What customers and other registrars should do to protect themselves until we know more.
Domain name registrar Epik was hacked this week, and the hackers published reams of data online.
A group saying it’s aligned with the hacker collective Anonymous posted a release about the hack earlier this week. It says the reason for the attack is that Epik caters to far-right and extremist websites. After Epik seemed to waffle on whether there was a hack, the hackers made it public on Epik’s website itself.
The hackers published the data dump online, and security researchers are starting to comb through the data to see what was leaked.
Various sources have confirmed that the data includes registrant details behind many of the domains registered at Epik using Whois privacy. Both The Daily Dot and The Record have spoken with people whose data was released and confirmed that they were the registrants of the corresponding domain names.
A security engineer told The Daily Dot that the data includes the auth codes required to transfer domains to another registrar. It’s unclear if this data is tied to individual domains. This same engineer told The Daily Dot that the data includes WordPress admin passwords that people could use to take over Epik customers’ websites; I’m surprised by this because I wasn’t aware that these passwords were stored in any way that could be tied to a host.
The net-net is that we don’t know the full extent of the damage yet, but it looks bad.
This gets to how both Epik customers and other domain registrars can protect themselves and domain registrants.
At this point, Epik customers should hope for the best but plan for the worst. Work on the assumption that your passwords have been exposed: if you reuse an Epik password at other sites (which you shouldn’t), change it everywhere to something unique, and turn on two-factor authentication wherever it’s offered. For safety’s sake, also assume that attackers have what’s needed to initiate a registrar transfer. Check that the registrar lock (the clientTransferProhibited status shown in WHOIS or RDAP) is set on each domain; a leaked auth code alone can’t move a locked domain, but anyone holding your account password can remove the lock, so the lock is not a substitute for watching the domain. With this in mind, I recommend domain owners use a system that tracks domain changes. DomainIQ and DomainTools offer trackers for this.
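As an added example (not code from Domain Name Wire, Epik, or either tracking vendor), here is the kind of change tracking recommended above, done by hand against a domain’s public RDAP record: take a snapshot of the registrar, nameservers and EPP status codes, then diff each new record against the saved baseline and alert on a registrar change, a nameserver change, or the removal of a protective status. The RDAP response embedded below is constructed to show a domain that was unlocked and transferred away; the domain and registrar names are placeholders, and `fetch_rdap()` with the rdap.org redirector it uses is an assumption about your environment.

```python
"""Baseline-and-diff monitor for registrar-level domain changes.

Added example, not code from Domain Name Wire, Epik, or any tracking vendor.
Standard library only. It runs here against a constructed RDAP response
(SAMPLE_CURRENT); fetch_rdap() shows how to pull a live record through the
public rdap.org redirector, which is an assumption about your environment.
"""
import json
import urllib.request

# Statuses whose removal is the usual precursor to a hijack: with
# clientTransferProhibited set, a stolen auth code alone cannot move the
# domain. RDAP (RFC 9083) spells EPP status codes in lowercase with spaces.
PROTECTIVE_STATUSES = {
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
}


def fetch_rdap(domain: str, timeout: float = 10.0) -> dict:
    """Fetch a domain's RDAP record via rdap.org (assumed reachable; not used offline)."""
    req = urllib.request.Request(
        f"https://rdap.org/domain/{domain}",
        headers={"Accept": "application/rdap+json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def snapshot(rdap: dict) -> dict:
    """Reduce an RDAP domain object to the three fields worth alerting on."""
    registrar = None
    for entity in rdap.get("entities", []):
        if "registrar" in entity.get("roles", []):
            # jCard layout: ["vcard", [[name, params, type, value], ...]];
            # the "fn" property carries the registrar's display name.
            for prop in entity.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    registrar = prop[3]
    return {
        "registrar": registrar,
        "nameservers": sorted(ns.get("ldhName", "").lower() for ns in rdap.get("nameservers", [])),
        "statuses": sorted(rdap.get("status", [])),
    }


def diff_snapshots(baseline: dict, current: dict) -> list:
    """Return one human-readable alert per change a domain owner should act on."""
    alerts = []
    if baseline["registrar"] != current["registrar"]:
        alerts.append(f"registrar changed: {baseline['registrar']!r} -> {current['registrar']!r}")
    if baseline["nameservers"] != current["nameservers"]:
        alerts.append(f"nameservers changed: {baseline['nameservers']} -> {current['nameservers']}")
    removed = (PROTECTIVE_STATUSES & set(baseline["statuses"])) - set(current["statuses"])
    for status in sorted(removed):
        alerts.append(f"protective status removed: {status}")
    return alerts


def check(baseline: dict, rdap: dict) -> list:
    """Snapshot a fresh RDAP record and diff it against the stored baseline."""
    return diff_snapshots(baseline, snapshot(rdap))


# Constructed sample data: the baseline saved while the owner controlled the
# domain, and a later RDAP record after an attacker unlocked and transferred it.
BASELINE = {
    "registrar": "Old Registrar LLC",
    "nameservers": ["ns1.example.net", "ns2.example.net"],
    "statuses": ["client delete prohibited", "client transfer prohibited", "client update prohibited"],
}
SAMPLE_CURRENT = {
    "objectClassName": "domain",
    "ldhName": "EXAMPLE.COM",
    "status": ["client delete prohibited"],
    "nameservers": [{"ldhName": "NS1.ATTACKER-DNS.EXAMPLE"}, {"ldhName": "NS2.ATTACKER-DNS.EXAMPLE"}],
    "entities": [{
        "roles": ["registrar"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"], ["fn", {}, "text", "New Registrar Inc"]]],
    }],
}

if __name__ == "__main__":
    for line in check(BASELINE, SAMPLE_CURRENT):
        print("ALERT:", line)
    # Live use: check(BASELINE, fetch_rdap("example.com"))
```

Run it on a schedule, persist the first snapshot as the baseline, and treat any alert as a reason to contact the registrar immediately; the diff deliberately ignores fields that change routinely (expiry date, last-updated timestamps) so that the alerts stay actionable.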
I’ve heard from some people trying to delete their Epik accounts. I don’t think this will help at this point; the data is already leaked.
Registrars should keep their eyes open for unusual transfer-in requests from Epik. I imagine some Epik customers are transferring their domains right now, but registrars should monitor this to ensure the domains aren’t being stolen. Since registrant contact details are part of the dump, an approval that rests only on the contact information on file is weaker than usual.
Brian Faber says
I think people should reset passwords and such, take precautions. It looks like some stuff is leaking on Twitter. I’m not a tech person, but this doesn’t look good – https://twitter.com/epikfailsnippet
Rob Monster - Epik.com says
Quick comments here:
– Cybersecurity teams have worked diligently to secure all systems
– The Epik Single-Sign-On is separate and was not impacted
– No unauthorized domain transfers have occurred to our knowledge
– All auth codes have been refreshed … twice!
We have strong reason to believe that this incident was for a remote backup of legacy registrar data that was stored at a well-known and major external host.
We appreciate the outpouring of support from the industry. Although I have declined press interviews, I have been in contact with many customers.
The object lesson is that Cybersecurity is a really big deal. It is our top priority in 2021. We have several significant initiatives already in progress. Stay tuned.
In the meantime, for those who want to show solidarity with Epik, I recommend the $6.99 .com unlimited domain transfer.
Andrew Allemann says
Thanks for the update, Rob. I question why a remote backup of legacy data would have passwords and such, but I’m sure there will be plenty of time to debrief in the future.
Brian Faber says
You’re blaming the Russians now? “In 2011, Epik acquired legacy code developed by Russians. Much of that code was due to be replaced this year.” …….. https://twitter.com/robmonster/status/1438661864431439880
Not a Weak Leader says
Robin Monster said “It could happen to anybody” in regards to the hack. But it didn’t happen to anybody, it happened to you b/c of your immoral soul and the low quality employees you hire. Stop being a weak leader and do press interviews. If you had any stones, you would.
Ethan Taylor says
Speaking of leadership, a good leader is supposed to show professionalism rather than defamation of others. Please understand that describing others’ souls in a defamatory way without proper evidence constitutes personal attack and also goes beyond the limits of free speech.
Scott Ross says
Karma never sleeps.
Michael Scheidell, CCISP says
And are you going to hire actual infosec people, led by a CISO with authority to check, recommend, and mitigate BEFORE you get hacked again?
What about people who are trying to transfer out before the hackers do? Why are you blocking them?
Every time I see these crazed left-wing cult members attack innocent people, either physically, which they do on a regular basis, or illegally, to try to intimidate them and remove them from the internet because of their opinions, I think: wait a second, who are the fascists? I hope one day they realize who the fascists really are. Something tells me they don’t have the intellect for introspection. “Lulz”
Get cucked says
Outraged that fascists write? Have any of you by chance lived in a fascist military dictatorship for 30 years of your life?
I would never wish on you what my grandparents (RIP), parents (RIP) and I went through with fascism, totally authoritarian.
John R. says
In the same breath that MONSTER says he was hacked, he also says “come over to Epik for $6.99” HOW STUPID DOES HE THINK DOMAINERS ARE?!
Stupid is when people place their own opinions and ego above facts.
Billion-dollar corporations have for decades lost millions of records with SS numbers, names, addresses, DOB, etc., things that can’t be changed or repaired, but a registrar gets hacked and it’s the end of the world.
For sure, if this had happened to GoDaddy or another registrar, you wouldn’t read it with all this negative intent.
People have been using the $6.99 fee for months; it was available before the hack. Changing a password on accounts is no big deal, so what’s all this fuss?
Best customer support. I have 2,500 names and am not moving one; btw, I moved 500 before Sept 1st.
Customers that work with Epik know better.
For sure, when Amex lost all the data of millions of people, they cancelled their cards.
Research it says
Is it stupid when people who work for Epik write comments that their domains are safe with Epik? How sad is it that your Anonymize Whois is public from the hack and the public can confirm you work for Epik?
I am one of those stupid ones who moved 500 before the hack and will continue moving.
My 2,500 names have never been more secure. Names have been stolen from many registrars, including GoDaddy, and people never moved their names.
Btw, I have 1,500 names at GD and feel very secure too.
Brian Faber says
So you feel “very secure” on a site built on shitty Russian code for the last 10 years? Let me quote Rob:
“Yes, shitty Russian code. We bought some shitty Russian code and we actually didn’t really have an opportunity to evaluate that code until we finished, until we really took control over everything.”
Research it says
Brian research it: https://domainnamewire.com/2021/09/16/epik-hack-what-we-know-what-you-should-do/#comment-2266366
It’s funny: Epik sends an email telling me to be careful with the credit card I use with them, the bank has blocked it, and now I receive an email from Epik that tomorrow two domains expire. They expire.