alert Epik Had A Major Breach

[DaveX]

Just read this. Looks like Epik may have been hacked and sensitive data compromised...

Read here:
https://domainnamewire.com/2021/09/14/hackers-claim-significant-epik-breach/

Thought I would share this.

 

[bmugford]

It might be better for Rob to let his lawyer talk on his behalf and issue press releases.

IMO

Someone needs to say something. The first hack was exposed over (2) weeks ago now with no major updates. Customers (and unrelated 3rd parties involved in the breach) are still largely in the dark.

Brad

 

[finitecrystal]

It might be better for Rob to let his lawyer talk on his behalf and issue press releases.

IMO

At this point, what Epik needs is a crack team of cyber security experts, lawyers, and PR people working together on their press releases. lol

Seriously though, I can't think of any way they could spin this that doesn't look really bad, other than to pretend it didn't happen, which also looks really bad.

 

[oldtimer]

Someone needs to say something. The first hack was exposed over (2) weeks ago now with no major updates. Customers (and unrelated 3rd parties involved in the breach) are still largely in the dark.

Brad

rightly or wrongly it seems that so far Rob is seeing this situation mostly through the political lens. At this point in time It might be a good idea for him to let his lawyer or someone else at the company address the current problems and any solutions that they might have come up with from the business and PR point of view.

IMO

 

[oldtimer]

No, that's not how email works. The routing of messages from alias to inbox is done on your mail server, the SMTP server that sent the message has nothing to do with it. Naturally you might run into issues if you abuse your own outgoing SMTP service, but that'll happen no matter what. For the average user, you shouldn't have to send an email from one of your aliases very often, so I really doubt it'll become an issue.

You might be right, but I personally don't like to use aliases. I use my main email for everything as I believe that it has more credibility and authority.

IMO

 

[finitecrystal]

You might be right, but I personally don't like to use aliases. I use my main email for everything as I believe that it has more credibility and authority.

IMO

If that makes you happy, great! Most automated systems simply don't care what email address you use, as long as it has working SMTP service and you have access to the corresponding inbox. I might as well make use of my domain to make it easier to track and eliminate junk.

 

[oldtimer]

At this point, what Epik needs is a crack team of cyber security experts, lawyers, and PR people working together on their press releases. lol

Most probably they have a team of experts working on overhauling and upgrading their security, the problem is that they don't have a PR team letting the public know on a daily basis about all the stuff that they are doing behind the scenes.

IMO

 

[finitecrystal]

Most probably they have a team of experts working on overhauling and upgrading their security, the problem is that they don't have a PR team letting the public know on a daily basis about all the stuff that they are doing behind the scenes.

IMO

I think that's what they want you to think, personally I wouldn't give them that much credit. No matter what this is a PR nightmare, but some transparency as to how they're going forward, specifically how they plan to secure their systems and avoid collecting information that they shouldn't to mitigate the extent of the damage next time, would be nice.

 

[Jona4s]

The registrar shifts will be in the ICANN reports published from January 2022 to April 2022.

Regards...jmcc

You don't need to wait until 2022.

As I explain you before, anyone can send 158.6 million TCP whois packets in under an hour, using a few IPs and a single $2 VPS.

Each packet is 65 bytes @ whois.verisign-grs.com:43

0  0  1  .  C  O  M  \r \n
30 30 31 2e 43 4f 4d 0d 0a

The answer packet ~3kb.

49 41 4e 41 20 49 44 3a 20 31 33 33 31 0d
I  A  N  A     I  D  :     1  3  3  1  .

You just need the 158.6m com from the zone file. The same with other gtlds, you can get them on czds.

And for ngtld, appears Epik has 61k https://ntldstats.com/registrar/617-Epik-Inc

The only ones missing would be cctld.

Anyone interested doesn't have to wait until 2022.

 

[oldtimer]

some transparency as to how they're going forward, specifically how they plan to secure their systems and avoid collecting information that they shouldn't to mitigate the extent of the damage next time, would be nice.

Have any of the researchers (including you) contacted Rob's lawyer to ask him about this.

IMO

 

[finitecrystal]

Have any of the researchers (including you) contacted Rob's lawyer to ask him about this.

I have not reached out to Epik or Rob Monster regarding the hack. Several journalists have and they've gotten radio silence afaik. I don't think it should be my job to make Epik communicate with their customers about how seriously (or not) they take the security of their customers' data. Honestly I don't even care, I would never trust them anyway, I'm just pontificating about what they should do.

