
Epik Had A Major Breach

Silentptnr
Completely destroyed Trump's new social network in two hours flat yesterday. What'd I miss?

Probably highly on-topic in this Epik thread for two reasons. Thanks for informing.
 
You court very dangerous behavior and dialogue. Eventually something bad is going to happen, directly or indirectly.

Dangerous dialog!! Oh my. The best defense against bad speech is good speech. Let people be known for their stupid ideas by contrasting them with good ideas.

I call breaking into a company, stealing their IP, exposing the private information of thousands of people bad.
 
Thanks to Robert Monster spilling unnecessary information in the Q&A it's very easy to ID the head of the South African cybersecurity team.
Loose lips sink ships. A live stream prayer meeting, throwing clients and vendors under the bus is like pushing women and children out of the way to save yourself from the Titanic.
 

Attachment: 96063778-6BAC-4592-A571-69C9B287C872.jpeg
Do you have any indications that other tracks besides this are being erased or modified at the moment?

No, but I didn't actively look for it either. This discovery that Rob Monster previously appeared as a partner on We Can Develop It was made by a hacker, the same hacker who discovered a drive-by attack bug on Epik's website and was ignored.
 
Dangerous dialog!! Oh my. The best defense against bad speech is good speech. Let people be known for their stupid ideas by contrasting them with good ideas.

I call breaking into a company, stealing their IP, exposing the private information of thousands of people bad.
What companies do you run? I'd love to provide a complimentary surprise pentest.
 
No, but I didn't actively look for it either. This discovery that Rob Monster previously appeared as a partner on We Can Develop It was made by a hacker, the same hacker who discovered a drive-by attack bug on Epik's website and was ignored.

Was that before or after the bug bounty program started @ Epik?
 
It just dawned on me: Rob Monster lied about already having a bug bounty program during the prayer meeting. The latest update states they launched such a program on Oct 7.

Lies. Constant lies.

For liability reasons, it is essential to provide full details of such a program on all relevant Epik websites (including the Epik Labs websites). Why? Because you can't simply rely on what was said in a video meeting or on this forum, even if it was said by the CEO of Epik, who is quite a talker but not always substantive.

https://en.wikipedia.org/wiki/Responsible_disclosure

(image: 51f1bCbnrAL._SX328_BO1,204,203,200_.jpg)
 
Just received this message. We already knew about We Can Develop IT having a version where Epik's name and address were used, but the other ones seem like new info:

"Hi Fernando, I'd join this conversation, but I don't feel like creating an account there. Feel free to post this info, without attribution to me, if it's worthwhile...

We Can Develop IT also had a version where Epik's name and address are used:
https://web.archive.org/web/20210306071034/https://wecandevelopit.com/

Kennen created Offshore Creations under his brother's name. This is part of the origins of We Can Develop IT and/or PilgrimCS, since Vitaliy Opryshko was part of all 3 companies. At least in the US.
https://www.sos.state.co.us/biz/Bus...21094430&entityId2=20021094430&srchTyp=ENTITY

Also, does this mean anything to the domainer community? Kennen Palm formed "Domain Names International" with Denis Markov of Intersolved, Inc.
https://www.sos.state.co.us/biz/Bus...91375512&entityId2=20091375512&srchTyp=ENTITY"
 
Just here to say that it's gnarly to see my book quoted. A friend just told me about it :)

I can speak on this subject - Rob Monster was asked if he had a Bug Bounty program, to which he declined to respond. I looked at all of the common places for a BBP to be hosted by Epik, but found no results. Additionally, I did not see results for a Vulnerability Disclosure Program either.

intext:"bug bounty" epik(.)com
intext:"vulnerability disclosure program" epik(.)com
intext:"vdp" epik(.)com
epik(.)com/security(.)txt (404 not found)
intext:"report a vulnerability" epik(.)com

Not exactly sure where he's running a bug bounty program and based on past interactions with him, including asking about SDLC processes and receiving the response of "I don't know what that is", I have little faith in his ability to run a program in a responsible manner.

My presumption would be that he would operate a private program (which is good); however, he would probably self-host it. Considering he doesn't know the first thing about what constitutes a data breach, I won't hesitate to say that his BBP [if he has indeed started one] will be miserable for hackers. If he can't understand basic PCI-DSS and GDPR regulations, how could one expect him to understand complex vulnerabilities?

Not maintaining a basic security point of contact is one of the easiest ways to end up with unpatched vulnerabilities sprayed all over the web. On the "contact" page - there's not even a basic POC listed for a security team - which is likely because they don't have one.
 
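The post above checks for a published security point of contact, including a security.txt file. The following is an added example (not code from the poster, the thread, or Epik) of the defender-side half of that check: a small validator for the security.txt format defined in RFC 9116, which requires at least one Contact field and exactly one Expires field that is still in the future, and requires web contact URIs to use https. The two sample files and the fixed "now" are constructed; fetch_security_txt assumes the file is served at /.well-known/security.txt over HTTPS, as the RFC specifies.

```python
"""RFC 9116 security.txt checker (added example; sample inputs are constructed)."""
import re
import urllib.request
from datetime import datetime, timezone

REQUIRED_ANY = ("Contact",)      # must appear at least once
REQUIRED_SINGLE = ("Expires",)   # must appear exactly once
KNOWN_FIELDS = {"Contact", "Expires", "Encryption", "Acknowledgments",
                "Preferred-Languages", "Canonical", "Policy", "Hiring", "CSAF"}
URI_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")

# Constructed sample: acceptable file (relative to the fixed date used in check()).
GOOD = """# Constructed sample security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security
Expires: 2023-01-01T00:00:00Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample: cleartext contact URL and a duplicated Expires field.
BAD = """Contact: http://example.com/report
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
"""

def parse_security_txt(body):
    """Map each field name to its list of values; comments and blank lines are skipped."""
    fields = {}
    for lineno, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'Field: value' line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def check_security_txt(body, now=None):
    """Return a list of problems; an empty list means the file passes the checks."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(body)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for name in REQUIRED_ANY:
        if not fields.get(name):
            problems.append(f"missing required field: {name}")
    for name in REQUIRED_SINGLE:
        count = len(fields.get(name, []))
        if count != 1:
            problems.append(f"field {name} must appear exactly once (found {count})")
    for value in fields.get("Contact", []):
        if not URI_SCHEME.match(value):
            problems.append(f"Contact is not a URI: {value}")
        elif value.lower().startswith("http://"):
            problems.append(f"Contact web URI must use https, not http: {value}")
    if len(fields.get("Expires", [])) == 1:
        raw = fields["Expires"][0]
        try:
            # fromisoformat() on older Pythons does not accept a trailing 'Z'.
            expires = datetime.fromisoformat(raw.replace("Z", "+00:00"))
            if expires <= now:
                problems.append(f"Expires is in the past: {raw}")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {raw}")
    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field (not in RFC 9116): {name}")
    return problems

def fetch_security_txt(domain, timeout=10):
    """Fetch the RFC 9116 location for a domain you operate; returns None on HTTP error."""
    url = f"https://{domain}/.well-known/security.txt"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError:
        return None   # e.g. the 404 the post above describes

if __name__ == "__main__":
    fixed_now = datetime(2022, 1, 1, tzinfo=timezone.utc)   # constructed reference date
    print("GOOD:", check_security_txt(GOOD, fixed_now))
    print("BAD: ", check_security_txt(BAD, fixed_now))
```

Run it against your own domain with `check_security_txt(fetch_security_txt("your-domain.example"))`; a `None` result is the missing point of contact the post is talking about, and a non-empty problem list means the file exists but will not be trusted by tooling that follows the RFC (an expired Expires is the most common real-world failure).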
Was that before or after the bug bounty program started @ Epik?

I think it was before; it was mentioned here by Finite Crystal:

another Twitter user found at least a couple really horrible flaws, at least one of which still allowed drive-by XSS attacks on the current version of Epik's site(!!!) Epik blocked that person from logging into their bug reporting system, indicating that they still don't give a shit about security.
 
Just to give an idea of how the Epik hack looks to me, example below.

I personally don't like many Wikipedia articles, so now I must go pay some hackers and delete/edit those pages to my own liking, or I will negotiate with them what they should publish on their website.

For the info, I have websites that are like hungry dogs; if I publish them today, Wikipedia will be at the bottom of the bottoms with their lefty fairy tale agendas.

P.S. Thanks to the mods for unlocking me to voice my opinions!
 
Just here to say that it's gnarly to see my book quoted. A friend just told me about it :)

I can speak on this subject - Rob Monster was asked if he had a Bug Bounty program, to which he declined to respond. I looked at all of the common places for a BBP to be hosted by Epik, but found no results. Additionally, I did not see results for a Vulnerability Disclosure Program either.

intext:"bug bounty" epik(.)com
intext:"vulnerability disclosure program" epik(.)com
intext:"vdp" epik(.)com
epik(.)com/security(.)txt (404 not found)
intext:"report a vulnerability" epik(.)com

Not exactly sure where he's running a bug bounty program and based on past interactions with him, including asking about SDLC processes and receiving the response of "I don't know what that is", I have little faith in his ability to run a program in a responsible manner.

My presumption would be that he would operate a private program (which is good); however, he would probably self-host it. Considering he doesn't know the first thing about what constitutes a data breach, I won't hesitate to say that his BBP [if he has indeed started one] will be miserable for hackers. If he can't understand basic PCI-DSS and GDPR regulations, how could one expect him to understand complex vulnerabilities?

Not maintaining a basic security point of contact is one of the easiest ways to end up with unpatched vulnerabilities sprayed all over the web. On the "contact" page - there's not even a basic POC listed for a security team - which is likely because they don't have one.

Welcome! Looking forward to reading your new book soon. Send me two, and I will donate one to Epik.
 
Welcome! Looking forward to reading your new book soon. Send me two, and I will donate one to Epik.
Thanks again.

Rob Monster would not read this book if his life depended on it. He can fix this situation if he wanted to (which, as it currently appears, he does not).
 
It's impressive how people are treated differently when they don't talk like a baby.

If you are in this thread long enough and paying attention you will know what I'm referring to.
 
It's impressive how people are treated differently when they don't talk like a baby.

If you are in this thread long enough and paying attention you will know what I'm referring to.

I'm already trying to give 141 pages of substantive advice here, at the expense of my domain work. You could bundle them together, then you have a book. The prestige of this industry is at stake when the self-proclaimed ombudsman of domain investors, who is also CEO of Epik, continues to fail to respond. The deeply felt will to really change for once (a 'reform' as @oldtimer called it earlier) must arise at Epik at some point.
 
It's impressive how people are treated differently when they don't talk like a baby.

If you are in this thread long enough and paying attention you will know what I'm referring to.
First and foremost, I live for the troll UwU

In all seriousness though, how many hackers, forensic analysts, journalists, engineers, and other individuals working in contingent fields will it take for Mr. Monster to respond like an adult and run through the necessary steps and resolution processes?

It wasn't just social media related websites affected. That's a gigantic part of the issue.
 
Not exactly sure where he's running a bug bounty program and based on past interactions with him, including asking about SDLC processes and receiving the response of "I don't know what that is", I have little faith in his ability to run a program in a responsible manner.

My presumption would be that he would operate a private program (which is good) however, he would probably self-host it. Considering he doesn't know the first thing about what constitutes a data breach, I won't hesitate to say that his BBP [if he has indeed started one] will be miserable for hackers. If he can't understand basic PCI-DSS and GDPR regulations, how could one expect him to understand complex vulnerabilities?

I also suspected he would self-host this program, since Epik seems to be pretty keen on at least whitelabeling if not DIYing everything. But apparently they are going through BugCrowd: https://www.namepros.com/threads/epik-had-a-major-breach.1252094/page-107#post-8419504

Congratulations on the book, by the way, John! Well-timed. I suspect there are more than a few people trying to brush up on their cybersecurity after the past few months.
 
I'm not going to lie, this is probably Monster's best move yet. Bugcrowd and leadership are a powerhouse of both the Vulnerability Disclosure and Bug Bounty Spaces. If they work with BC long enough, their vulnerability resolution processes will improve astronomically. Glad to hear that Hackerone did not respond, or this situation would worsen.
@Molly White
 
Building from scratch seems to be another option.
 
Are your ideas so weak you can't defend them without violence?
Every day, I wake up, and I choose violence.
 
Building from scratch seems to be another option.
It is, although I specifically recommend against this for many reasons. Primarily because self-hosted programs don't include a dedicated triage team of people who deal with bugs all day and understand all of the various classifications of vulnerabilities. Liability and mediation also fall directly on the company; I don't recommend it unless the company is willing to hire a dedicated validation team, preferably made up of both hackers and application security engineers.
 
You're asking a lot from their development team. But I agree.
 