alert Epik Had A Major Breach

[DaveX]

Just read this. Looks like Epik may have been hacked and sensitive data compromised...

Read here:
https://domainnamewire.com/2021/09/14/hackers-claim-significant-epik-breach/

Thought I would share this.

 

[DN Playbook]

As a security professional you should know better to make such a general statement.

We don’t need to make everyone panic and become overly anxious about their domains needlessly for the fact that as you are aware when it comes to domainers perhaps less than 5 percent of the domains in most portfolios are of such value and quality that might require the level of security that you like to see.

The majority of the domains in any given portfolio are of average value and quality which really no one (not even the hackers) is going to go through the trouble to take.

Most of the whales* who were attracted to Epik for their special prices probably have had better arrangements for their ultra premium domains because one has to be a fool to transfer around those kind of domains to save a few dollars on renewals. (* Whales are those with very large portfolios).

As far as the innocent business clients go who have a domain or two that they use for their websites it seems that the hackers have taken some precautions to keep those people safe and anyone else who might gain access to their info is probably is not going to mess with them as interfering with other people’s business is a major crime.

So that leaves only the fringe and extremist groups who most likely will still continue using Epik either because of their loyalties or the fact that they have no where else to go.

So In my opinion domainers should not worry as much about losing their domains because the majority of those domains are not worth the trouble for anyone to try to take. Although it’s probably a good idea for everyone to increase the level of security for the few super premium domains that they might have and not to move them around every time there is a special on renewals at some registrars.

So it seems that most people should worry more about losing their personal info than losing any domains.

This hack (rightfully or wrongfully *) has been more about exposing information regarding some of the far right groups rather than trying to take anyone’s domains.

* The only way that the hackers can justify their actions as being hacktivists is if they also expose some of the shortcomings and injustices in the far left, otherwise they are just being used as political tools and pawns by those who want to bring down their opposition in any which way that they can.

Disclaimer: I am not associated or affiliated with anyone. These are my opinions as a neutral and impartial observer.

IMO

@oldtimer, you're missing the point. Yes, in this particular case the most targeted are extremist players and those that made poor decisions by registering domains in the same vein. Even though they may have allowed those domains to drop, the invoices are still in the database.

You also seem to try hard to minimize this. The big picture is, if someone can do a hack of this scope, it puts a target on the registrar for others to do the same, with evil intentions.

 

[Mr. Glomar]

I'd just like to make a comment about the way this forum is run if I may.

I'm very impressed by the way this thread has been handled, it has been very fair, balanced and well-moderated. Kudos to the owners, it's nice to see, well done!

We're all learning something here and it's very helpful, thank you.

 

[bmugford]

https://twitter.com/x/status/1443644766378471424

https://twitter.com/x/status/1443646150179966977

 

[Evil.dll]

@Rob Monster, my duty is, first and foremost, to the NamePros community. As a security professional, I am skilled in analyzing breaches and am qualified to offer my opinions on the matter. That is my job.

I fully understand that this is not an easy situation for you to be in, but I have an ethical responsibility to offer assistance when and where I can. If I have made any factual errors, you are free to offer evidence to the contrary.

Your customers, many of whom participate here, are scared and looking for guidance. Vague threats toward professionals who are attempting to help them is not a healthy component of incident response.

^^^^^^^^^^This^^^^^^^^^^ I don’t know Paul, I don’t even know namepros that well, but this is much better than a four hour long narcissistic rant. Epik has a responsibility as a data owner to protect the data they are stewards of. Epik customers have a right to know how a company uses and stores their data. I will admit, I showed up for the trolling, but I am sticking around for the insight. I am not going to walk people through this with kid gloves on, because you all have google, if you are unsure of something, educate yourself on it so you don’t find yourself in this situation, if you don’t have time to educate yourself hire a competent person to explain to you how this fallout could affect your domains. By Paul’s response he is demonstrating that he understands the situation, he seems to want to assist people in their time of panic, as for his motivation to do so, only he is capable of answering that, but his response demonstrates that at least there is a competent individual that understands Incident response that is willing to engage in a rational discourse with not only his customers, but Epik customers as well. My personal assessment of this breach is that it is a catastrophic failure of a company to provide it’s users with the bare minimum of privacy protection. That is an opinion based off of 20 years of preventing the collection and dissemination of sensitive information on multiple fronts. Take it with a grain of salt.

