alert Epik Had A Major Breach


Silentptnr

The views expressed on this page by users and staff are their own, not those of NamePros.
Unlike most of us (myself included), @Paul is selecting what to write or recommend extremely carefully. His opinions are unbiased:

It's entirely possible that nothing will happen.

It is what one should expect from a security professional.

Thank you Paul.

It is possible that there is a good number of incorrect suggestions or allegations inside this 80+ pages thread. It is up to Epik to step in and provide an update, including explanation as to "who did it, how they did it, and when they did it".
 
•••
I'm fairly certain I haven't even done that. I've been sticking to facts and analyses that are pertinent to domainers. It's normal for people who find themselves in Rob's situation to make statements that aren't ideal. There are plenty of other people pointing it out to him; there's no reason for me to join that crowd.

What I will not tolerate are vague threats toward people attempting to respond to the situation as best they can with the information at hand and assist others in doing the same. That is blatantly detrimental to his customers.

I find it rather ironic for a supposed "free speech" champion to send such a letter.

What is the point exactly? It sure seems like it would be to shut down dissent via the implied threat of legal action.

Anything I have posted has been in good faith, with the information I have available at the time. Again, if you bring evidence to me that something I posted is factually incorrect, I would be more than happy to fix it.

Also, the news of this has been spread far more on Twitter than NamePros. On Twitter it can be worse as many people simply don't understand how the domain world works and can make false connections. I wonder if Twitter got the same letter?

Brad
 
•••
I wasn't going to post the reply I sent, but Rob responded, and in the interest of ensuring I don't misrepresent him, I'll be editing the original post to include my reply and his response.
 
•••
I wasn't going to post the reply I sent, but Rob responded, and in the interest of ensuring I don't misrepresent him, I'll be editing the original post to include my reply and his response.

Paul,

This was not a legal letter. Perhaps you have decided to make it one but please know that the note I wrote was written to your eternal soul.

Regards,
Rob

The letter ends with the following... How is it not a legal letter?

So, why am I telling you this? Because the choices you are making will have consequences.

Epik will not perish. Our compliance team is following best practices. Our insurance coverage is ample. Our team is solid. Our domains under management continues to grow. And lastly, and most importantly, because God is on the throne.

My encouragement to you is to view your current actions and choices through an eternal lens. If souls are eternal, as I am quite sure they are, then even a $1 million “Epik Fail” bounty would not be worth it if it factored materially in your eternal path.

Finally, as I believe there are many folks who are likely damning themselves with false testimony, I would encourage a time slot that allows forum thread commenters the opportunity to go back and redact any false testimony before it is memorialized for consequence.

Regards,
Rob

I am pretty sure any reasonable person would come to the same conclusion about what is being implied / directly said there.

CC:YourEternalSoul

Brad
 
•••
That means you have to trust one of two entities:
  1. Epik
  2. The hackers
If you are unable or unwilling to trust both of those entities, then you should assess the risk to your domains at Epik as being quite high even after you have rotated your passwords and other security information.

As a security professional you should know better than to make such a general statement.

We don’t need to make everyone panic and become overly anxious about their domains needlessly for the fact that as you are aware when it comes to domainers perhaps less than 5 percent of the domains in most portfolios are of such value and quality that might require the level of security that you like to see.

The majority of the domains in any given portfolio are of average value and quality which really no one (not even the hackers) is going to go through the trouble to take.

Most of the whales* who were attracted to Epik for their special prices probably have had better arrangements for their ultra premium domains because one has to be a fool to transfer around those kind of domains to save a few dollars on renewals. (* Whales are those with very large portfolios).

As far as the innocent business clients go who have a domain or two that they use for their websites it seems that the hackers have taken some precautions to keep those people safe and anyone else who might gain access to their info is probably not going to mess with them as interfering with other people’s business is a major crime.

So that leaves only the fringe and extremist groups who most likely will still continue using Epik either because of their loyalties or the fact that they have nowhere else to go.

