alert Epik Had A Major Breach

[DaveX]

Just read this. Looks like Epik may have been hacked and sensitive data compromised...

Read here:
https://domainnamewire.com/2021/09/14/hackers-claim-significant-epik-breach/

Thought I would share this.

 

[bmugford]

Did he ever point out what the inaccurate information would be in the Wikipedia article or does he just stick to these generic complaints?

You know I asked him and his Epik fanboys the same question multiple times in the first thread, and it was basically just general complaints without specifics.

@Molly White has offered many times to correct any factual errors. Just because a Wikipedia article is inconvenient for Epik, doesn't mean it is not factual.

Brad

 

[carob]

re Rob Monster's reply to Molly White:

As for the .COM it has been nullrouted for many weeks:

;YOURDADDYJOEY.COM. IN A

It is not at Epik.

I believe the site you are referencing is now sinkholed as the registrant did not transfer out despite ample transitional grace period.

What is the grace period? Is action taken by Epik not immediate and if so, why not? Can you not just cancel the domain?

As for whether or not we would re-empower, we don't have a formal "banned for life" policy. We generally subscribe to the view that most people are not beyond redemption.

Who is "we"?

 

[Molly White]

Did he ever point out what the inaccurate information would be in the Wikipedia article or does he just stick to these generic complaints?

As far back as August 2019, when I became aware he was posting on Gab about "countering Wikipedia hit-pieces", I have invited him to point out any errors or raise any concerns about the biography or the company article in whatever way he's most comfortable: by contacting me, by writing on the Wikipedia article talk page, by asking for input from uninvolved Wikipedians aside from me, whatever.

Our first communication was after such an invitation, I believe. He direct messaged me on Twitter to point out an error—in a Wikipedia article I had never edited. At the time, the Wikipedia article on Lisa Bloom said that her husband, Braden Pollock, was on the board of Gab (where it should have said Epik). I quickly corrected the error. In the same conversation, even before I had an opportunity to respond, he felt the need to say that Bloom was the daughter of "a civil rights lawyer who would have a field day with defamation". He also told me "she is a super-lawyer. Definitely not a person to annoy with libelous nonsense".

He has never pointed to any specific errors in either the Epik or the Rob Monster articles, despite my repeated invitations over two years. Regardless, I went through both articles carefully after he insisted they were erroneous to try to find any errors myself. It may be that he thinks there are errors in the source material that are being reflected into the Wikipedia article—I have also repeatedly encouraged him to provide sources that contradict any erroneous source statements, or to reach out to journalists to issue corrections (which can then be reflected into Wikipedia). He has never provided such contradictory sourcing, and hasn't specified what these errors in source material might be.

He has in the past asked for things to be added to one or the other page, but has either not been able to provide adequate independent, reliable sourcing, or has wanted things to be added that can't be supported by the sources he linked.

I don't wish to take this thread on more of a tangent about Wikipedia, but am always happy to discuss Wikipedia in more detail if I can be informative or helpful, either to do with these articles or more broadly (in another thread, on a different platform, whatever makes sense).

 

[Derek Peterson]

It has become pretty clear at this point that Rob Monster has no sense of guilt for lying about his products and services and hurting a lot of people in the process and that he never will. He has gone so far to cover up his many lies as to attack, defame and even threaten people for simply telling the truth and trying to help others post hack.

As annoying and frustrating as it is to listen to a liar and a thief caught in the act try to deflect, lie, yell and threaten his way out of responsibility, it is refreshing to know that soon this arrogant man will be fully exposed in this world and that some day God will judge his foolish, treacherous soul. There are scriptural examples of God forgiving drunkards, idolaters, adulterers, fornicators of all types and even murderers but the one class of people God had absolutely no mercy on were Christian grifters. (Acts 5. Matt 27:1-5) They were given no opportunity to repent even though they wanted to. That's why when you listen to Monster talk about the Bible and scriptural things it comes off as weird and contrived and self serving because it's all him, not God and not the Holy Ghost.

