news Was there a Hack/Data Breach at Epik?

DomainsGENERAL.com

Level 5
Legacy Gold Member
Joined
Jul 2, 2021
Messages
277
Reaction score
137
Feedback: 2 / 0 / 0
... + 2fa. May not have helped much as ...
2FA does help with a lot of situations. It would have in the one you describe.
It is great to secure accounts. Everybody caring about theirs should use 2FA, IMHO (whatever the account).
 

404

Level 4
Joined
Jul 6, 2021
Messages
131
Reaction score
59
Feedback: 0 / 0 / 0
I agree this wasn't good (among other things).
If you entered some wrong login info, which happens, yes, you may have given out some other logins that way.

Link to the hack or not isn't necessarily the question (of course it seems to be the goal here, to make it appear as if it caused him some troubles and losses. Maybe also play the victim a little, IDK). For a change of email of the registrant and for a transfer out (Auth code), I'm confident it isn't possible without controlling the current email address of the registrant (or you would have to contact the registrar to change the email because you lost the previous one. They would check a little that you're you. Especially with the Epik hack being widely known). Transferring out isn't possible at least without first letting the wait period for external transfers expire (and there are notifications by email. There are some ICANN requirements here, if I'm not mistaken).

I do now have a doubt about internal pushes. Maybe they can be done immediately without controlling the email address of the registrant. I don't remember for sure and I don't want to test a transfer now just to get the answer. I'll see next time I have some to do.

Or for the story to make sense, it would have to be some inside job at the 3 registrars. Logically, anybody would ask them why the domains aren't in the account anymore while you didn't receive any notifications. Or it is time to worry about your email accounts being compromised, which is dangerous (and this shouldn't come from the Epik hack).

For security reasons I'm not gonna go into how to do it, but once you have full access it's definitely possible. At some registrars it's easier than at others; at some you'll need to add some basic social engineering to the mix. No access to email is needed, although with access it does make things much simpler.

Easiest target is GoDaddy.

That being said, yes, 2FA solves most of your troubles, as does using a registrar who will notify you upon any login/login attempt.

Point being, it's not far fetched for someone with even a moderately valuable portfolio to worry about getting targeted.

In conclusion, Tom may be right, he may be wrong. He's unsure about it himself. Not really anything there to justify calling him a liar.
 

Steff

Level 2
Joined
Oct 21, 2021
Messages
35
Reaction score
4
Feedback: 0 / 0 / 0
Has anyone downloaded any part of the data dump from the Epik hack? It seems to be pretty complete. I haven't, so can't personally confirm but it is reported to include logins, financial info, whois, even a digital image of the entire server. Has this been confirmed or denied? In either case, what assurances have been given that data is now secure? I mean, other than "we're working on it."
 

aleksey.k

Snake Charmer (Python3, DevOps)
Legacy Gold Member
Joined
Jan 4, 2021
Messages
42
Reaction score
20
Feedback: 0 / 0 / 0
Has anyone downloaded any part of the data dump from the Epik hack? It seems to be pretty complete. I haven't, so can't personally confirm but it is reported to include logins, financial info, whois, even a digital image of the entire server. Has this been confirmed or denied? In either case, what assurances have been given that data is now secure? I mean, other than "we're working on it."
Twitter trannies have gone silent, so it seems that except for several notable cases of deanonymization nothing interesting was found.

I'm keking really hard on the "whois" part since it's public info
 

base

Level 3
Joined
Oct 25, 2021
Messages
53
Reaction score
35
Feedback: 0 / 0 / 0
I do now have a doubt about internal pushes. Maybe they can be done immediately without controlling the email address of the registrant. I don't remember for sure and i don't want to test a transfer now just to get the answer. I'll see next time I do have some to do.
For domain account transfers, "pushes", within the same registrar there is no email involvement. As long as you are in your account and the registrar has the push option, it's really just as simple as that. Account A pushes to Account B.

Some registrars send a courtesy notice email to the parties involved after the fact, but that's about it. Though it should be standard practice, in my opinion, to let the account holders immediately know of any domain ownership changes.
 

404

Level 4
Joined
Jul 6, 2021
Messages
131
Reaction score
59
Feedback: 0 / 0 / 0
For domain account transfers, "pushes", within the same registrar there is no email involvement. As long as you are in your account and the registrar has the push option, it's really just as simple as that. Account A pushes to Account B.

Some registrars send a courtesy notice email to the parties involved after the fact, but that's about it. Though it should be standard practice, in my opinion, to let the account holders immediately know of any domain ownership changes.

Epik sends an email and requires both the losing and gaining account to login and approve the push. Pretty nice system actually.
 

DomainsGENERAL.com

Level 5
Legacy Gold Member
Joined
Jul 2, 2021
Messages
277
Reaction score
137
Feedback: 2 / 0 / 0
Not really anything there to justify calling him a liar.
Let's agree transferring domains internally (push) may be possible without (initially) controlling the registrant email address. I guess it would usually be not too easy (I don't think very highly of GoDaddy). This story seems unlikely to me in terms of probabilities. Especially for it to happen with 3 different registrars. No mention of a complaint to the registrars, nothing (no mention of the names stolen for people to look out for their resale either). And there is probably a bias on my part related to a previous story he was involved in. Anyway, this is solely my own opinion. I can definitely be totally wrong. If I had to bet, I would personally bet the alleged story (as it is described) is mostly fake. Again: I can very well be wrong. Only my assessment. - I do respect your view.

@base I am asking myself if it depends on the registrar? It's crazy because I have done quite some pushes recently and I'm incapable of correctly remembering the email validation part (or lack thereof). I believe some (most?) did ask for a validation by email. But I may be mistaken, or confusing it with some external transfers (Auth codes). I will try to look more carefully at what is needed during the next ones. I encourage you and others to do the same.

I believe I've seen some recent discussion here about the lock of the domain after a push. Some people were (understandably) not very happy about it. But for this kind of situation, it does give the victim whose domain got stolen the opportunity to complain to the registrar during the lock period (the domain can't get out during that time).

I don't know how frequently domain "stealing" actually happens. I know we hear about it sometimes (maybe more from the people warning about it or selling a product against it, than actual cases?), but a domain can be tracked easily. It seems difficult for the person who gets it to do much with it. The victim should just inform the authorities. Stealing is still illegal, whatever is stolen. It seems a little difficult to get away with it, in the end (and to use the domain).

But it may be interesting to study how feasible it would be registrar by registrar. If there are no specific rules for pushes, where can a domain be pushed and transferred out immediately, without any registrant email validation, and where is it impossible (because of email validation and/or a lock period)? Maybe there is a case of more or less secure registrars in that regard (having your domains potentially stolen). Or has this already been done?
 

DomainsGENERAL.com

Level 5
Legacy Gold Member
Joined
Jul 2, 2021
Messages
277
Reaction score
137
Feedback: 2 / 0 / 0
account to login and approve
Sure, but if the login info is enough, it doesn't really secure things. The key is to need something transmitted by email. This is some form of "2FA": To check if the person does control the email address associated with the domain. I believe most registrars do this (not sure about it right now, though), even if it doesn't necessarily seem obvious when you do it. Please look carefully next time you do pushes 👍
 

404

Level 4
Joined
Jul 6, 2021
Messages
131
Reaction score
59
Feedback: 0 / 0 / 0
Sure, but if the login info is enough, it doesn't really secure things. The key is to need something transmitted by email. This is some form of "2FA": To check if the person does control the email address associated with the domain. I believe most registrars do this (not sure about it right now, though), even if it doesn't necessarily seem obvious when you do it. Please look carefully next time you do pushes 👍

Yes, it will be an interesting study. From memory and by checking my mail archives, most registrars I use tend to send an update/mail once a domain is transferred/pushed.

Just getting in and pushing/transferring someone's domain will usually alert the owner if no additional measures to prevent this are taken.
 

DomainsGENERAL.com

Level 5
Legacy Gold Member
Joined
Jul 2, 2021
Messages
277
Reaction score
137
Feedback: 2 / 0 / 0
update/mail once a domain is transferred/pushed
Yes, I'm confident this usually happens. But this is AFTER :/ The question is about "before". Needing to be able to receive these emails to validate the transfer (I'm pretty sure it is the case with Auth codes! But I'm unsure about pushes. Or maybe it really depends on the registrar. For once I cleaned up my emails, so I can't look at this.)
 

404

Level 4
Joined
Jul 6, 2021
Messages
131
Reaction score
59
Feedback: 0 / 0 / 0
Stealing is still illegal, whatever is stolen. It seems a little difficult to get away with it, in the end (and to use the domain).

I guess the hardest part is to prove it was stolen. If a push/transfer was initiated using your credentials and approved using your credentials that's going to be tough.

Fortunately I never had to deal with an issue like that :)
 

Tom K.

Level 8
Legacy Platinum Member
Joined
Nov 15, 2005
Messages
1,020
Reaction score
70
Feedback: 42 / 0 / 0
Domains have been stolen before even without a data breach or a hack. Not sure how that happens if there are email notifications. Perhaps spoof pages?

According to the article below, timestamps on the files leaked indicate the Epik hack occurred as far back as February. "TechCrunch has since learned that Epik was warned of a critical security flaw weeks before its breach." Also, “You could just paste this [line of code] in there and execute any command on their servers,” Leo told TechCrunch.

We are debating email notifications and 2FA. However, there is still a lot we don't know because Epik is not forthright. There is talk about such and such measure being taken, an amazing security person or team working hard, or whatever. But we still don't know if the same code with the same security flaws is still being used. I had sites hacked, and it's a huge pain. Can't imagine the scope for a registrar.

 

DomainsGENERAL.com

Level 5
Legacy Gold Member
Joined
Jul 2, 2021
Messages
277
Reaction score
137
Feedback: 2 / 0 / 0
guess the hardest part is to prove it was stolen
Yes and no. There is already what you say. Usually, this does have some value, even if far from bulletproof (some people do lie, indeed). Then there is the IP logged from, all the details about the browser/system used, the details about the account which received the domain, etc. Chances are not just your names have been stolen in such a situation, but it also happened to other people (which tends to confirm what you say). If several domains declared stolen ended up in the same receiving account, this also helps. If it happened with credentials identical to those just leaked from a hack, this tends to confirm your story too. Etc.

You report the thing. Then, it's some other people's job to confirm that what you say seems correct. There will be questions asked of the account having received the domains. It depends on the answer too (if he has a receipt for a payment to you, for example). A victim doesn't have to absolutely "prove" they're a victim. You report it, and then things get sorted out.

Sure, you could have "stolen" your own domain from yourself. Or given/sold it and argued it was stolen. But there will be cracks in your story. And well, reporting false crimes is also illegal if I'm not mistaken... Why the hell would you falsely report something stolen? Unless you're a little nuts or you have an incentive, there is no good reason.
 

Tom K.

Level 8
Legacy Platinum Member
Joined
Nov 15, 2005
Messages
1,020
Reaction score
70
Feedback: 42 / 0 / 0
Are there locks enforced on domains pushed? Or only on transfers? I would imagine that once an account change is made the domain would be transferred out.
 

accurate

Level 8
Legacy Exclusive Member
Joined
Sep 28, 2012
Messages
1,236
Reaction score
476
Feedback: 0 / 0 / 0
To my understanding most registrars do have a policy of preventing pushed domains from outbound transfers for a certain period of time. They don't want an unauthorized transfer of a domain name to another registrar.

I can't speak to what the Epik policy is on this though @Tom K., although I would imagine they would have a similar policy in place.

Maybe an @Epik team member can comment?

Are there locks enforced on domains pushed? Or only on transfers? I would imagine that once an account change is made the domain would be transferred out.
 

Tom K.

Level 8
Legacy Platinum Member
Joined
Nov 15, 2005
Messages
1,020
Reaction score
70
Feedback: 42 / 0 / 0
This is an interesting question. Because many domainers have complained that the 60 day lock has been detrimental to sales. Whenever I change any of the whois info, my current registrar allows me to opt out of the lock.
 

base

Level 3
Joined
Oct 25, 2021
Messages
53
Reaction score
35
Feedback: 0 / 0 / 0
Epik sends an email and requires both the losing and gaining account to login and approve the push. Pretty nice system actually.
Oh, I didn't know that - thanks! Haven't done that through Epik.
@base I am asking myself if it depends on the registrar? It's crazy because I have done quite some pushes recently and I'm incapable of correctly remembering the email validation part (or lack thereof). I believe some (most?) did ask for a validation by email. But I may be mistaken, or confusing it with some external transfers (Auth codes). I will try to look more carefully at what is needed during the next ones. I encourage you and others to do the same.
Looks like it does depend on the registrar, as per @404's reply quoted above. Will take your advice as to what is needed, rather than assume. I have done pushes through many registrars though, and have never needed email confirmation for it to go through. IMO it kind of negates the instant "push" process though, although yes, the domain winner does have to accept it within their account.
 

DomainsGENERAL.com

Level 5
Legacy Gold Member
Joined
Jul 2, 2021
Messages
277
Reaction score
137
Feedback: 2 / 0 / 0
IMO kind of negates the instant "push" process though
Just clicking on a link sent by email doesn't change much. It's like when you have to validate an email when you create an account somewhere. With 1 click, you prove you have access to that email address. As said, in case of such validation, it is a form of 2FA (or there is the version of sending you a code of a few digits you have to then enter on the website).
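To make the two controls debated in this thread concrete (the emailed confirmation code that both the losing and gaining account must enter, and the post-push lock that blocks outbound transfer for a period), here is a toy model of a registrar's push workflow. It is an added example written for this thread, not any registrar's real code; the account names, the 60-day lock value and the in-memory "outbox" standing in for real email are all constructed assumptions.

```python
"""Toy model of a registrar push workflow with the two controls debated in this
thread: each account confirms with a code emailed to it, and a pushed domain is
locked against outbound transfer for a while afterwards.  Constructed example."""
import secrets
from datetime import datetime, timedelta

PUSH_LOCK_DAYS = 60                 # assumed lock period (the thread mentions a 60-day lock)
DEMO_NOW = datetime(2021, 10, 1)    # constructed "current time" for the demo


class Registrar:
    def __init__(self):
        self.domains = {}   # name -> {"owner": account, "lock_until": datetime or None}
        self.pending = {}   # name -> push request awaiting email confirmation
        self.outbox = []    # (account, message) pairs standing in for real email

    def add_domain(self, name, owner):
        self.domains[name] = {"owner": owner, "lock_until": None}

    def request_push(self, name, losing, gaining):
        # Logging in as the owner only *starts* a push; ownership does not change yet.
        if self.domains[name]["owner"] != losing:
            raise PermissionError("only the current owner can push")
        codes = {acct: secrets.token_hex(3) for acct in (losing, gaining)}
        self.pending[name] = {"from": losing, "to": gaining, "codes": codes, "ok": set()}
        for acct, code in codes.items():   # the code only ever leaves via the mailbox
            self.outbox.append((acct, f"confirm push of {name} with code {code}"))

    def confirm_push(self, name, account, code, now):
        # Each side proves control of its mailbox; the push completes on the second confirmation.
        req = self.pending.get(name)
        if req is None or account not in req["codes"]:
            return False
        if not secrets.compare_digest(req["codes"][account], code):
            return False            # login credentials alone cannot produce the code
        req["ok"].add(account)
        if req["ok"] == {req["from"], req["to"]}:
            self.domains[name] = {"owner": req["to"],
                                  "lock_until": now + timedelta(days=PUSH_LOCK_DAYS)}
            del self.pending[name]
            self.outbox.append((req["from"], f"{name} was pushed out of your account"))
        return True

    def can_transfer_out(self, name, now):
        # Outbound transfer (auth code) is refused while the post-push lock is active.
        lock = self.domains[name]["lock_until"]
        return lock is None or now >= lock
```

The after-the-fact notice to the losing account is the "courtesy email" several posters describe; the code check before it is the "before" step this post argues for.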
 

DomainsGENERAL.com

Level 5
Legacy Gold Member
Joined
Jul 2, 2021
Messages
277
Reaction score
137
Feedback: 2 / 0 / 0
I can't speak to what the Epik policy is on this though
He has made clear he dislikes Epik and has no domain there. It would have to be seen what the policies are at the 3 registrars of the alleged stealing. But for this period to work, you have to tell them something...
 
