degree, because that's evident in the code and data that was released.

What we don't know:
  1. Has Epik been able to lock down their infrastructure in the time since they became aware of the breach?
  2. Did the hackers opt to avoid compromising or interfering with live systems?
That means you have to trust one of two entities:
  1. Epik
  2. The hackers
If you are unable or unwilling to trust both of those entities, then you should assess the risk to your domains at Epik as being quite high even after you have rotated your passwords and other security information.

The fundamental question Epik customers need to ask themselves is from what we already know about their security practices in the past and their response to this situation, can you trust them with your data in the future?

Brad
 
•••
The fundamental question Epik customers need to ask themselves is from what we already know about their security practices in the past and their response to this situation, can you trust them with your data in the future?

IMO, the biggest challenge is that management, probably with the best of intentions, has trusted certain people to set up their infrastructure. And that infrastructure is not easy to change. They were all "very talented people", and I immediately believe that there were some very talented people working at the company, but NP discussion threads with the CEO revealed technical claims that simply could not be true, or indicated that management was too easily impressed. From now on, this will not only be a technical issue, but also an HR issue.
 
•••
People have no sympathy.
Far right effect.

•••
Dear Paul,

This is a note written to your highest self.

First of all, I want to acknowledge that NamePros as a community is fundamentally a force for good where industry participants have an opportunity to learn from each other and overcome challenges as they arise. I am thankful that it exists.

My reason for acquiring DNF earlier this year was not because I want to be in the forum business. I don’t. Rather it was because of what I observed to be a systematic anti-Epik bias. This troubled me and the situation at NP did not improve.

As for the most recent hack incident, we are certainly learning from it. You likely heard that we secured significant investment funding. We have not announced the full extent of the hiring and acquisitions but suffice it to say, we have been upgrading.

Already before this investment, Epik was moving swiftly to bring new innovations to the industry. Although we are not without our blind spots or shortcomings, the progress of maturing as a company was well under way.

The hack incident is relatively understood. We know who did it, how they did it, and when they did it. We also have a pretty good idea of why they did it and for whose benefit.

As I review the latest NP thread, what I find most troubling is that you are actively participating in what looks to be a concerted effort to defame and undermine Epik. In all sincerity, and in the spirit of “love thy neighbor”, this is not a good look for you.

Your name is Paul — the namesake of the man who was once Saul of Tarsus. Whoever named you likely had some awareness of Paul. It is a Biblical name. As Bible characters go, Paul is a personal favorite as he embodies the optimistic view on man’s journey.

So, why am I telling you this? Because the choices you are making will have consequences.

Epik will not perish. Our compliance team is following best practices. Our insurance coverage is ample. Our team is solid. Our domains under management continues to grow. And lastly, and most importantly, because God is on the throne.

My encouragement to you is to view your current actions and choices through an eternal lens. If souls are eternal, as I am quite sure they are, then even a $1 million “Epik Fail” bounty would not be worth it if it factored materially in your eternal path.

Finally, as I believe there are many folks who are likely damning themselves with false testimony, I would encourage a time slot that allows forum thread commenters the opportunity to go back and redact any false testimony before it is memorialized for consequence.

Regards,
Rob

Edit:

My reply:
Have I made any incorrect statements of fact? If so, please enumerate them.

His response:
Paul,

This was not a legal letter. Perhaps you have decided to make it one but please know that the note I wrote was written to your eternal soul.

Regards,
Rob
 
•••
Dear Paul,

This is a note written to your highest self.

First of all, I want to acknowledge that NamePros as a community is fundamentally a force for good where industry participants have an opportunity to learn from each other and overcome challenges as they arise. I am thankful that it exists.

My reason for acquiring DNF earlier this year was not because I want to be in the forum business. I don’t. Rather it was because of what I observed to be a systematic anti-Epik bias. This troubled me and the situation at NP did not improve.

As for the most recent hack incident, we are certainly learning from it. You likely heard that we secured significant investment funding. We have not announced the full extent of the hiring and acquisitions but suffice it to say, we have been upgrading.

Already before this investment, Epik was moving swiftly to bring new innovations to the industry. Although we are not without our blind spots or shortcomings, the progress of maturing as a company was well under way.

The hack incident is relatively understood. We know who did it, how they did it, and when they did it. We also have a pretty good idea of why they did it and for whose benefit.

As I review the latest NP thread, what I find most troubling is that you are actively participating in what looks to be a concerted effort to defame and undermine Epik. In all sincerity, and in the spirit of “love thy neighbor”, this is not a good look for you.

Your name is Paul — the namesake of the man who was once Saul of Tarsus. Whoever named you likely had some awareness of Paul. It is a Biblical name. As Bible characters go, Paul is a personal favorite as he embodies the optimistic view on man’s journey.

So, why am I telling you this? Because the choices you are making will have consequences.

Epik will not perish. Our compliance team is following best practices. Our insurance coverage is ample. Our team is solid. Our domains under management continues to grow. And lastly, and most importantly, because God is on the throne.

