Credit card exposure from breach could have a major impact on customers.
I’ve been writing a lot about the Epik security breach, and you can expect to hear a lot more in the coming weeks as more details come out.
Yesterday, I published an email from Epik stating that it might be worth taking precautionary measures with credit card data. If you’ve ever bought anything online, this isn’t the end of the world. Numbers get stolen all of the time, even from the biggest retailers. But in Epik’s case, it appears that the company was storing CVV codes as well, which is a big no-no. These are the three- and four-digit codes, usually on the back of the card, that are used for verification. Merchants are supposed to use them only for authorization and not store them.
The other big news is that a bunch of scraped Whois records of non-customers were included in the breach. I have a couple of thoughts about this.
First, you should understand the history of Epik. The company entered the domain registrar business with the acquisition of Intrust Domains in 2011. Intrust was notorious for spamming people to sell them expiring domains. And, although Epik told me at the time that it didn’t acquire the email marketing part of Intrust, Epik itself was known for trying to sell domains via unsolicited email. (In a public video chat about the hack, Epik CEO Rob Monster confirmed that the early code base it acquired from Intrust was built on “shitty Russian code”, and that some of it is still in production.)
So it’s no surprise that the company has lots of Whois data. In fact, I wonder if it has a lot more than what was breached. Last year, Epik’s VP of Communications threatened people who were saying bad things about Epik by writing, “I am one of few individuals on this planet with the capacity to email 300 million people in fifteen seconds, with a full media agency and PR firm behind me.” I have no idea where that email data he referred to comes from and where it is stored.
Is the exposed Whois data a big deal? Yes and no. On the one hand, all of this data was public and probably scraped by plenty of spammers. On the other hand, this data can easily be used to spam people now. And certainly, people are going to be upset that their data was re-exposed by a company they’ve never heard of, so it’s going to be another large headache for the domain registrar as it works through recovering from the hack.
Blah, credit card data this, whois data that.. The main thing is that the domains remain safe!
Uhhh, you get that there were no stolen domains ONLY because the hackers didn’t care about them, right? If the hackers wanted them, they had access to everything they needed AND MORE to steal every domain Epik has. “Domains remain safe” is a fallacy and those with it will learn the hard way eventually because there’s just no securing that jigsaw puzzle called Epik.
If you look up “Monster Fail” in Google, a picture of Rob pops up 😀
You got me HA
From the post:
Last year, Epik’s VP of Communications threatened people who were saying bad things about Epik by writing, “I am one of few individuals on this planet with the capacity to email 300 million people in fifteen seconds, with a full media agency and PR firm behind me.”
Epik likely got ahold of 300 million emails from the very hacker sites on which their customers’ data is now published.
Karma.
Read this:
https://apple.news/AGNIVlOSER8CnxzX99qTzBg
CVV Data, it’s really a serious issue.
Wow, Epik always looked like such a professionally run operation, who could have guessed they were storing people’s credit cards and passwords in plain text?
Guess Rob and co were too busy defending themselves in the comments here every week to do basic things like hash passwords and be PCI compliant.
Does anyone know how to open the Epik Fail 16GB whois.sql? I tried a bunch of apps but the file is too big to read/write. Please help