Rob Monster lied and hurt a lot of people for money and fame. He falsely accused real Children of God, he tried to manipulate believers by trying to gaslight them into doubting their own salvation and even threatened them, all in an attempt to cover up his lies. Rob Monster didn't curse any data because he doesn't have the power to do that but he has cursed himself before God that is for certain.

God has more love for all these leftists and hackers and very confused souls in that world than he does for Rob Monster. That I can prove from scripture.

 

[DN Playbook]

Control the narrative. Control the outcome.

Controlling the narrative, like free speech, is not absolute. We are seeing forceful efforts to control the narrative contrary to facts.

He has never pointed to any specific errors in either the Epik or the Rob Monster articles, despite my repeated invitations over two years. Regardless, I went through both articles carefully after he insisted they were erroneous to try to find any errors myself.

@Rob Monster, is there anything incorrect in what @Molly White states? There seems to be a pattern here.

The best way to put things to rest is to copy and paste the questions with your answers below.

 

[carob]

There are scriptural examples of God forgiving drunkards, idolaters, adulterers, fornicators of all types and even murderers but the one class of people God had absolutely no mercy on were Christian grifters. (Acts 5. Matt 27:1-5)

Have you considered the possibility that Rob Monster may have made a pact with Satan?

It's also possible that his many associations have left him open to blackmail and he has become a puppet - take your pick, extremists, Feds, Russians, Chinese, profiteers pulling the strings.

The ignoring of reported security issues might not be simple ignorance or indifference, it might be avoidance of costs. The whole point of Epik may have been to build it up and sell it on, a kind of pump and dump where admitting security issues and the costs of fixing them would make a sale harder.

 

[Future Sensors]

Operators of "hot potato" domains are strongly advised to check in with us first before seeking safe harbor at Epik.

Will you stop personally recruiting these specific customers on controversial sites from now on? It may have become apparent by now that this aspect plays an important role in the narrative.

 

[shoulda9393]

This should all be settled in the courts, not some rambling thread. Here's my opinions as an uninvolved outlooker, and I'm not insisting anyone take my advice.

I come to this thread to see general updates on Epik security and instead I find countess drama about obscure Wikipedia admins, "Anonymous", and some guy named Joey using the Epik hack as a proxy for personal disputes none of us need to know about.

If people have a legal issue with the owner of an antifa doxxing site that is legally valid, it seems they should file a legal complaint to the owner of the site, in my opinion. Not try to pretend they can use domain infrastructure long term to accomplish whatever they want. That harms the internet at large when the foundations of the web are used to settle personal disputes.

As Epik had a massive breach and if they know the hackers involved, it would make sense for them to file a criminal and/or civil complaint against the hackers instead of engaging with them in public, as the hack was indeed extremely illegal. If passwords weren't hashed at Epik, and everything was in plaintext, customers should be notified about when that will change (by email) so they can decide how to use the service in a way that protects their information safety.

ICANN or whoever regulates transfers should also get involved if EPP codes are still at risk due to what seemed to be a total server compromise, and if not, customers should be notified the EPP codes are completely safe, by email, routinely imo.

Epik should have put up a notice about the hack on their site as well rather than Namepros in my opinion. Also the emails were vague and including religious references in any of them was super unprofessional.

 

[koolishman]

This should all be settled in the courts, not some rambling thread. Here's my opinions as an uninvolved outlooker, and I'm not insisting anyone take my advice.

I come to this thread to see general updates on Epik security and instead I find countess drama about obscure Wikipedia admins, "Anonymous", and some guy named Joey using the Epik hack as a proxy for personal disputes none of us need to know about.

If people have a legal issue with the owner of an antifa doxxing site that is legally valid, it seems they should file a legal complaint to the owner of the site, in my opinion. Not try to pretend they can use domain infrastructure long term to accomplish whatever they want. That harms the internet at large when the foundations of the web are used to settle personal disputes.

As Epik had a massive breach and if they know the hackers involved, it would make sense for them to file a criminal and/or civil complaint against the hackers instead of engaging with them in public, as the hack was indeed extremely illegal. If passwords weren't hashed at Epik, and everything was in plaintext, customers should be notified about when that will change (by email) so they can decide how to use the service in a way that protects their information safety.

