Epik Had A Major Breach

Are your ideas so weak you can't defend them without violence?
Every day, I wake up, and I choose violence.
 
Building from scratch seems to be another option.
It is, although I specifically recommend against this for many reasons, primarily because self-hosted programs don't include a dedicated triage team of people who deal with bugs all day and understand all of the various classifications of vulnerabilities. Liability and mediation also fall directly on the company. I don't recommend it unless the company is willing to hire a dedicated validation team, preferably made up of both hackers and application security engineers.
 
You're asking a lot from their development team. But I agree.
 
For liability reasons, it is essential to provide full details of such a program on all relevant Epik websites (including the Epik Labs websites). Why? Because you can't simply rely on what was said in a video meeting or on this forum, even if it was said by the CEO of Epik, who is quite a talker but not always substantive.

https://en.wikipedia.org/wiki/Responsible_disclosure

This is a great read.
 
BugCrowd has the experience and is used to working with foreign developers like the dedicated team over at We Can Develop IT.
 
@johnjhacking Now you're here, virtually that is, what's your professional opinion on the elite guys from Cybermarks?
 
@johnjhacking Now you're here, virtually that is, what's your professional opinion on the elite guys from Cybermarks?
Do you have any references? I haven't particularly been keeping up with every single bit of this conversation. I'm going to need my memory jogged on that name.
 
Do you have any references? I haven't particularly been keeping up with every single bit of this conversation. I'm going to need my memory jogged on that name.

It's the newly formed security company at Epik. Discussed in the Monster video and the last few pages in this thread. Enjoy. Your professional opinion is welcome. They are elite guys.
 
"Monster: I’m there! We already have a bug bounty program. So if you find stuff that’s weakly executed…

Jackson: …what?

High Fidelity: You have a bug bounty program?

Monster: We do!

Jackson: Where?

Monster: So right now it’s just an email, but we also are… [email protected] But what we are also doing, we actually have a software team… We have a cybersecurity team, believe it or not.

Unidentified SC3:02:39: You should fire them.

Unidentified: [laughing]

Jackson: Yes. Yes yes yes.

Monster: I’m telling you! We’ve just hired and assembled a team. A crack team from South Africa.

Jackson, SC3:02:53: From South Africa?? You guys are gonna get popped again! Their government just got fucking ransomwared!

[crosstalk]"
 
@johnjhacking We have a problem!

I was talking about rebuilding the entire company codebase from scratch, while your answer was probably about self-hosting or outsourcing their Bug Bounty program. Is that correct?

ref: [screenshot attachment, uploaded 2021-10-22]
 
Right, I forgot about that. Thanks for the reminder. Yes, they most certainly need a new security team, or a shift in focus, which it sounds like they are doing. When he said "crack team" he must mean it literally because... well, do the math.

Yes, an email distro that's not publicly facing. Where are users supposed to find that? Contact the company each time an issue is identified? It's not sustainable. @FernandoBMS
 
Could someone technically inclined please make a list of all the specific things that Monster/Epik did and didn't do that they should have done? E.g. saving failed login attempts in clear text or at all, saving credit card details on their own server. Perhaps in order from most to least egregious.
 
Just to give an idea of how the Epik hack looks to me, example below.

I personally don't like many Wikipedia articles, so now I must go pay some hackers to delete/edit those pages as I see fit, or I will negotiate with them what they should publish on their website.

For the info, I have websites that are like hungry dogs; if I publish them today, Wikipedia will be at the bottom of the bottoms with their lefty fairy tale agendas.

P.S. Thanks to the mods for unlocking me to voice my opinions!

Hi @iTesla

I understand that there is some content on Wikipedia that is not to your liking and you want to see it changed. But what do you mean by 'pay some hackers' in relation to Wikipedia? For what services are you paying hackers?
 
I personally don't like many Wikipedia articles, so now I must go pay some hackers to delete/edit those pages as I see fit, or I will negotiate with them what they should publish on their website.

It sounds like you are being scammed.
 
As for you accusing me of gloating simply because I agreed to a post by @Kirtaner, that is simply outrageous. The hack did reveal gross negligence by the company, exposed to customers and potential customers how poorly their data was being protected, the type of personal data stored, and how it was being stored, and alerted non-customers that their data was being harvested as well, hopefully forcing Epik to do something about it. The datasets were released because RM at first denied it and later downplayed it. If I am mistaken in the timeline, someone who knows better can correct me.

The question is, would you want to continue having your information exposed to anyone for years to come, including state players? Or a terrorist group, or someone who hides the fact that the data was hacked so they can have unlimited time to exploit your finances and steal your identity? At least people have the opportunity to cancel their credit cards and change logins. It would have been much, much worse at some point.
 