 

[Future Sensors]

Unlike most of us (myself including), @Paul is selecting what to write or recommend extremely carefully.

Yes. Added to that @Paul has personally reported a potential vulnerability to Rob in private, before all this started.

 

[Future Sensors]

Take it with a grain of salt.

I still like this repeated advice and think you're an asset in every kitchen.

 

[Windoms]

I'm fairly certain I haven't even done that. I've been sticking to facts and analyses that are pertinent to domainers. It's normal for people who find themselves in Rob's situation to make statements that aren't ideal. There are plenty of other people pointing it out to him; there's no reason for me to join that crowd.

What I will not tolerate are vague threats toward people attempting to respond to the situation as best they can with the information at hand and assist others in doing the same. That is blatantly detrimental to his customers.

Besides "swinging for the fences" and "making lemonade", bullying and taking cheap shots at anyone who gets vocal or makes strong arguments about epik is what he does.
All in an attempt to silence through intimidation/destabilization.

Dismiss.
Keep going.
Peacefully.

 

[marijuanadomain]

No news from Epik?
So did anybody at epik going to jail or sue?

How is business now?

I don't think Epik will last long....sooner than later...out of business

 

[Evil.dll]

Yes. Added to that @Paul has personally reported a potential vulnerability to Rob in private, before all this started.

Persistence is a reoccurring theme in my line of work.

 

[Evil.dll]

Recurrent*

 

[dirk]

As a security professional you should know better to make such a general statement.

We don’t need to make everyone panic and become overly anxious about their domains needlessly for the fact that as you are aware when it comes to domainers perhaps less than 5 percent of the domains in most portfolios are of such value and quality that might require the level of security that you like to see.

The majority of the domains in any given portfolio are of average value and quality which really no one (not even the hackers) is going to go through the trouble to take.

Most of the whales* who were attracted to Epik for their special prices probably have had better arrangements for their ultra premium domains because one has to be a fool to transfer around those kind of domains to save a few dollars on renewals. (* Whales are those with very large portfolios).

As far as the innocent business clients go who have a domain or two that they use for their websites it seems that the hackers have taken some precautions to keep those people safe and anyone else who might gain access to their info is probably is not going to mess with them as interfering with other people’s business is a major crime.

So that leaves only the fringe and extremist groups who most likely will still continue using Epik either because of their loyalties or the fact that they have no where else to go.

So In my opinion domainers should not worry as much about losing their domains because the majority of those domains are not worth the trouble for anyone to try to take. Although it’s probably a good idea for everyone to increase the level of security for the few super premium domains that they might have and not to move them around every time there is a special on renewals at some registrars.

So it seems that most people should worry more about losing their personal info than losing any domains.

This hack (rightfully or wrongfully *) has been more about exposing information regarding some of the far right groups rather than trying to take anyone’s domains.

* The only way that the hackers can justify their actions as being hacktivists is if they also expose some of the shortcomings and injustices in the far left, otherwise they are just being used as political tools and pawns by those who want to bring down their opposition in any which way that they can.

Disclaimer: I am not associated or affiliated with anyone. These are my opinions as a neutral and impartial observer.

IMO

Let me ask you this, since you think people shouldn't worry too much. Do you think E will survive this as a registrar? Will they be able to come back from this? Don't mind the leaked PII, sales data, CC records, whatever. If E goes down, having a big portfolio over there is gonna hurt your business. If using E is part of your 'business model' you will be suffering. I already noticed some small portfolio holders having a hard time because of this, unloading, transferring....

So much for creating abundance.

 

[Evil.dll]

These are the 7 principles of the GDPR

• Lawfulness, fairness and transparency.
• Purpose limitation.
• Data minimisation.
• Accuracy.
• Storage limitation.
• Integrity and confidentiality (security)
• Accountability.

