
Epik Had A Major Breach


The views expressed on this page by users and staff are their own, not those of NamePros.
The bugcrowd thing is cool, but this thing could have been averted, or at least marginally delayed, if people had listened to the vulns that were presented. No amount of duct tape will salvage that Zend shanty.
 
And brand loyalty is cool, but it means nothing when the brand you are defending is throwing you under the bus and you just keep on dusting yourself off and deflecting blame. People on this thread keep repeating the mantra about how the researchers and security professionals don't know the complex world of domains, which is a dangerous assumption to make when they clearly know enough to point domains to hugs for cats and exploit shitty Mastodon forks in little to no time, but alas, "Never correct your enemy while they are making an error."
 
See how far the "But the hackers" mindset gets you. The people making this argument are NOT the law enforcement that will comb through this data, and they definitely do not have any idea of the way in which this breach will be prosecuted, so they should just sit back and keep their commentary locked far away in their narrow minds.
 
I just want to let you know how I'm feeling. We know the game and we're gonna play it.
 
All technical talk aside. At this point, with so much data leaked in several batches, I think social engineering has become a serious problem for employees that must be guarded against. (This should be best practice already.) Not only the data of customers, but at least as much data of administrators, employees and ambassadors has been published: metadata, administrator IP addresses, and probably a lot more than I can even think of.
 
And stop taking pictures of your server racks with petabytes of storage claiming that is #bigdata; it only serves to further show a clear misunderstanding of the situation and allows people to know what you are packing. Cool, for less than 15 grand you can pick up some used ThunderBay 8s and call yourself #bigdata, but that does not secure anything if you don't know WTF you are doing.
 
@Evil.dll Lower your blood pressure and use less salt.
 
I have seen yottabytes of storage on 34.82 acres of land with 1.5 million square feet of sensitive data that has yet to be breached, and I am under no delusion that this means it is completely secure.
 
I wonder who is going to use MaxMind now that their risk score factors were exposed in plaintext

[image attached to the quoted post]

Not all readers know what this actually means, as this has not traditionally been a security forum.

@Jona4s is referring to the following service:

https://www.maxmind.com/en/solutions/minfraud-services

minFraud Web Services
minFraud is a data return service that helps businesses prevent online fraud by providing risk scoring and risk data related to online transactions. Learn more about whether the minFraud service is right for your organization.
 
Epik is also mentioned in the article referenced in the tweet:

"The group behind the leak was Distributed Denial of Secrets, a collective of journalists and transparency advocates. Founded in 2018 by journalist Emma Best and an anonymous partner known as The Architect, DDoSecrets has quietly been one of the most effective organizations at bringing information powerful organizations want to keep hidden into the light. Since the BlueLeaks drop last June, DDoSecrets has published more juicy contraband, including videos, photos, posts, and direct messages scraped from far-right social media sites Gab and Parler in the wake of the Jan. 6 insurrection attempt. In the last few weeks, the organization has hosted a mirror of data from Epik, an internet services company that has been utilized by far-right and white supremacist groups, and has published emails, chat logs, and member and donor lists from the Oath Keepers, a far-right militia group involved in the Jan. 6 insurrection attempt."

"The hackers who claim to be behind the release of data from far-right web host Epik identify themselves with the name Hackers on Estradiol, a reference to a hormone therapy utilized by trans women."
 
I wonder who is going to use MaxMind now that their risk score factors were exposed in plaintext

[image attached to the quoted post]

This stored data could actually help a lot during investigations, as the MaxMind minFraud system takes a lot of variables into account. Having a look at the indicators combined with the orders is a goldmine for LEA and will help them to better focus on a certain group of customers while excluding others.
 
You may be king rich of domain speculation, but that means nothing in my world.

This still keeps me thinking, because it didn't come with the recommended grain of salt.

Yes I know I'm an emo guy :unsure:
 
The irony is that he is extorting businesses to pay a +10000% price for what costs $7.

But he has the morals to call security professionals criminals.
 
This still keeps me thinking, because it didn't come with the recommended grain of salt.

Yes I know I'm an emo guy :unsure:
That salt was thrown over the shoulder onto a blossoming field of passwords and credit card info. It was a large and supple handful.
 
I will argue hackers are immune to patches submitted via bug bounty programs.

It discourages script kiddies and botnet scanners hammering an origin, but application-level vulnerabilities are rarely the cause of an entire system being rooted, as it was with Epik.

As jonh said, it is a matter of competent engineers and security experts.

Btw, thanks Rob for offering me a bounty, which I won't take. Unless you start taking security seriously by announcing you have rebuilt your entire codebase and are not relying on "remote PHP developers" to power Epik, I honestly think you are doomed.


Kirt gave you honest advice; listen to the part about "rebuild". A broken technology is a broken technology, and no patch and no team will fix it.

This stuff means Epik is persisting in using remote PHP devs. Zend cannot be patched, but well, time will tell if your technical debt is really irreversible.


PHP, WordPress, alright. That's not how you play the game; that's why you are losing.
Zend is lit.
 
The problems of using too little salt are well known by now. A common problem with too much salt is that the salt itself will become the problem. For example, if you have a small piece of land with a vulnerable crop, salt can get in the way of a continuous exchange of new insights and ideas. The correct dosage is important. I like the blossom analogy, not the boutique one.
 
The periodic poll for forum members' favorite domain registrar is up and running again in another thread. Epik still scores high in the provisional standings, but slightly less than in the previous poll. There remains a loyal following, as is the case with a number of other favorite registrars among domainers. In terms of the number of domains under management (DUM), the CEO of Epik has indicated that more domains have been added since the data breach. Others argue that Epik has never lost 1 domain. I personally think the daily threads on this forum provide much more detailed insight into the quality of a registrar, it is extremely difficult to properly grasp the sentiment based on a periodic poll for several reasons, but we can agree that the outcome is important because it can be used in marketing.

https://en.wikipedia.org/wiki/Jelle's_Marble_Runs
 
That salt was thrown over the shoulder onto a blossoming field of passwords and credit card info. It was a large and supple handful.

[animated image attached to the post]
 