Epik Had A Major Breach
Anyway, the whole narrative of Epik allowing sites that wouldn't exist elsewhere, or 'enabling' them is 100% bunk. They can and do exist without Epik. That narrative is like 3 years old now, and this thread is about 3 year old drama. The rogue sites that can't exist anywhere are at vanwatech, not Epik.

Epik let go of many legal sites that activists wanted to take down over the years. Albeit it took a lot of effort, registrars aren't and shouldn't be in the position to police content. I don't count spam and phishing as content, and neither do the wholesalers.

People can bump this thread 10000 times and post on twitter 10000 times until Gab/infowars/etc feels the need to move off Epik. But then they'd move to DirectNic, Eranet, Nicenic, Vanwatech, Tucows, Russian registrars, or Enom. This would just be the first in like 10 whack-a-moles, and it's taken people like 4 years to get to this point where they are struggle sessioning Epik without much pushback. (that analogy from Rob was apt despite my issues with my info being breached). So it'd take like 20 years if they wanted to do the same to the rest of the registrars, and at that point there'd be more companies popping up.

If people have major concerns about 'enabling' extremist content, they should look at reforming section 230 rather than going after the nuts and bolts of the internet. We can have a functioning internet with a reasonably changed section 230 that keeps website admins from harbouring or even sockpuppeting as illegal terrorists. But it's hard to have a functioning internet long term when people use domain registrars as blanket content policers...
 
Last edited:
2
•••
This is from the Epik.com TOS:

Further, You may not use the Site or the Services provided through or in connection with the Site to: (a) defame, abuse, harass, threaten or otherwise violate the legal rights (such as rights of privacy and publicity) of others;
 
Last edited:
0
•••
> This is from the Epik.com TOS:
>
> Further, You may not use the Site or the Services provided through or in connection with the Site to: (a) defame, abuse, harass, threaten or otherwise violate the legal rights (such as rights of privacy and publicity) of others;

All of those are crimes. If someone is doing a crime, and better yet if you know their name, that's what the authorities are for. If Epik isn't abiding by their ToS, that's bad (I don't know), but that's not an excuse for people (not yourself but at least one other person in this thread), to wantonly hack or leak the personal info of thousands of law abiding customers. Many non-political people used the registrar, and this thread is about the breach, not ToS violations.
 
2
•••
@shoulda9393 Okay, can you tell more about the breach then?
 
0
•••
> @shoulda9393 Okay, can you tell more about the breach then?
I wish I knew, because my personal info was in it, and that was a crime against me and thousands of others, including thousands of non-political people.
 
0
•••
> Thanks, I guess this thread is not for you, after all. Nice to have been in touch, in any case.
Nope, this thread is best suited for the thousands of innocent domainers who had a crime committed against them by leaking their personal info, myself included.

As much as people want to make the breach about 1-2 z-list e-celebs and culture warriors who spread misinfo about Epik, that is not what this thread is about.

Anyway, yes good day and I hope you find whatever you are looking for in the thread. But I'd prefer some legal justice for the thousands of domain owners who had passwords, usernames, failed passwords, home addresses, EPP codes, email addresses, and phone numbers illegally leaked, for political reasons it appears, in some way or fashion. There's a lot of non-political people who used the service, but their info was also irresponsibly leaked, by these overzealous culture warriors.

People expect privacy when registering domain names, and breaches like this are massively illegal to thousands of people.
 
Last edited:
4
•••
I don't really see why it matters if a registrar is courting political extremism when the same is already allowed on major registrars, and the sites would have existed without Epik.

If the sites would have existed anyway, why does it matter if Epik is the one giving them a name rather than Tucows?

Registrars/hosts can have views that don't sit well with many of their customers. However, it is much different when they publicize, impose, and even use those views publicly to attract certain type of clientele. It is a well known fact that was reported on by many media outlets that Epik took on extreme websites and domains that were deplatformed by other registrars due to the extremist content. In fact, RM even operates a social media site that is a pot for hate speech, prejudice and hostility toward minorities, and other extreme views. This is what makes Epik stand apart from these other registrars. They have a reputation.
 
Last edited:
0
•••
I am getting more and more notifications that my accounts have been compromised.
 
1
•••
> I am getting more and more notifications that my accounts have been compromised.
Blame the swiss bank of privacy and security.

Man boasts about privacy and security, that's dangerous territory.
Knows he's got cheap security, that's lame.
Sees GAB opportunity to make lemonade, instantly jumps on the wagon.
Claims protection of free speech, wages war and protects deviants like nazis to gain momentum, OK, that's intelligent.
Take into account he's got weak security, that's dumb. Disconnected from reality.
Literally gambling and trying lemonade in order to win while putting people's lives at stake.
Criminal behaviour.
And he doesn't give a single f*ck.
 
1
•••
I think this articulation from Derek is the best I have seen in terms of understanding his mindset.

It is probably a bit apparent that I don’t like Derek. And yet I can still love him. Similarly, I don’t like Joey Camp, Aubrey Cottle, Chad Loder, or Molly White. And yet I can still love them and I can hold an optimistic view about them. The act of sending Aubrey $444 had nothing to do with what he did, but rather it has to do with who he is: a child of the most high God. When a colleague shared the GoFundMe story, it just seemed like the obvious thing to do. After all, love conquers all. Wise as serpents. Harmless as doves.

Today's Sunday message is on "LOVE".

-Love does not lie about the security of a website and expose thousands of people's personal data to criminals and tyrants all over the world.
- Love does not cancel people on an emotional whim.
- Love does not try to silence those who tell the truth.
- Love does not defame those who tell the truth.
- Love does not threaten to sue those who tell the truth.
- Love does not try to humiliate others over personal relationship and financial struggles.
- Love does not hire people to harass and intimidate others because you didn't like what they wrote on the internet about you.

Anyway, my point is that Rob Monster is one of the most disingenuous and dishonest people I have ever encountered. He has literally done everything he can do legally and illegally to silence those who have exposed his lies short of hiring a hit man and I'm sure that has crossed his mind. I honestly can't tell if he believes the things he says and is just completely disconnected from reality or just doing it all as some kind of a troll but in any case the fact of the matter is that he has done all those things and much more. The notion that he will ever take responsibility for all his lies and the damage he has done is just naive and so is the notion that he will ever change his ways unless he is put in a box.
 
Last edited:
0
•••
This incident creates many future vulnerabilities across any internet accounts you may have. Attacks that may follow this will begin with simple credential stuffing attacks, where known passwords may be used across different platforms. Then, once all the data is parsed and put into a more readable format (it was pretty readable to begin with and is already in a format most could find useful), all information that is tied to you could be used to build unique wordlists that may escalate into dictionary attacks against your passwords for any site.

You may be asking yourself: well, how easy is it to find all the accounts that may be linked to, let's say, a unique username (15 seconds using a simple python tool), and with a dictionary attack how long would it take to crack my password (15-30 seconds depending on the computer cracking it and the strength of the wordlist)? The answer to that really depends on the person attempting to access the information (is it a skid trying to sell 35,000 social security numbers to a fed and doxx people at the behest of "billionaire" investors, or is it a real hacker) and how motivated they are to attack you.

Some of you may see nothing, and if you simply exercise digital hygiene, change your passwords to something that has more than 12 unique characters and enable at least two factor authentication on your online accounts, that could be the end of this breach for you, except for the phishing attempts everyone should be watching out for anyway. Some of you may not be so lucky and you may be under constant attack based on your world views, your human decency, and how you treat people you don't like; for those people, the answer is not so simple. This is just an opinion… Take it with a grain of salt, or don't.
 
Last edited:
5
•••
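The credential-stuffing follow-on described in the post above has a recognisable signature on the defending side: one source address failing logins against many different accounts inside a short window, which looks nothing like a user mistyping their own password. The detector below is an added example written for this thread, not code from the post's author or from Epik; the log format, field names, window and threshold are assumptions, and the log lines are constructed.

```python
"""Credential-stuffing detector over a few constructed auth-log lines.

Added example, not from the thread. Log format, field names, window size and
the distinct-user threshold are all assumptions; the lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp user=... src=... result=..." format.
SAMPLE_LOG = """\
2021-09-20T10:00:01Z user=alice src=203.0.113.7 result=fail
2021-09-20T10:00:02Z user=bob src=203.0.113.7 result=fail
2021-09-20T10:00:02Z user=carol src=203.0.113.7 result=fail
2021-09-20T10:00:03Z user=dave src=203.0.113.7 result=success
2021-09-20T10:00:04Z user=erin src=203.0.113.7 result=fail
2021-09-20T10:00:05Z user=frank src=203.0.113.7 result=fail
2021-09-20T10:00:10Z user=alice src=198.51.100.9 result=fail
2021-09-20T10:00:20Z user=alice src=198.51.100.9 result=fail
2021-09-20T10:00:30Z user=alice src=198.51.100.9 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return (timestamp, user, src, result) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["src"], m["result"]


def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_distinct_users=5):
    """Map src -> sorted distinct usernames for every source whose failed logins
    touched at least `min_distinct_users` different accounts within `window`.
    A single user failing repeatedly from one source is deliberately NOT flagged:
    that is the ordinary forgotten-password pattern, not stuffing."""
    failures = defaultdict(list)  # src -> [(ts, user)] for failed attempts only
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, src, result = parsed
        if result == "fail":
            failures[src].append((ts, user))

    flagged = {}
    for src, attempts in failures.items():
        attempts.sort()
        left = 0
        # Sliding window over this source's failures, ordered by time.
        for right in range(len(attempts)):
            while attempts[right][0] - attempts[left][0] > window:
                left += 1
            users_in_window = {u for _, u in attempts[left:right + 1]}
            if len(users_in_window) >= min_distinct_users:
                flagged[src] = sorted(users_in_window)
                break
    return flagged


def successes_from_flagged(log_text, flagged):
    """Accounts that logged in successfully from a flagged source: these are the
    ones that warrant a forced password reset and a second-factor check."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[3] == "success" and parsed[2] in flagged:
            hits.append((parsed[2], parsed[1]))
    return hits


if __name__ == "__main__":
    flagged_sources = detect_credential_stuffing(SAMPLE_LOG)
    print("sources flagged:", flagged_sources)
    print("successful logins from flagged sources:", successes_from_flagged(SAMPLE_LOG, flagged_sources))
```

On the constructed sample, 203.0.113.7 is flagged (five distinct accounts failed within seconds) while 198.51.100.9 is not (one user, two failures, then success), and dave's successful login from the flagged source is the one to act on.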
[image: warning.jpg]
 
3
•••
When passwords are stored they are usually salted, where the password gets additionally encrypted, so in the event of a breach they require more time and processing to see the plaintext password. Even a salted password can be cracked easily with an optimized GPU. Passwords that are stored in plaintext are like leaving your front door open with a sign that says “Steal my shit”. Credit Card info that is stored without salting the md5 hash is like dropping cash on the ground and expecting it not to be picked up. Security is the theatre of risk management and its effectiveness boils down to the actors involved. Shitty actors lead to shitty productions.
 
3
•••
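As an added illustration of the salting point in the post above (example code written for this thread, not Epik's code or the poster's), the block below puts the unsalted-MD5 defect next to a salted, deliberately slow hash: with no salt, two users who chose the same password get the same digest, so one precomputed table covers everyone in a dump; with a per-user random salt and PBKDF2 they do not, and each guess costs the attacker the same work it costs the server. The record format and iteration count are assumptions.

```python
"""Password storage: the unsalted-MD5 defect beside a salted, slow hash.

Added example, not from the thread. The record format
"pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>" and the iteration count
are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
from typing import Callable, Optional

ITERATIONS = 600_000  # slow on purpose; tune so one check costs ~100 ms on your hardware


def md5_unsalted(password: str) -> str:
    """The weak form: no salt, one fast round. Equal passwords give equal digests,
    so cracking one digest reveals every account that shares it."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256 record. A fresh 16-byte random salt per user
    means identical passwords no longer share a digest, and the iteration count
    makes each guess expensive."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return algo == "pbkdf2_sha256" and hmac.compare_digest(candidate, bytes.fromhex(dk_hex))
    except ValueError:
        # Malformed record (wrong field count, bad hex, non-integer iterations).
        return False


def digests_collide(password: str, hasher: Callable[[str], str]) -> bool:
    """Store the same password for two users and report whether the stored
    records are identical: True for the unsalted scheme, False for the salted one."""
    return hasher(password) == hasher(password)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("unsalted MD5 collides across users:", digests_collide(pw, md5_unsalted))
    print("salted PBKDF2 collides across users:", digests_collide(pw, hash_password))
    rec = hash_password(pw)
    print("verify correct password:", verify_password(pw, rec))
    print("verify wrong password:  ", verify_password("password1", rec))
```

The constant-time comparison matters less than the salt and the work factor, but it is free, so there is no reason to use `==` on digests. Keep the iteration count in the record rather than in code so it can be raised later without invalidating existing users: old records keep working and get rehashed on their next successful login.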
Companies should get well acquainted with the BAD model. B is for build a well engineered system as a foundation for your platform. A is for attack as in pay a team to attack your platform. D is for defend by using the knowledge gained from finding the vulnerabilities in your own system proactively and following best practices to mitigate potential threats. Always be attacking your own security. If your platform is new or rebuilt from scratch pay an external purple team to ensure synergy between your red and blue teams. Believe it or not I am not just pulling this stuff out of my ass. These terms should be known and employed by your organization, what you save from not employing or understanding these practices may make your investors happy, but the potential losses from not educating yourself on these basic fundamentals will cost you time, money and stress in the long run.
 
7
•••
> Companies should get well acquainted with the BAD model. B is for build a well engineered system as a foundation for your platform. A is for attack as in pay a team to attack your platform. D is for defend by using the knowledge gained from finding the vulnerabilities in your own system proactively and following best practices to mitigate potential threats. Always be attacking your own security. If your platform is new or rebuilt from scratch pay an external purple team to ensure synergy between your red and blue teams. Believe it or not I am not just pulling this stuff out of my ass. These terms should be known and employed by your organization, what you save from not employing or understanding these practices may make your investors happy, but the potential losses from not educating yourself on these basic fundamentals will cost you time, money and stress in the long run.

I personally enjoy the security knowledge you share. We can argue about small details about algorithms being strong or weak, but the situation at Epik personally gave me salty tears.

If Epik had formed a competent Red Team immediately after the acquisition in 2011, the company could have gained access to the code much earlier. But hey, never underestimate the capabilities of the Blue Team of a foreign party who completely managed the codebase.

Thanks again.
 
5
•••
> I personally enjoy the security knowledge you share. We can argue about small details about algorithms being strong or weak, but the situation at Epik personally gave me salty tears.
>
> If Epik had formed a competent Red Team immediately after the acquisition in 2011, the company could have gained access to the code much earlier. But hey, never underestimate the capabilities of the Blue Team of a foreign party who completely managed the codebase.
>
> Thanks again.

This is especially scary when you consider that the registrar code is what appears to have been the door that the hackers entered through into E's server. But we have seen that other services, such as hosting, have been compromised. Can you imagine the amount of financial data, banking information, that potentially was hacked from the "epik escrow" service. In addition to data stored for auto-renewals. I don't know if anyone has found any details on that.
 
Last edited:
4
•••
For those who are interested in discussing Cyber Security in general and analyzing some of the root causes that are behind the hostile environment that we are facing in the digital World (and their connections to the real World) there is now a new thread here at NamePros at:


https://www.namepros.com/threads/humanity-and-cyber-attacks.1255328/

Thread Rules:

Everyone's opinion is appreciated, but your comments must be on topic and be on the professional, constructive, and respectful side.
 
0
•••
I am trying to give a neutral perspective from a background of preventing the collection and dissemination of sensitive information for organizations that have plenty of sensitive information and many advanced persistent threats. I am not affiliated with any organization.
 
2
•••
> For those who are interested in discussing Cyber Security in general and analyzing some of the root causes that are behind the hostile environment that we are facing in the digital World (and their connections to the real World) there is now a new thread here at NamePros at:
>
> https://www.namepros.com/threads/humanity-and-cyber-attacks.1255328/
>
> Thread Rules:
>
> Everyone's opinion is appreciated, but your comments must be on topic and be on the professional, constructive, and respectful side.
As a customer of the Swiss Bank of Domains I would think that you may want to hear what I have to say.
 
2
•••
> If this is directed at me and my comments, they have been reviewed by the bravo team mod and approved. If you don’t appreciate my comments you are free to disregard them, but I assure you they relate to this thread.

No, in no way was it directed at you.

The mods had moved some of my comments from here that were in regards to finding the root causes for the situation that has developed with the breach to another thread and I was just giving an invitation to other members who might like to discuss Cyber Security in general to visit the new thread.

Please edit your comments because you are unjustly attacking me due to a misunderstanding.

IMO
 
Last edited:
1
•••
Dear @oldtimer

It makes much more sense to discuss the security implications for Epik and their customers based on this actual data breach than to discuss cyber security in a fairly undefined other thread with "Humanity" in the title. That's a no-go for me. A renewed sales pitch for your topic is really not necessary.
 
2
•••
Back to topic. The term Advanced Persistent Threat has now been appropriately mentioned. Precisely because Rob and all Epik staff members on this forum and other forums have always been so actively sharing their personal and technical information, this may have been an important input in the reconnaissance stage, before the actual attack technically took place.

Even in this thread Rob is sharing very specific details about his personal family life. Is that really wise?

https://en.wikipedia.org/wiki/Advanced_persistent_threat
[image: Advanced_persistent_threat_lifecycle.jpg]
 
Last edited:
5
•••
> Back to topic. The term advanced persistent threats has now been appropriately mentioned. Precisely because Rob and all Epik staff members on this forum and other forums have always been so actively sharing personal and technical information, this may have been an important input in the reconnaissance stage, before the actual attack technically took place.
>
> Even in this thread Rob is sharing very specific details about his personal family life. Is that really wise?
>
> https://en.wikipedia.org/wiki/Advanced_persistent_threat
> [image: Advanced_persistent_threat_lifecycle.jpg]
My dear friend TA0003
 
1
•••
“Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.”
 
1
•••
“The future of Identity management” is a lot like the “Swiss Bank of Domains”
This will make sense to some, and is pertinent to this thread because they are both claims, made by the same company about services offered. Strongly suggest you weigh the first statement against the second and come to your own conclusions
 
2
•••