 

[Evil.dll]

Most security professionals know about the CIA triad
Confidentiality
Integrity
Accountability

 

[Future Sensors]

I really think that with all new developments, new data breach notifications have to be prepared for all relevant states.

 

[Digital Universe]

I wonder what will happen to Epik's "Forever Domains" they offered as a "guarantee", if for whatever reason they fail as a company on the long run...

 

[Paul]

As a security professional you should know better to make such a general statement.

It was not a general statement.

The majority of the domains in any given portfolio are of average value and quality which really no one (not even the hackers) is going to go through the trouble to take.

I am not in a position to assess the value of anyone's portfolio. My statement was with regards to the risk to domains--whether that risk is applicable or tolerable to any individual is not something I can determine. I was asked a specific question and provided a specific answer.

As far as the innocent business clients go who have a domain or two that they use for their websites it seems that the hackers have taken some precautions to keep those people safe and anyone else who might gain access to their info is probably is not going to mess with them as interfering with other people’s business is a major crime.

I addressed this by excluding people who feel they can trust the hackers.

So it seems that most people should worry more about losing their personal info than losing any domains.

The question to which I was responding was about domains, not personal info. The risk to personal info has been addressed elsewhere in this thread.

So In my opinion domainers should not worry as much about losing their domains because the majority of those domains are not worth the trouble for anyone to try to take.

That is not for me to determine. I can only speak to the risk to the domains.

This hack (rightfully or wrongfully *) has been more about exposing information regarding some of the far right groups rather than trying to take anyone’s domains.

That appears to be what the hackers stated. Whether you trust them to be honest is up to you.

 

[Future Sensors]

I wonder what will happen to Epik's "Forever Domains" they offered as a "guarantee", if for whatever reason they fail as a company on the long run...

These are some official statements about such a situation:

https://www.namepros.com/threads/epik-promotion.1242873/#post-8308123

https://www.namepros.com/threads/epik-promotion.1242873/#post-8308165

 

[Mr. Glomar]

Do you think E will survive this as a registrar?

Even if they survive "this", will they survive the "next one" and the one after that?

Even the most resilient people don't psychologically handle repeat attacks well at all, eventually most customers will conclude "enough is enough" and leave. A certain group of people will stay, but ultimately they'll be forced to leave when the business runs out of resources.

Not just customers, staff too.

Employees don't want to be associated with massive failures like this that are all over the news, and they're currently discovering a lot of stuff about their employer that they were probably oblivious to.

The level of impact these attacks will have on employees largely depends on culture, where they actually live and their family circumstances. Regardless, they'll likely be "very worried" about their future at best, which will lead to them keeping an eye out for other opportunities.

I believe the threat will persist, it isn't over yet in my opinion.

 

[Derek Peterson]

Dear Paul,

This is a note written to your highest self.

First of all, I want to acknowledge that NamePros as a community is fundamentally a force for good where industry participants have an opportunity to learn from each other and overcome challenges as they arise. I am thankful that it exists.

My reason for acquiring DNF earlier this year was not because I want to be in the forum business. I don’t. Rather it was because of what I observed to be a systematic anti-Epik bias. This troubled me and the situation at NP did not improve.

As for the most recent hack incident, we are certainly learning from it. You likely heard that we secured significant investment funding. We have not announced the full extent of the hiring and acquisitions but suffice it to say, we have been upgrading.

Already before this investment, Epik was moving swiftly to bring new innovations to the industry. Although we are not without our blind spots or shortcomings, the progress of maturing as a company was well under way.

The hack incident is relatively understood. We know who did it, how they did it, and when they did it. We also have a pretty good idea of why they did it and for whose benefit.

As I review the latest NP thread, what I find most troubling is that you are actively participating in what looks to be a concerted effort to defame and undermine Epik. In all sincerity, and in the spirit of “love thy neighbor”, this is not a good look for you.