So in my opinion domainers should not worry as much about losing their domains because the majority of those domains are not worth the trouble for anyone to try to take. Although it’s probably a good idea for everyone to increase the level of security for the few super premium domains that they might have and not to move them around every time there is a special on renewals at some registrars.

So it seems that most people should worry more about losing their personal info than losing any domains.

This hack (rightfully or wrongfully *) has been more about exposing information regarding some of the far right groups rather than trying to take anyone’s domains.

* The only way that the hackers can justify their actions as being hacktivists is if they also expose some of the shortcomings and injustices in the far left, otherwise they are just being used as political tools and pawns by those who want to bring down their opposition in any which way that they can.

Disclaimer: I am not associated or affiliated with anyone. These are my opinions as a neutral and impartial observer.

IMO
 
•••
As a security professional you should know better than to make such a general statement.

We don’t need to make everyone panic and become overly anxious about their domains needlessly for the fact that as you are aware when it comes to domainers perhaps less than 5 percent of the domains in most portfolios are of such value and quality that might require the level of security that you like to see.

The majority of the domains in any given portfolio are of average value and quality which really no one (not even the hackers) is going to go through the trouble to take.

I don't really need to go on from there. I don't think you really understand the magnitude of this data breach.

From all reports it is almost an unprecedented event. Security and IT experts have discussed the terrible security protocols and measures being employed by Epik.

Rob takes time to send that letter to Paul, but issues no further update on the data breach which he said the following about in the same letter -

The hack incident is relatively understood. We know who did it, how they did it, and when they did it. We also have a pretty good idea of why they did it and for whose benefit

Brad
 
•••
So in my opinion domainers should not worry as much about losing their domains because the majority of those domains are not worth the trouble for anyone to try to take.

That is a pretty fucked up take in my view.

It is their property regardless of perceived value.

Brad
 
•••
Rob takes time to send that letter to Paul, but issues no further update on the data breach which he said the following about in the same letter

That's disturbing.

Epik really likes to use this forum for their business goals, always. The other forum that Rob talks about hardly criticizes Epik. In fact, hardly anything is said about this incident. It's a quiet place, but with a lot of freedom.

Rob to WIPO:

"However, if we lose this complaint, we will take care to critique the outcome in the public theater."

"Thanks -- they were absolutely warned. The topic of WIPO overreach desperately needs to be exposed and they gave me a license to do exactly that. I literally told them: Here's a trap. I recommend you not step in it. If you step in it, we'll share it with the world."


Robert Davis (SVP of Strategy and Communications) to PayPal:

"As a clear public measurement, Epik was recognized in March as the worldwide “2020 Registrar of the Year”, outpolling GoDaddy nearly 2:1 in a survey of over 900 domain industry professionals and technology peers."

Epik website:

"Epik recognized as Best registrar worldwide in the NamePros 2020 Annual Industry Vote."

Source: www.epik.com, frontpage.​
 
•••
"Epik recognized as Best registrar worldwide in the NamePros 2020 Annual Industry Vote."

Source: www.epik.com, frontpage.​

They sure like flogging that in marketing. :)

The poll where they beat Dynadot by less than the margin of Epik employees on NamePros?
https://www.namepros.com/threads/do...gistrar-in-the-business-2020-edition.1179681/

Something must have happened between that poll in March, and the end of the year poll -
https://www.namepros.com/threads/best-favorite-registrar-end-of-year-poll.1219904

Dynadot won handily in that poll.

Brad
 
•••
Nine words we need to hear here:

We screwed up,
and are going to fix this.

Taking ownership, regardless of the intent of the breach and the backlash thereof. A solid customer base + assurances to restore order, even if it means rebuilding from the ground up, can ensure continuity in the face of chaos. Proclaiming accolades during this is actually detrimental. Pride has to take a backseat to repair.
 
•••
As a security professional you should know better than to make such a general statement.

