
news Was there a Hack/Data Breach at Epik?

JennBlogger

Level 4
Joined
Oct 18, 2021
Messages
166
Reaction score
20
Feedback: 0 / 0 / 0
Enable 2 factor logins. Don't reuse passwords. Use a password manager.

Keepass is free and open source, works on windows, ios and linux.
So basically, you're saying Epik should do away with its single sign-on platform. I agree.
 

JennBlogger

Level 4
Joined
Oct 18, 2021
Messages
166
Reaction score
20
Feedback: 0 / 0 / 0
Federated Identity uses 2FA, which I have enabled. Maybe you didn't know that though.

From quoting:
I just logged in without 2FA, just like anybody else could. You should never have the same password for multiple sites. Maybe you didn't know that.
 

amplify

Level 5
Legacy Exclusive Member
Joined
Sep 15, 2009
Messages
3,466
Reaction score
1,172
Feedback: 68 / 0 / 0
I just logged in without 2FA, just like anybody else could. You should never have the same password for multiple sites. Maybe you didn't know that.
Did you set up 2FA? It's not automatic.
 

amplify

Level 5
Legacy Exclusive Member
Joined
Sep 15, 2009
Messages
3,466
Reaction score
1,172
Feedback: 68 / 0 / 0
That's my point.
Is 2FA automatic on Google? Why would you enable anything as being automatic on any platform?

2FA will always require manual configuration so that the user, you, can have a backup phrase or QR code to store. If this were done automatically, it would mean that every provider would have to store this code, defeating the purpose of 2FA as a second password.

I don't get your point from a technical or logical standpoint.
 

aleksey.k

Snake Charmer (Python3, DevOps)
Legacy Gold Member
Joined
Jan 4, 2021
Messages
42
Reaction score
20
Feedback: 0 / 0 / 0
Enable 2 factor logins. Don't reuse passwords. Use a password manager.

Keepass is free and open source, works on windows, ios and linux.
That's the solid advice, however, it's way too much for normies/boomers. Imagine a grandpa from a backwater running his PHP web forum "CornFarmersAndMormonsOfIdaho.biz". Using Linux alone will probably cause a brain death :D
 

mr-x

Level 7
Legacy Exclusive Member
Joined
Oct 12, 2003
Messages
870
Reaction score
181
Feedback: 12 / 0 / 0
That's the solid advice, however, it's way too much for normies/boomers. Imagine a grandpa from a backwater running his PHP web forum "CornFarmersAndMormonsOfIdaho.biz". Using Linux alone will probably cause a brain death :D

I use centos on my server and linux mint on my laptop and desktop.

Don't underestimate farmers. They are resourceful, can fix almost anything with almost nothing, know veterinary medicine, botany, are conservationist and race tractors on the weekend.
 

aleksey.k

Snake Charmer (Python3, DevOps)
Legacy Gold Member
Joined
Jan 4, 2021
Messages
42
Reaction score
20
Feedback: 0 / 0 / 0
I use centos on my server and linux mint on my laptop and desktop.

Don't underestimate farmers. They are resourceful, can fix almost anything with almost nothing, know veterinary medicine, botany, are conservationist and race tractors on the weekend.
Sure, no disrespect, that's a joke. In fact, I admire rural states like Iowa, Arizona, Utah. Too bad it's hard to visit the US now.
Plus, their conservative Christian non-urbanistic worldview aligns perfectly with mine.
 

Tom K.

Level 8
Legacy Platinum Member
Joined
Nov 15, 2005
Messages
1,020
Reaction score
70
Feedback: 42 / 0 / 0
I just logged in without 2FA, just like anybody else could. You should never have the same password for multiple sites. Maybe you didn't know that.
Yep. I have different logins for different accounts. When I set up the accounts at the 4 registrars (namecheap, dynadot, direcnic, and epik) to either facilitate an account push or check out their interfaces, I unfortunately used the same login to save time. My bad. Fortunately the loss was not significant and I never submitted any payment info.
 

DomainsGENERAL.com

Level 5
Legacy Gold Member
Joined
Jul 2, 2021
Messages
277
Reaction score
137
Feedback: 2 / 0 / 0
Thanks, and sorry for your loss.
You're very nice.

Now, think about it for one second: Most of us are domainers, here. We pretty much all know the registrant gets an email when there is a transfer, with a wait period if you don't expressly validate the transfer with the link from the email. You can't change the registrant email without a confirmation of a link sent to the previous email either.

Even if you do what naive people did 20 years ago: Using the same login AND password for different websites, not setting up 2FA, nor an email notification when there is a login, you probably would still have to be a liar with no honesty whatsoever to make up such a story... Not with 1 registrar, not with 2, but with 3 different ones. (On top of this, the hack was very public, with all this implies. You would have had to not react when you knew very well your situation. Even then it's hardly possible).

Please.
I'll believe in Santa, the Easter Bunny and the Tooth Fairy (all 3) before I believe this story.

Or am I totally wrong and you can transfer without an email validation when it's a push?
 

404

Level 4
Joined
Jul 6, 2021
Messages
131
Reaction score
60
Feedback: 0 / 0 / 0
You're very nice.

Now, think about it for one second: Most of us are domainers, here. We pretty much all know the registrant gets an email when there is a transfer, with a wait period if you don't expressly validate the transfer with the link from the email. You can't change the registrant email without a confirmation of a link sent to the previous email either.

Even if you do what naive people did 20 years ago: Using the same login AND password for different websites, not setting up 2FA, nor an email notification when there is a login, you probably would still have to be a liar with no honesty whatsoever to make up such a story... Not with 1 registrar, not with 2, but with 3 different ones. (On top of this, the hack was very public, with all this implies. You would have had to not react when you knew very well your situation. Even then it's hardly possible).

Please.
I'll believe in Santa, the Easter Bunny and the Tooth Fairy (all 3) before I believe this story.

Or am I totally wrong and you can transfer without an email validation when it's a push?

It would probably have been a good idea to use different credentials on each registrar + 2fa. May not have helped much as Epik was also storing failed logins in plaintext, credentials you may have mixed up with other registrars. That doesn't make him a liar. He stated it just might have been because of the hack. Not stating it is a fact, giving room for it to be coincidence.

Now we got that straight...

It's totally possible to hack and transfer/push domains without getting a confirmation using the dataset leaked. It's surprisingly easy actually.
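
An added example, not part of the original posts and not Epik's code: one way a login handler can record failed attempts without keeping what was typed, which is the risk raised in the post above about failed logins stored in plaintext. The key, account list, field names and sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: a per-deployment key held outside the log store.
LOG_HMAC_KEY = b"constructed-example-key"
KNOWN_ACCOUNTS = {"alice@example.com"}  # constructed sample data
SENSITIVE_KEYS = {"password", "passwd", "pwd", "otp", "token"}


def pseudonym(value: str) -> str:
    """Keyed digest: repeated attempts can be correlated without keeping the value."""
    mac = hmac.new(LOG_HMAC_KEY, value.encode("utf-8"), hashlib.sha256)
    return "hmac:" + mac.hexdigest()[:16]


def failed_login_record(form: dict, source_ip: str, ts: str) -> dict:
    """Build the audit record for a failed login from the submitted form."""
    user = form.get("username", "")
    known = user in KNOWN_ACCOUNTS
    return {
        "event": "login_failed",
        "ts": ts,
        "source_ip": source_ip,
        # An unknown "username" may be a password typed into the wrong box
        # or a login meant for another site, so it is never stored verbatim.
        "username": user if known else pseudonym(user),
        "username_known": known,
        # Record which fields were submitted, never their values.
        "fields_present": sorted(form),
    }


def contains_submitted_secret(record: dict, form: dict) -> bool:
    """True if any submitted secret value appears anywhere in the record."""
    blob = json.dumps(record)
    return any(v and v in blob
               for k, v in form.items() if k.lower() in SENSITIVE_KEYS)


if __name__ == "__main__":
    # Constructed attempt: a password for another site typed as the username.
    attempt = {"username": "Other-Registrar-Pass!", "password": "hunter2-typo"}
    print(json.dumps(failed_login_record(attempt, "203.0.113.7",
                                         "2021-09-15T12:00:00Z"), indent=2))
```

The keyed digest still lets an analyst see that the same unknown value was tried repeatedly; anyone holding both the key and the logs could guess weak values offline, so the key belongs outside the log store.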
 

Tom K.

Level 8
Legacy Platinum Member
Joined
Nov 15, 2005
Messages
1,020
Reaction score
70
Feedback: 42 / 0 / 0
Or am I totally wrong and you can transfer without an email validation when it's a push?
In my experience, if it is a domain push from the outgoing account then it is accepted by the incoming account. Yes, email notifications are generally sent out but they do not require confirmation via email. This may vary depending on registrar. You can also change the registrant email if you have access to that account. Emails can also end up in spam. If you upgrade your computer, you have different email addresses, etc., different factors can play a role in a fail if only one notification is sent. All these factors were in my case as I was doing major upgrades to hardware and hosting.
 

mr-x

Level 7
Legacy Exclusive Member
Joined
Oct 12, 2003
Messages
870
Reaction score
181
Feedback: 12 / 0 / 0
In my experience, if it is a domain push from the outgoing account then it is accepted by the incoming account. Yes, email notifications are generally sent out but they do not require confirmation via email. This may vary depending on registrar. You can also change the registrant email if you have access to that account. Emails can also end up in spam. If you upgrade your computer, you have different email addresses, etc., different factors can play a role in a fail if only one notification is sent. All these factors were in my case as I was doing major upgrades to hardware and hosting.

Every registrar I have used sent an email to both current owner and recipient.

I don't think you are lying but I'm fairly confident email was sent on an account change.
 

Tom K.

Level 8
Legacy Platinum Member
Joined
Nov 15, 2005
Messages
1,020
Reaction score
70
Feedback: 42 / 0 / 0
Every registrar I have used sent an email to both current owner and recipient.

I don't think you are lying but I'm fairly confident email was sent on an account change.
With an account change, there is an email sent. But the incoming account can simply accept the change via control panel. An email is sent to the outgoing registrant that the domain has been removed from their account. And again, emails can be manipulated if the outgoing account has been breached.
 

Tom K.

Level 8
Legacy Platinum Member
Joined
Nov 15, 2005
Messages
1,020
Reaction score
70
Feedback: 42 / 0 / 0
As I stated earlier, I cannot with certainty make a direct line between the hack and the loss of domains. Some of these registrars have very poorly designed notification emails. The timing may just be a coincidence. I am not going to make a big deal out of this since the domains were not as important as the ones at my primary registrar. No financial info was posted so none hacked. Got bigger fish to fry. When I get some time to kill I may do a forensic review. Take it as you will. Change your logins.
 

DomainsGENERAL.com

Level 5
Legacy Gold Member
Joined
Jul 2, 2021
Messages
277
Reaction score
137
Feedback: 2 / 0 / 0
Epik was also storing failed logins in plaintext
I agree this wasn't good (among other things).
If you entered some wrong login info, which happens, yes, you may have given out some other logins that way.

Link to the hack or not isn't necessarily the question (of course it seems to be the goal here, to make it appear as it caused him some troubles and losses. Maybe also play a little the victim, IDK). For a change of email of the registrant and for a transfer out (Auth code), I'm confident it isn't possible without controlling the current email address of the registrant (or you would have to contact the registrar to change the email because you lost the previous one. They would check a little you're you. Especially with the Epik hack being widely known). Transferring out isn't possible at least without first letting expire the wait period for external transfers (and there are notifications by email. There are some ICANN requirements here, if I'm not mistaken).

I do now have a doubt about internal pushes. Maybe they can be done immediately without controlling the email address of the registrant. I don't remember for sure and I don't want to test a transfer now just to get the answer. I'll see next time I do have some to do.

Or for the story to make sense, it would have to be some inside jobs from the 3 registrars. Logically, anybody would ask questions to them about why the domains aren't in the account anymore while you didn't receive any notifications. Or it is time to worry about your email accounts being compromised, which is dangerous (and this shouldn't come from the Epik hack).
 
