Closed themaster567 closed 3 years ago
Change your password, and the password of any service where you were using the same password (which is always a bad idea). I say this even though I'm pretty sure Epik has been using a third party authenticator for the past year or two, so the password hashes leak might be obsolete anyway, but you should be precautious and change them anyway.
As for LandChad.net, this is spilled milk, although it might be optimal strategy to compile a brief list of recommended registrars for users as choices just to avoid potential issues like this where all eggs are in one basket. The only shortcoming of Epik (aside from being hacked) is that they were apparently storing password hashes in unsalted MD5, which is lazy and less secure, and simple passwords can be cracked.
Granted, this should also apply to the VPS provider, Vultr. In fact, a leak of credentials of a VPS provider is potentially much more damaging because this can mean a data compromise, so it would probably be a good idea to recommend multiple providers for this as well. Perhaps I'll make a thread or video on this asking for suggestions.

On 21/09/16 04:13AM, themaster567 wrote:
What should I do for myself and my friends who I've recommended this to? I've done the standard changing my password and adding 2fa, but should I be worried about anything else? From my understanding, the dump includes at least full names, addresses, and passwords. Is it worth it to switch to a different domain service?
View it on GitHub: https://github.com/LukeSmithxyz/landchad/issues/132
Their security policies were absolutely unacceptable and any recommendation to use their service should be removed. You should be migrating all services with them to another provider. If you don't, I think you are a bit foolish.
In my opinion you should apologize Luke. It is not your fault that they were not implementing basic security practices (let alone the kinds that they ought to implement given their focus on hosting controversial content), but you did lead us to them.
That's a bit far. Luke made his recommendation based on what he felt was best at the time. I seriously doubt he could have foreseen this, therefore he did nothing malicious or even wrong. It's just an unfortunate situation.
I'll probably end up transferring my domain elsewhere soon.
You don't have any knowledge of their "security policies." Hashed passwords and plaintext info are the same caliber of leaks that we get continually from much more significant Yahoo! and Google leaks. Epik was targeted not because they had bad security, but for the one reason they are a recommendable registrar: they are a neutral carrier, unlike an increasing number of major US/EU registrars.
(By the way, I'm not sure what it means to "apologize" about something you admit that is (obviously) not only not my fault, but also the best given recommendation given the constraints.)
Regardless, the best strategy in good faith, as I said above, is to have a list of recommendations and as I do some research, I will have a list of registrars. You are invited to volunteer one if you'd like.
As a note for people who aren't concern trolling, it's an abysmally dumb thing to call Epik a registrar of "controversial" content. It's like saying that GoDaddy is a registrar for pornography because they have (doubtlessly millions) of porn sites registered. Epik has like three sites that the media wants to ban and somehow that means they "cater" to "controversial" content just because they don't go out of their way to shut people up. Epik does what all other American registrars used to do: register domains without curation.
The problem is indeed that they stored data in plain-text, and do not appear to have taken the kinds of security precautions that, in my opinion, one should take given the risks they have assumed.
You don't have to apologize, no one can force you to do anything. You can be responsible for leading people to a bad thing, even if you were unaware of it. It seems somewhat unjust but it happens sometimes. It's up to you, and I don't think anyone has ill will towards you. God bless you
Unsalted MD5 for passwords is bad practice but still very far from uncommon. What data did they store in plain-text that they shouldn't have?
Besides, with the kind of breach this appears to have been, since other non-database data from the servers has been leaked, using salts probably wouldn't have helped.
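As an added illustration of the two points argued in this exchange (it is not code from this thread or from the landchad project, and the usernames, passwords and table contents are constructed samples): with unsalted MD5, a leaked hash can be matched against a table computed once in advance, and every user who chose the same password shares the same hash, so one recovery exposes all of them. A per-user random salt removes both properties even though the salt sits in the same database the attacker took; what actually raises the cost per guess is the deliberately slow key derivation (PBKDF2-HMAC-SHA256 here) used with it.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample: a handful of common passwords standing in for a
# precomputed table. A real table holds billions of entries; the mechanism
# is the same.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def unsalted_md5(password: str) -> str:
    """The weak scheme discussed in the thread: one deterministic hash per password."""
    return hashlib.md5(password.encode()).hexdigest()


def precomputed_lookup(hash_hex: str) -> Optional[str]:
    """Unsalted hashes can be reversed by a table computed before the leak ever happened."""
    table = {unsalted_md5(p): p for p in COMMON_PASSWORDS}
    return table.get(hash_hex)


def duplicate_password_groups(user_hashes: Dict[str, str]) -> Dict[str, List[str]]:
    """Without a salt, users sharing a password share a hash; group them by identical hash.

    This is the defender's audit view: a leaked table with many repeated hashes
    means one recovered password unlocks every account in the group.
    """
    groups: Dict[str, List[str]] = {}
    for user, h in user_hashes.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


# Hardened scheme: 16-byte random salt per user plus a slow KDF. The iteration
# count is an assumption chosen for this example; tune it to your hardware.
PBKDF2_ITERATIONS = 600_000


def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Store salt, iteration count and derived key together; the salt is not secret."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify(password: str, record: Dict[str, object]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode(),
        bytes.fromhex(str(record["salt"])),
        int(record["iterations"]),
    )
    return hmac.compare_digest(digest.hex(), str(record["hash"]))


if __name__ == "__main__":
    # Constructed leaked table in the weak scheme.
    leaked = {
        "alice": unsalted_md5("password"),
        "bob": unsalted_md5("password"),
        "carol": unsalted_md5("correct horse battery staple"),
    }
    print("shared hashes:", duplicate_password_groups(leaked))
    print("alice's hash in precomputed table:", precomputed_lookup(leaked["alice"]))

    # Same two users in the hardened scheme: different records despite equal passwords.
    a, b = make_record("password"), make_record("password")
    print("salted records differ:", a["hash"] != b["hash"])
    print("verify ok:", verify("password", a), "wrong pw:", verify("Password", a))
```

Note what the salt does and does not buy: `verify("password", a)` still returns True, so a weak password is still guessable one account at a time, but the guess must now be run through the slow KDF separately for every account, and nothing can be precomputed before the breach.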
It is not uncommon. That is a problem. If you might be a target, you should secure your service. Allegedly, there was a decade-old CVE that had already been reported to Epik months before the "breach". The CEO compared the report to "LinkedIn spam". I, personally, will be using a different registrar.
Yeah, unsalted MD5 is really bad security practice, and their mail after the big breach didn't give me more trust in them:
At Epik, we take security and the privacy of your information very seriously. Therefore as a precautionary measure, I am writing to inform you of an alleged security incident involving Epik. Our internal team, working with external experts, have been working diligently to address the situation. We are taking proactive steps to resolve the issue. We will update you on our progress. In the meantime please let us know if you detect any unusual account activity. I am proud of our team’s efforts as we do our part to empower a thriving internet for the benefit of our customers around the world. You are in our prayers today. We are grateful for your support and prayer. When situations arise where individuals might not have honorable intentions, I pray for them. I believe that what the enemy intends for evil, God invariably transforms into good. Blessings to you all. Regards, Rob Monster Founder and CEO Epik Holdings Inc mt
I don't know any registrar with as lax a policy as Epik has, but people using it should really be aware that they can't be trusted on the security side of things, or that you will get the full story from them should anything happen. I'll probably switch to njal.la in the future. That won't be a viable choice for people who "use [their] service in a way that affects anyone's health or safety", but they give a better impression when it comes to security and privacy.
Oh boy, Epik's DNS servers are not doing so hot right now. Having partial domain outages along with the inability to edit my host records without getting an internal service error.
I did notice some downtime on Epik's DNS. All my Epik DNSs are resolving fine now, but very disappointing service even if the result of security upgrades. I can understand them disabling DNS edits as a temporary precaution, but it has been several days now, and Epik has not been too transparent about the process.
It might actually be a good idea to have articles on using third-party or self-hosted DNS on LandChad for exactly this reason.
While I will be keeping some domains with Epik, I think I will be moving some of my Epik domains elsewhere. I sympathize with their victimhood here and I am sure they are trying to get through this without normies panicking, but I would certainly appreciate more openness and updates.
Closing this issue since it's not really relevant to this site. I will start a new issue soliciting suggestions for new recommendations.