Your name is Paul — the namesake of the man who was once Saul of Tarsus. Whoever named you likely had some awareness of Paul. It is a Biblical name. As Bible characters go, Paul is a personal favorite as he embodies the optimistic view on man’s journey.

So, why am I telling you this? Because the choices you are making will have consequences.

Epik will not perish. Our compliance team is following best practices. Our insurance coverage is ample. Our team is solid. Our domains under management continues to grow. And lastly, and most importantly, because God is on the throne.

My encouragement to you is to view your current actions and choices through an eternal lens. If souls are eternal, as I am quite sure they are, then even a $1 million “Epik Fail” bounty would not be worth it if it factored materially in your eternal path.

Finally, as I believe there are many folks who are likely damning themselves with false testimony, I would encourage a time slot that allows forum thread commenters the opporunity to go back and redact any false testimony before it is memorialized for consequence.

Regards,
Rob

Edit:

My reply:

Have I made any incorrect statements of fact? If so, please enumerate them.

His response:

Paul,

This was not a legal letter. Perhaps you have decided to make it one but please know that the note I wrote was written to your eternal soul.

Regards,
Rob

WOW! Not only is Paul's laptop in danger of hell fire from Rob's original curse because he has seen the data but now Mr Monster is cursing Paul's eternal soul for simply telling the truth.

This is a little off topic but as Fundy, Bible believing, born-again Christian I feel compelled to say that this is not the way Christians should behave. Rob Monster is not God. He has no power to curse anyone and the fact that he is threatening people with legal action (albeit subtly) and even trying to manipulate them using Christianity is just wrong, especially considering he is doing all these things to cover up truth, truth that is being told because others are more concerned for his customers than he is. Rob is the one who should be concerned about his "eternal soul".

Also, this behavior is nothing knew for Mr Monster. He has threated to sue me and others at least a half dozen times, demanded I take down videos exposing Gab, tried to get me banned from about every platform we have interacted and is constantly trying to manipulate using Christianity, which I am admittedly susceptible to but not any more with Mr Rob Monster. My hope for him is gone.

IMHO no one should ever trust Rob Monster again, not with their data, not with their domains and certainly not with anything pertaining to their eternal soul. He is not an honest man and he uses Christianity to control others and get power over them so he can take the things he wants. I have seen pastors and others in power with the same spirit and it always ends in abuse. Only after he sincerely repents and proves himself for several years serving others should anyone even consider trusting him again.

 

[Mr. Glomar]

WOW! Not only is Paul's laptop in danger of hell fire from Rob's original curse because he has seen the data but now Mr Monster is cursing Paul's eternal soul for simply telling the truth.

This is a little off topic but as Fundy, Bible believing, born-again Christian I feel compelled to say that this is not the way Christians should behave. Rob Monster is not God. He has no power to curse anyone and the fact that he is threatening people with legal action (albeit subtly) and even trying to manipulate them using Christianity is just wrong, especially considering he is doing all these things to cover up truth, truth that is being told because others are more concerned for his customers than he is. Rob is the one who should be concerned about his "eternal soul".

Also, this behavior is nothing knew for Mr Monster. He has threated to sue me and others at least a half dozen times, demanded I take down videos exposing Gab, tried to get me banned from about every platform we have interacted and is constantly trying to manipulate using Christianity, which I am admittedly susceptible to but not any more with Mr Rob Monster. My hope for him is gone.

IMHO no one should ever trust Rob Monster again, not with their data, not with their domains and certainly not with anything pertaining to their eternal soul. He is not an honest man and he uses Christianity to control others and get power over them so he can take the things he wants. I have seen pastors and others in power with the same spirit and it always ends in abuse. Only after he sincerely repents and proves himself for several years serving others should anyone even consider trusting him again.

As I watched Rob Monster in the "prayer meeting" for four hours I didn't see the apology and remorse that I was genuinely expecting to see. I saw a man that's highly skilled at "grooming", "manipulating" and "coercing" people, and came away with the impression that he usually gets away with it.

I don't see a "good" Christian, I see a dishonest liar and manipulator that I could never trust.