My encouragement to you is to view your current actions and choices through an eternal lens. If souls are eternal, as I am quite sure they are, then even a $1 million “Epik Fail” bounty would not be worth it if it factored materially in your eternal path.

Finally, as I believe there are many folks who are likely damning themselves with false testimony, I would encourage a time slot that allows forum thread commenters the opportunity to go back and redact any false testimony before it is memorialized for consequence.

Regards,
Rob

Cool, more God stuff from Rob. People are far more concerned about the security issues.

The hack incident is relatively understood. We know who did it, how they did it, and when they did it. We also have a pretty good idea of why they did it and for whose benefit.

When are customers (and third parties), whose data was breached, going to know?

Then of course you end with a thinly veiled threat.

Brad
 
•••
@Rob Monster, my duty is, first and foremost, to the NamePros community. As a security professional, I am skilled in analyzing breaches and am qualified to offer my opinions on the matter. That is my job.

I fully understand that this is not an easy situation for you to be in, but I have an ethical responsibility to offer assistance when and where I can. If I have made any factual errors, you are free to offer evidence to the contrary.

Your customers, many of whom participate here, are scared and looking for guidance. Vague threats toward professionals who are attempting to help them is not a healthy component of incident response.
 
•••
OK... well, IMO, Paul, you have been nothing but forthcoming and have laid things out impartially. So I think I can say thanks from all of us.

@Rob Monster not sure where this is coming from.. seems a little odd even from you. You are about truth, and I think this is what Paul has been relaying. This at the very least should be a sort of common ground. Perhaps under duress things can be misunderstood, which, is understandable under the circumstances.
 
•••
He is going to set the investor money on fire trying to sue forum moderators. Absolute GOON of a CEO.
 
•••
If I have made any factual errors, you are free to offer evidence to the contrary.

I would offer the same to @Rob Monster. My opinions are my opinions.

If I have made any factual errors in posting, please feel free to point them out and I will be happy to correct them.

Thanks,
Brad
 
•••
You didn't make any factual errors, you made fun of the fact that he put a curse on the data too many times.
 
•••
The first law of holes, or the law of holes, is an adage which states: "if you find yourself in a hole, stop digging". Digging a hole makes it deeper and therefore harder to get out of, which is used as a metaphor that when in an untenable position, it is best to stop making the situation worse.
 
•••
An important part of this discussion thread started with responses to Rob Monster's hour-long video meeting at a time when there was an urgent need for clarification on this forum. Rob indicated in this video meeting that his lawyer had advised him against doing so, but that he nevertheless went ahead with it. Almost all authoritative media have written extensively about the incidents, and these media reports are reflected in this thread. Have all these media also received a letter? At key moments, Rob Monster's input was explicitly requested to give him the opportunity to tell his side of the story. I'm surprised that such a message is now being addressed to NamePros.

https://blog.mollywhite.net/monster-qa/
 
•••
An important part of this discussion thread started with responses to Rob Monster's hour-long video meeting at a time when there was an urgent need for clarification on this forum. Rob indicated in this video meeting that his lawyer had advised him against doing so, but that he nevertheless went ahead with it. Almost all authoritative media have written extensively about the incidents, and these media reports are reflected in this thread. Have all these media also received a letter? At key moments, Rob Monster's input was explicitly requested to give him the opportunity to tell his side of the story. I'm surprised that such a message is now being addressed to NamePros.

https://blog.mollywhite.net/monster-qa/

It probably won't be long until this letter from Rob is being shared on Twitter.

You take time out of your day to send a letter like this, but not issue a further update on the data breach itself? It is a really bad look IMO.

Brad
 
•••
@Rob Monster, your hypocrisy is quite demonstrative. You have damned yourself by attacking perceived competitors to lure their customers to your business (without provocation), you have courted openly and given safe haven to those that declare their hatred for marginalized groups, you have spread unsupported conspiracy theories in support of those who mass murder, you have threatened individuals on this forum. To invoke God as often as you do will not give you his protection. A loving God does not look too kindly on such behavior.
 
•••
So, why am I telling you this? Because the choices you are making will have consequences.

Doesn't sound veiled at all.

The first law of holes, or the law of holes, is an adage which states: "if you find yourself in a hole, stop digging". Digging a hole makes it deeper and therefore harder to get out of, which is used as a metaphor that when in an untenable position, it is best to stop making the situation worse.

And the Golden Shovel Award goes to...
May I have the envelope please.....

Peace,
Kenny
 
•••
You didn't make any factual errors, you made fun of the fact that he put a curse on the data too many times.

I'm fairly certain I haven't even done that. I've been sticking to facts and analyses that are pertinent to domainers. It's normal for people who find themselves in Rob's situation to make statements that aren't ideal. There are plenty of other people pointing it out to him; there's no reason for me to join that crowd.

What I will not tolerate are vague threats toward people attempting to respond to the situation as best they can with the information at hand and assist others in doing the same. That is blatantly detrimental to his customers.
 