 

[oldtimer]

I have not reached out to Epik or Rob Monster regarding the hack. Several journalists have and they've gotten radio silence afaik.

Well his lawyer might be the most rational person to reach out to for getting some answers.

I am not saying that you personally have to do this yourself, but Rob's lawyer could probably provide some answers if approached by researchers and journalists.

IMO

 

[Windoms]

Since Epik's leaks, I've had suspicious logins on my Twitter, Steam, Ubisoft and some not so known platforms, also a phishing e-mail from "my bank" (they got the bank's name right tho) that I need to change my home banking password. No damage or modifications so far (due 2-FA i guess), also no modifications on the domain names.

What's ringing my bell, is that Paypal cut them like 2 years ago, and my bank called me last year to say that Epik LLC is not a trustful company and I should consider my on going transaction (luckily I used a virtual/disposable card). Apparently they knew something.

Always liked Epik, but Rob's attitude raised a lot of red flags in my head, his "god" references, narcissistic behavior, irrational rants and the lack of communication. Just transferred out all my domains, good bye Epik, and Rob, I hope you get your lesson out of this (you better start believe in your lawyers instead of Santa Claus).

Twitter, steam, ubisoft, damn these guys are scraping hard. Maybe they're looking more adresses or saved credit cards. That dumb breach is going to f*ck lots of people. Stupid, and neglected, dumb, f*cking breach.

Silly.

We know who did it, how they did it, and when they did it. We also have a pretty good idea of why they did it and for whose benefit".

There he goes, brewing lemonade.
He's gonna come out saying it was a conspiracy against freedom and free speech. Lol.

All while forgetting the fact that epik is in deep sh*t.

Boat heading straight to niagara falls.
No art or skill will save.

Change the captain.

 

[carob]

The problem is really this is just not that feasible. People might use 50-100 different websites with logins, or more. What are you going to have a different

People are being advised here by others to change all the email addresses they use with various service providers/websites. If they are doing that anyway, they might as well supply a unique email for each service/website. Using a domain you control for email that is really easy.

Once you have set up the catchall on the domain you use for email, any unique email you create will send email to whatever email inbox you assigned to the catchall, for example, [email protected]

So if you sign up for marketing emails from, say, scarydomainmonster.com, you could on the spur of the moment supply them with [email protected] as your email and then anything they send you automatically goes to the inbox of [email protected].

 

[finitecrystal]

I am not saying that you personally have to do this yourself, but Rob's lawyer could probably provide some answers if approached by researchers and journalists.

Epik's legal team is free to communicate with the press at their leisure. I don't have Rob's attorney on speed dial.

 

[Bravo Mod Team]

1Password recently added:

Masked Email
Email addresses as unique as your passwords

Protect yourself from data breaches and spam with a unique email address for each account.

If you start receiving unwanted emails you can easily identify which services shared, leaked, or sold your email address. And, if you need to, you can simply switch it off.

Separate all your online identities and manage it all from a single account.

https://1password.com/fastmail/

 

[MadAboutDomains]

1Password recently added:

https://1password.com/fastmail/

The only issue with this is that some websites have a habit of banning the use of these types of email addresses. I've seen this for public mailbox providers like mailanator. Of course mailinator is different in that all of the mailboxes are public, maybe they'll treat this kind've thing differently.

 

[mr-x]

Do you know anything about anarchist philosophy? Do you even know what an anarchist is? Moreover, you're simply wrong. Recent hacks have revealed links between far-right organizations and the US government, which I would argue absolutely constitutes "wrong doing". I would also argue that they've "helped" at least some people, such as that real estate agency that doesn't want to have a holocaust denier working for them.

Edit by moderator: aggressive sentence removed.

Anarchist are criminals.

10's of thousands of people have been effected. That's not Epik's fault, it was anonymous who stole the data and continues to hurt people.

Philosophy is b/s. Actions speak louder than words.

Edit by moderator: personal attacks removed

 

[Jona4s]

their only crime is that of curiosity

 

[koolishman]

their only crime is that of curiosity

Whose?

 

[Future Sensors]

Epik's legal team is free to communicate with the press at their leisure. I don't have Rob's attorney on speed dial.

Data breach notifications were created after the first leak. The situation after the second leak is now even more serious and notifications must be adjusted and supplemented to reflect the current situation.

Fortunately, Epik does help "affected users". How?

Epik, please respond to their questions and concerns.