ICANN or whoever regulates transfers should also get involved if EPP codes are still at risk due to what seemed to be a total server compromise, and if not, customers should be notified the EPP codes are completely safe, by email, routinely imo.

Epik should have put up a notice about the hack on their site as well rather than Namepros in my opinion. Also the emails were vague and including religious references in any of them was super unprofessional.

Well put. Devoid of emotion and to the point.

 

[DN Playbook]

This should all be settled in the courts, not some rambling thread. Here's my opinions as an uninvolved outlooker, and I'm not insisting anyone take my advice.

I come to this thread to see general updates on Epik security and instead I find countess drama about obscure Wikipedia admins, "Anonymous", and some guy named Joey using the Epik hack as a proxy for personal disputes none of us need to know about.

As Epik had a massive breach and if they know the hackers involved, it would make sense for them to file a criminal and/or civil complaint against the hackers instead of engaging with them in public, as the hack was indeed extremely illegal. If passwords weren't hashed at Epik, and everything was in plaintext, customers should be notified about when that will change (by email) so they can decide how to use the service in a way that protects their information safety.

I agree with you to a point. From this thread we have learned that a class action is being explored. However, this thread is about giving us context so we can make decisions to protect ourselves. Legal cases can be settled out of court that would include an NDA. This would leave everyone else in the dark.

 

[Future Sensors]

Also, is it already clear where the hacked data was stored? I don't doubt it was stored on a server in the UK or Crimea, for example.

In their original response it was about some old remote backup. Looked like the company was downplaying the data breach a little bit. I agree that jurisdiction is an important aspect to consider in any legal proceedings. In what geographic region was PII stored and how was it protected? Cloud providers like AWS think about this all the time and offer custom solutions per region.

 

[Derek Peterson]

Have you considered the possibility that Rob Monster may have made a pact with Satan?

It's also possible that his many associations have left him open to blackmail and he has become a puppet - take your pick, extremists, Feds, Russians, Chinese, profiteers pulling the strings.

The ignoring of reported security issues might not be simple ignorance or indifference, it might be avoidance of costs. The whole point of Epik may have been to build it up and sell it on, a kind of pump and dump where admitting security issues and the costs of fixing them would make a sale harder.

Yes, with Rob Monster all things are possible. I have honestly not ever encountered someone as weak and dishonest and unrepentant as Rob Monster in a professional atmosphere. I've read about them and seen documentaries about commercial builders who used shoddy materials and bldgs collapsed, pharma execs who knowingly sold poison and covered up studies or even doctored them and fund managers who lied and destroyed people's life savings. It's always shocking to me how these people never feel sorry, they always play the victim and they always maintain an air of superiority. Monster is the same as these types but he even throws in the whole Christian schtick to help sell, which makes it all even more disgusting.

When I first spoke with Monster I figured he was just a really immature Christian, recently saved from a lifetime of partying and adultery, using carnal means, deceit, lying, covering up evil, etc for what he thought was some greater good eg. protecting free speech, defending Christians, etc, but I pretty quickly figured out he was a fraud and the whole thing was just a grift to get rich and a chance for him to finally feel important.

I do not think he is knowingly in partnership with the Devil, at least not yet, but he certainly is doing his bidding. As far as working with some other group to sell out his customers, I am sure he would and probably find a way to make himself feel like he is doing good when he does it. I still find it highly suspicious that within 60 days of getting $32,000,000 from a mystery investor, for minority stake of common in Epik, (ridiculous valuation) that a monstrous hack happens.

I sincerely believe that Rob Monster entered a reprobate state at some point in his life and is now beyond salvation. This type can learn a lot of doctrine and have some emotional experiences that make them believe they are Christians and stop participating in some sins but the fact of the matter is that they are not saved and they never will be saved. Eventually, as they fail to repent of the harm they cause and hurt to real believers they begin to accept what they are and embrace it fully. That is where Monster is at now. I was just helping sink the spiritual hook.