We don’t need to make everyone panic and become overly anxious about their domains needlessly for the fact that as you are aware when it comes to domainers perhaps less than 5 percent of the domains in most portfolios are of such value and quality that might require the level of security that you like to see.

The majority of the domains in any given portfolio are of average value and quality which really no one (not even the hackers) is going to go through the trouble to take.

Most of the whales* who were attracted to Epik for their special prices probably have had better arrangements for their ultra premium domains because one has to be a fool to transfer around those kind of domains to save a few dollars on renewals. (* Whales are those with very large portfolios).

As far as the innocent business clients go who have a domain or two that they use for their websites it seems that the hackers have taken some precautions to keep those people safe and anyone else who might gain access to their info is probably not going to mess with them as interfering with other people’s business is a major crime.

So that leaves only the fringe and extremist groups who most likely will still continue using Epik either because of their loyalties or the fact that they have nowhere else to go.

So in my opinion domainers should not worry as much about losing their domains because the majority of those domains are not worth the trouble for anyone to try to take. Although it’s probably a good idea for everyone to increase the level of security for the few super premium domains that they might have and not to move them around every time there is a special on renewals at some registrars.

So it seems that most people should worry more about losing their personal info than losing any domains.

This hack (rightfully or wrongfully *) has been more about exposing information regarding some of the far right groups rather than trying to take anyone’s domains.

* The only way that the hackers can justify their actions as being hacktivists is if they also expose some of the shortcomings and injustices in the far left, otherwise they are just being used as political tools and pawns by those who want to bring down their opposition in any which way that they can.

Disclaimer: I am not associated or affiliated with anyone. These are my opinions as a neutral and impartial observer.

IMO

@oldtimer, you're missing the point. Yes, in this particular case the most targeted are extremist players and those that made poor decisions by registering domains in the same vein. Even though they may have allowed those domains to drop, the invoices are still in the database.

You also seem to try hard to minimize this. The big picture is, if someone can do a hack of this scope, it puts a target on the registrar for others to do the same, with evil intentions.
 
•••
I'd just like to make a comment about the way this forum is run if I may.

I'm very impressed by the way this thread has been handled, it has been very fair, balanced and well-moderated. Kudos to the owners, it's nice to see, well done!

We're all learning something here and it's very helpful, thank you.
 
•••
@Rob Monster, my duty is, first and foremost, to the NamePros community. As a security professional, I am skilled in analyzing breaches and am qualified to offer my opinions on the matter. That is my job.

I fully understand that this is not an easy situation for you to be in, but I have an ethical responsibility to offer assistance when and where I can. If I have made any factual errors, you are free to offer evidence to the contrary.

Your customers, many of whom participate here, are scared and looking for guidance. Vague threats toward professionals who are attempting to help them is not a healthy component of incident response.
^^^^^^^^^^This^^^^^^^^^^

I don’t know Paul, I don’t even know NamePros that well, but this is much better than a four hour long narcissistic rant. Epik has a responsibility as a data owner to protect the data they are stewards of. Epik customers have a right to know how a company uses and stores their data. I will admit, I showed up for the trolling, but I am sticking around for the insight. I am not going to walk people through this with kid gloves on, because you all have Google; if you are unsure of something, educate yourself on it so you don’t find yourself in this situation, and if you don’t have time to educate yourself, hire a competent person to explain to you how this fallout could affect your domains.

By Paul’s response he is demonstrating that he understands the situation. He seems to want to assist people in their time of panic; as for his motivation to do so, only he is capable of answering that, but his response demonstrates that at least there is a competent individual that understands incident response that is willing to engage in a rational discourse with not only his customers, but Epik customers as well. My personal assessment of this breach is that it is a catastrophic failure of a company to provide its users with the bare minimum of privacy protection. That is an opinion based off of 20 years of preventing the collection and dissemination of sensitive information on multiple fronts. Take it with a grain of salt.
 
