Credit card exposure from breach could have a major impact on customers.
I’ve been writing a lot about the Epik security breach, and you can expect to hear a lot more in the coming weeks as more details come out.
Yesterday, I published an email from Epik stating that it might be worth taking precautionary measures with credit card data. If you’ve ever bought anything online, this isn’t the end of the world. Numbers get stolen all the time, even from the biggest retailers. But in Epik’s case, it appears that the company was storing CVV codes as well, which is a big no-no. These are the three- and four-digit codes, usually on the back of the card, that are used for verification. Merchants are supposed to use the code only for authorization and not store it.
The other big news is that a bunch of scraped Whois records of non-customers were included in the breach. I have a couple of thoughts about this.
First, you should understand the history of Epik. The company entered the domain registrar business with the acquisition of Intrust Domains in 2011. Intrust was notorious for spamming people to sell them expiring domains. And, although Epik told me at the time that it didn’t acquire the email marketing part of Intrust, Epik itself was known for trying to sell domains via unsolicited email. (In a public video chat about the hack, Epik CEO Rob Monster confirmed that the early code base it acquired from Intrust was built on “shitty Russian code”, and that some of it is still in production.)
So it’s no surprise that the company has lots of Whois data. In fact, I wonder if it has a lot more than what was breached. Last year, Epik’s VP of Communications threatened people who were saying bad things about Epik by writing, “I am one of few individuals on this planet with the capacity to email 300 million people in fifteen seconds, with a full media agency and PR firm behind me.” I have no idea where that email data he referred to comes from and where it is stored.
Is the exposed Whois data a big deal? Yes and no. On the one hand, all of this data was public and probably scraped by plenty of spammers. On the other hand, this data can easily be used to spam people now. And certainly, people are going to be upset that their data was re-exposed by a company they’ve never heard of, so it’s going to be another large headache for the domain registrar as it works through recovering from the hack.