"Ever learning, and never able to come to the knowledge of the truth. Now as Jannes and Jambres withstood Moses, so do these also resist the truth: men of corrupt minds, reprobate concerning the faith. But they shall proceed no further: for their folly shall be manifest unto all men, as theirs also was."

 

[jberryhill]

As Epik had a massive breach and if they know the hackers involved, it would make sense for them to file a criminal and/or civil complaint against the hackers instead of engaging with them in public, as the hack was indeed extremely illegal.

There seems to be a common popular misconception that private individuals or entities can "file a criminal" complaint as some sort of an alternative or adjunct to filing a civil complaint.

To be clear, private individuals can report crimes to law enforcement authorities, but in the United States one cannot directly prosecute a criminal case. (There is a rare form of "private criminal law enforcement" called a qui tam action, but it is not worth going into not relevant to these circumstances)

Additionally, it would be way too early at this point for law enforcement authorities to have conducted a complete investigation and determined whether there are persons within their jurisdiction to prosecute, or whether the circumstances bear further and deeper investigation.

In either context, engaging with the hackers in public may indeed be something that is useful to do - particularly in the context of seeking admissions that would be useful in a civil case, but sometimes at the request of law enforcement to further their investigation.

Filing an action and enforcing one may, of course, be two different things. Tanya Gersh, for example, was awarded $14M for the abuse inflicted on her by Andrew Anglin, who became hard to find and would certainly have taken advantage of competent legal counsel to advise him on the various risks and potential practical consequences of various courses of action that Anglin might take.

But, in any event, as a private company, one does not independently pursue criminal investigation and prosecution, and there can be practical reasons for not spending money to obtain judgments against the judgment-proof. Conversely, there can be benefits to extracting useful public admissions.

 

[DN Playbook]

But, in any event, as a private company, one does not independently pursue criminal investigation and prosecution, and there can be practical reasons for not spending money to obtain judgments against the judgment-proof. Conversely, there can be benefits to extracting useful public admissions.

Taking legal action can be very costly with no guarantee as to outcome. It is a safe assumption that the hackers have concealed themselves very well and hidden their tracks. The biggest concern of RM is not going after the hackers, but protecting E's image in the court of public opinion.

 

[Future Sensors]

Let me once again link what has been said about prosecution here:

https://www.namepros.com/threads/epik-had-a-major-breach.1252094/page-117#post-8423762

 

[Derek Peterson]

- As mentioned, Epik has completed about a dozen acquisitions in the last 3 years. For strategic reasons, not all of them get announced. We do talk to a lot of folks. When we say no to a deal, it is often due to bad cultural fit, e.g. a Dutch company that has gone on to become stronger after some transitional assistance.

Monster is a bottom feeder and about all of his "acquisitions" have failed. Most of the time he just pretends to be interested in M/A deal and is just fishing for info. For example, Sybil hosting "company" was a couple of teens hosting lolicon and doing about $2,500/month in revenues, half of which was Gab. Bitmitigate, which he purchased from Nic Lim was in essence dead within months b/c Nic quickly quit and relaunched an upgraded version.

- I don't actually recall having any M&A discussion with Derek. If any such discussion occurred, it would have been very preliminary. In general, we don't do a lot of partnerships. We either build or we acquire. In the case of Derek, it is safe to say that there would not have been a cultural fit.

More deceit from Monster. I never said I ever entered into M/A discussion with Monster or Epik. What I said was that Monster entered into M/A discussions with Ray Vahey of BitChute and Ray asked my advice on how to handle. I told Ray that Monster is a dishonest person and a bottom feeder and that he is just fishing for info on how BitChute operations work so he could launch competing service and I suggested he require a signed LOI with non-refundable 10% deposit. Ray did that and Monster slithered back into the shadows.

 

[Windoms]

For example, earlier today, I interviewed a retired US Major General with a deep background in security, including cybersecurity.

Is that true?

- Daily transfers in continue to outpace transfers out many times over. This pattern has been steady and domains under management continues to rise.