•••
Unlike most of us (myself included), @Paul is selecting what to write or recommend extremely carefully.

Yes. Added to that @Paul has personally reported a potential vulnerability to Rob in private, before all this started.
 
•••
I'm fairly certain I haven't even done that. I've been sticking to facts and analyses that are pertinent to domainers. It's normal for people who find themselves in Rob's situation to make statements that aren't ideal. There are plenty of other people pointing it out to him; there's no reason for me to join that crowd.

What I will not tolerate are vague threats toward people attempting to respond to the situation as best they can with the information at hand and assist others in doing the same. That is blatantly detrimental to his customers.
Besides "swinging for the fences" and "making lemonade", bullying and taking cheap shots at anyone who gets vocal or makes strong arguments about Epik is what he does.
All in an attempt to silence through intimidation/destabilization.

Dismiss.
Keep going.
Peacefully.
 
•••
No news from Epik?
So did anybody at Epik going to jail or sue?

How is business now?

I don't think Epik will last long....sooner than later...out of business
 
•••
Yes. Added to that @Paul has personally reported a potential vulnerability to Rob in private, before all this started.
Persistence is a reoccurring theme in my line of work.
 
•••
As a security professional you should know better than to make such a general statement.

We don’t need to make everyone panic and become overly anxious about their domains needlessly for the fact that as you are aware when it comes to domainers perhaps less than 5 percent of the domains in most portfolios are of such value and quality that might require the level of security that you like to see.

The majority of the domains in any given portfolio are of average value and quality which really no one (not even the hackers) is going to go through the trouble to take.

Most of the whales* who were attracted to Epik for their special prices probably have had better arrangements for their ultra premium domains because one has to be a fool to transfer around those kind of domains to save a few dollars on renewals. (* Whales are those with very large portfolios).

As far as the innocent business clients go who have a domain or two that they use for their websites it seems that the hackers have taken some precautions to keep those people safe and anyone else who might gain access to their info is probably not going to mess with them as interfering with other people’s business is a major crime.

So that leaves only the fringe and extremist groups who most likely will still continue using Epik either because of their loyalties or the fact that they have nowhere else to go.

So in my opinion domainers should not worry as much about losing their domains because the majority of those domains are not worth the trouble for anyone to try to take. Although it’s probably a good idea for everyone to increase the level of security for the few super premium domains that they might have and not to move them around every time there is a special on renewals at some registrars.

So it seems that most people should worry more about losing their personal info than losing any domains.

This hack (rightfully or wrongfully *) has been more about exposing information regarding some of the far right groups rather than trying to take anyone’s domains.

* The only way that the hackers can justify their actions as being hacktivists is if they also expose some of the shortcomings and injustices in the far left, otherwise they are just being used as political tools and pawns by those who want to bring down their opposition in any which way that they can.

Disclaimer: I am not associated or affiliated with anyone. These are my opinions as a neutral and impartial observer.

IMO

Let me ask you this, since you think people shouldn't worry too much. Do you think E will survive this as a registrar? Will they be able to come back from this? Don't mind the leaked PII, sales data, CC records, whatever. If E goes down, having a big portfolio over there is gonna hurt your business. If using E is part of your 'business model' you will be suffering. I already noticed some small portfolio holders having a hard time because of this, unloading, transferring....

So much for creating abundance.
 
•••
These are the 7 principles of the GDPR
  • Lawfulness, fairness and transparency.
  • Purpose limitation.
  • Data minimisation.
  • Accuracy.
  • Storage limitation.
  • Integrity and confidentiality (security)
  • Accountability.
 
•••
Most security professionals know about the CIA triad
Confidentiality
Integrity
Accountability
 
•••
I really think that with all new developments, new data breach notifications have to be prepared for all relevant states.
 
•••
I wonder what will happen to Epik's "Forever Domains" they offered as a "guarantee", if for whatever reason they fail as a company in the long run...
 
•••