
Epik May Have Had A Major Breach

Labeled as alert in Warnings and Alerts, started by Silentptnr, Sep 14, 2021 at 6:17 PM

Replies:
446
Views:
23,491

  1. Mister Funsky

    Mister Funsky Top Contributor VIP

    Posts:
    5,560
    Likes Received:
    21,381
    Well, it is clear something happened and I'm sure we will know shortly if it was anything significant...as of now, everything is operating as usual.

    Now would be a time to change PIN and password, just in case the fruitcakes were able to get some of that information.

    This type of event is just part of existing in a digital world...hacks, attempted hacks and system overloads are part of daily business. I'm sure Epik will take the appropriate steps.

    The 'story' will come out eventually as to what happened and if any damage occurred. I will continue to operate as usual buying and selling on Epik.
     
  2. eternaldomains

    eternaldomains Established Member

    Posts:
    441
    Likes Received:
    229
    So, isn't this like, FederatedIdentity.com is the 3rd party, and then Epik.com stores pw in plaintext so that FederatedIdentity.com can authenticate it? And if that's the case, aren't all those Google+FB logins on unrelated websites extremely dangerous?
     
  3. Jurgen Wolf

    Jurgen Wolf Top Contributor VIP ★★★★★★★★★★

    Posts:
    11,712
    Likes Received:
    10,376
    What are real roots (motivation) of these attacks?
    Competitors, discrimination, Trumpism etc. or what?
    Epik must consider it firstly.
     
  4. Paul

    Paul CTO, NamePros CTO VIP Gold Account

    Posts:
    2,058
    Likes Received:
    3,499
    Yes, and there's going to be no shortage of people pointing it out. So far, I've only looked at the data for Anonymize; it's possible that passwords for other services are using something better.

    That being said, all hashing is just designed to buy time. Even if they were using bcrypt or argon2, the passwords would get out eventually. People should be changing their passwords regardless.

    The biggest challenge for them in the near-term is going to be locking everything down. Again, I've only glanced at the data, but they appear to have a massive attack surface with a lot of moving parts. I suspect there's no shortage of holes, and there are going to be quite a few people combing through the dataset looking for additional vulnerabilities.

    To give you an example, NamePros processes payments through Stripe. In order to authenticate with Stripe, a third-party service, NamePros needs to store a password in plaintext--not your password, just a password, one provided to us by Stripe. There's no way around that.

    I don't know what the plaintext passwords I saw were intended to be used for, but there weren't many of them. The user accounts were using MD5 (which might as well be plaintext).

    Nobody is going to know until it lands in court. It's also by far the least important aspect of their immediate response, since their priorities should be securing their infrastructure and notifying affected parties.
     
    Last edited: Sep 15, 2021 at 1:38 PM
  5. LOLed

    LOLed Established Member

    Posts:
    246
    Likes Received:
    665
    What else do you suggest for password encryption, if not MD5 with salt? Isn't it impossible to decrypt if they use a random and strong key?

    Edited
     
    Last edited: Sep 15, 2021 at 1:33 PM
  6. Jurgen Wolf

    Jurgen Wolf Top Contributor VIP ★★★★★★★★★★

    Posts:
    11,712
    Likes Received:
    10,376
    Then why superbuggy Dynadot is not hacked???
     
  7. Paul

    Paul CTO, NamePros CTO VIP Gold Account

    Posts:
    2,058
    Likes Received:
    3,499
    Salted MD5 is not and will never be sufficient. It's entirely possible to crack. (Edit: The passwords I've seen so far in the breach did not appear to be salted anyway.)

    Don't try to roll your own crypto. If you're working with PHP, use password_hash and password_verify--as of writing, those will use bcrypt or argon2, both of which are acceptable. If you're working with a different technology, consult the industry best practices. Do not try to come up with your own scheme.
     
    Last edited: Sep 15, 2021 at 1:36 PM
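
Added example, not part of the thread or any poster's code: the `password_hash` / `password_verify` advice in the post above, applied to accounts whose stored value is still an unsalted MD5 digest. The function name `verify_and_upgrade` and the sample record are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample record: a legacy account whose password column holds an
// unsalted MD5 hex digest (hypothetical schema: ['hash' => string]).
$user = ['hash' => md5('correct horse battery staple')];

/**
 * Check a login attempt and upgrade the stored hash when needed.
 * Returns [bool $ok, string $hashToStore].
 */
function verify_and_upgrade(string $password, string $stored): array
{
    // 32 hex characters means a legacy MD5 digest, not a password_hash() string.
    if (preg_match('/^[0-9a-f]{32}$/i', $stored) === 1) {
        // hash_equals() compares in constant time.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return [false, $stored];
        }
        // Correct password: replace the MD5 digest with a salted, slow hash.
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }

    if (!password_verify($password, $stored)) {
        return [false, $stored];
    }
    // Re-hash if PASSWORD_DEFAULT or its cost changed since this hash was made.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = password_hash($password, PASSWORD_DEFAULT);
    }
    return [true, $stored];
}

// First login with the right password: succeeds and the record is upgraded.
[$ok, $user['hash']] = verify_and_upgrade('correct horse battery staple', $user['hash']);
var_dump($ok);
var_dump(password_get_info($user['hash'])['algoName']);

// A wrong password against the upgraded record is rejected.
[$ok2] = verify_and_upgrade('wrong guess', $user['hash']);
var_dump($ok2);
```

Accounts that never log in again keep their MD5 digest under this scheme, so they still need a forced reset or similar.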
  8. Paul

    Paul CTO, NamePros CTO VIP Gold Account

    Posts:
    2,058
    Likes Received:
    3,499
    Buggy doesn't necessarily mean insecure. All websites get hacked eventually, though.
     
  9. Jurgen Wolf

    Jurgen Wolf Top Contributor VIP ★★★★★★★★★★

    Posts:
    11,712
    Likes Received:
    10,376
    Dynadot is not even 10% of the traditional hype around Epik...
    That's why they live without such adventures.
     
  10. eternaldomains

    eternaldomains Established Member

    Posts:
    441
    Likes Received:
    229
    No reason for hack. No politics, no price hold. Lack of CEO presence. Almost like a normal nobody in people's eyes if you ask me.
     
  11. johnn

    johnn WeSellName.com PRO VIP ★★★★★★★★★★

    Posts:
    17,608
    Likes Received:
    7,742
    There is a big difference between hacking and a DDoS attack.
     
  12. Windoms

    Windoms Top Contributor VIP

    Posts:
    982
    Likes Received:
    1,681
    "Map out a decade of online fash with a level of clarity nobody has been able to until now."
    "This dataset is all that's needed to trace actual ownership and management of the fascist side of the internet that has eluded researchers, activists, and well, just about everybody. And maybe have a little extra fun. For the lulz."

    Some people are in very hot water.
     
  13. eternaldomains

    eternaldomains Established Member

    Posts:
    441
    Likes Received:
    229
    More bad news coming, just got a newly regged name 'sold' on SH wholesale market and now buyer wants auth code. Goddammit. I even priced it higher than usual thinking it might not be sold and now this happens. What the hell am I gonna do?
     
  14. Digital Kush

    Digital Kush Restricted (15-30%)

    Posts:
    877
    Likes Received:
    78
    This is really hectic 😨
    Can we have best registrars to keep our Domains safe. For crypto we have nano ledger etc. or keep private keys...
    Any best solution for keeping Domains safe?
     
    Last edited: Sep 15, 2021 at 1:53 PM
  15. Jurgen Wolf

    Jurgen Wolf Top Contributor VIP ★★★★★★★★★★

    Posts:
    11,712
    Likes Received:
    10,376
    Last edited: Sep 15, 2021 at 2:15 PM
  16. Jurgen Wolf

    Jurgen Wolf Top Contributor VIP ★★★★★★★★★★

    Posts:
    11,712
    Likes Received:
    10,376
    MarkMonitor.
     
    Last edited: Sep 15, 2021 at 2:20 PM
  17. jhm

    jhm Glazed

    Posts:
    2,991
    Likes Received:
    3,997
    When certain hackers are all about freedom / anti-establishment, I can ride along with that to some degree. The compromising of people, putting their stuff at risk, invading privacy ...not so much
     
    Last edited: Sep 15, 2021 at 5:24 PM
  18. cbd

    cbd Top Contributor VIP Gold Account

    Posts:
    2,274
    Likes Received:
    1,045
    Personally, I'm going to de-list my ~10 domains that are transfer-locked at Epik until I have the ability to move them out. Sadly I transferred them there recently to save a buck.
     
  19. Paul

    Paul CTO, NamePros CTO VIP Gold Account

    Posts:
    2,058
    Likes Received:
    3,499
    Everyone gets hacked eventually, and MarkMonitor is no exception. Their situation wasn't as bad as Epik's appears to be, but it was still a blunder.

    We're just going to see more and more of these issues as time goes on.
     
    Last edited: Sep 15, 2021 at 2:22 PM
  20. Jurgen Wolf

    Jurgen Wolf Top Contributor VIP ★★★★★★★★★★

    Posts:
    11,712
    Likes Received:
    10,376
    Last edited: Sep 15, 2021 at 2:34 PM
  21. eternaldomains

    eternaldomains Established Member

    Posts:
    441
    Likes Received:
    229
    Wow, and this news is this month. To think someone had a chance to use coinbase to phish for bitcoins, or google to mess with everything.... ridiculous.
     
  22. br1ll1on

    br1ll1on Established Member

    Posts:
    160
    Likes Received:
    179
    You're right, but nothing is more disappointing and annoying than their silence. This is where you alert your users and ensure they take measures to avoid further damage, like losing their domains (I'm pretty sure not everyone using Epik knows about this yet).
     
  23. Silentptnr

    Silentptnr David George VIP

    Posts:
    16,678
    Likes Received:
    48,107
     
  24. Paul

    Paul CTO, NamePros CTO VIP Gold Account

    Posts:
    2,058
    Likes Received:
    3,499
    Given a large enough attack surface and a sufficient supply of nefarious individuals, someone somewhere will eventually find a reason to hack anything. Let the courts get to the bottom of that; there's no point in speculating.

    Otherwise, this is just going to turn into an unproductive flame war with one side claiming Epik had it coming and the other claiming it's a false flag operation, with both sides offering no evidence beyond a hunch.

    There appears to be a lot of data here, and it's going to take researchers quite a while to get through it all, myself included. All that's known thus far is that you should change your passwords. I know everyone is eager to point fingers, but we just don't have the information we need to come to educated conclusions yet.

    Perhaps, but right now they're probably stuck trying to lock everything down and figure out what happened. Most sites can be taken offline during incident response; registrars don't really have that luxury. I'm sure there are plenty of frustrated people running on nothing but caffeine and anxiety right now.

    Let's all learn from this: plan for breaches now; don't improvise as you go. Every website gets hacked. If you run a website and haven't already planned for that inevitability, now is the time to start so you're not fumbling in-the-moment.
     
  25. Lox

    Lox _____ VIP

    Posts:
    3,706
    Likes Received:
    6,657