Are you transferring your own domains into epik?

- The escrow business is doing just fine. So far today no less than 5 transactions started with transaction sizes above $100K each. With crypto booming, much of this is crypto-related. As far as I know, Epik is the only registrar-escrow that is also integrated as a licensed crypto exchange.

Thats a lot of 100k sales in one day, for a dangerous platform.

- There will be no re-brand of Epik.com. The Epik brand continues to be healthy. Brand awareness is higher than ever. Our product and service are good and improving. We don't need to be everyone's cup of tea to have a sustainable enterprise. I was encouraged by this poll today:

Thats confident.

But usually, fake it til you make it tech CEOs aren't in crazy deep shit, with so many healthy alternatives available.

You are not grasping reality.

 

[Molly White]

Looks like Joey Camp has been hosting his doxing sites at Epik, in addition to just using Epik domains. Why are you continuing to provide him hosting and other services, @Rob Monster?

https://twitter.com/x/status/1449487872181116931

https://twitter.com/x/status/1449489268838182914

 

[shoulda9393]

There seems to be a common popular misconception that private individuals or entities can "file a criminal" complaint as some sort of an alternative or adjunct to filing a civil complaint.

To be clear, private individuals can report crimes to law enforcement authorities, but in the United States one cannot directly prosecute a criminal case. (There is a rare form of "private criminal law enforcement" called a qui tam action, but it is not worth going into not relevant to these circumstances)

Additionally, it would be way too early at this point for law enforcement authorities to have conducted a complete investigation and determined whether there are persons within their jurisdiction to prosecute, or whether the circumstances bear further and deeper investigation.

In either context, engaging with the hackers in public may indeed be something that is useful to do - particularly in the context of seeking admissions that would be useful in a civil case, but sometimes at the request of law enforcement to further their investigation.

Filing an action and enforcing one may, of course, be two different things. Tanya Gersh, for example, was awarded $14M for the abuse inflicted on her by Andrew Anglin, who became hard to find and would certainly have taken advantage of competent legal counsel to advise him on the various risks and potential practical consequences of various courses of action that Anglin might take.

But, in any event, as a private company, one does not independently pursue criminal investigation and prosecution, and there can be practical reasons for not spending money to obtain judgments against the judgment-proof. Conversely, there can be benefits to extracting useful public admissions.

What I meant was he should report it to law enforcement if he hasn't already or file a lawsuit or and then after that just care to his customers, not the hackers or trolls or people with gripes about websites using registrars.

There is no benefit to Rob in interacting with the many trolls on here who want his business to collapse for ideological reasons, many of whom liked the posts here deterring him from perusing legal action against people both defaming his business and quite literally compromising all of it. Every time he interacts with people tangential to hackers or leakers, he is making it seem like he had to do x or y to avoid the hack, when in reality, no one should have hacked, seeded, shared, or even downloaded the highly sensitive personal info of thousands of people (including passwords, phone numbers, addresses and failed passwords of many leftists and liberal domain owners, not just right-wingers).

With regards to other posts above this one about whether Rob is himself a good person, I don't know, and don't care because his business was large enough that I could buy a few domains without worrying about that. Most of us don't use single registrars and don't care about the political leanings of registrars unless we have really weird domains. The main issue for domain owners were technical aspects like his password hashing, not his personal opinions imo.

All he's doing right now by responding to them is feeding the egos of internet junkies and people with personal vendettas they want to utilize the Epik leak for.

This is a domain forum, not a forum about *sites that use domains* or about the moral merits of Rob potentially profiting of hate speech sites (like Tucows and every other registrar does) or the drama that led up to the hack. Having a few domains on Epik, I'd just want to know what to do as a domain owner. Am I supposed to not use my password at Epik anywhere else, should I transfer out, should I not purchase anything with a credit card?

And this Twitter circus should stay on Twitter so us lurkers don't have to go through hundreds of posts to figure out the current status of Epik security.

 

[FernandoBMS]

I don't see any trolls in this thread and all the questions asked are legitimate and Epik's spokesperson or CEO should indeed answer them.