Epik Email: “Update and Options for Affected Epik Users”

20

Yesterday afternoon, the Have I Been Pwned? platform added the Epik data breach to its database. In doing so, it announced that more than 15 million email addresses were contained in the data, along with other information like addresses and phone numbers:

There has been a lot to unpack with this data breach, and more details have been shared on various platforms including a long thread at NamePros and quite a few Twitter accounts. You can search Twitter for hashtags like #EpikFail, #EpikHack, or simply search for Epik to see updates from a wide variety of people who seem to have access to the data.

A short while ago, Epik sent out the email below with links to relevant organizations:

Update and Options for Affected Epik Users

Hello,

We previously notified that on September 15, Epik confirmed a data intrusion involving its customers’ personal information. Though our forensic investigation is still ongoing, we can now confirm additional details of this intrusion.

What happened:
While we continue to investigate, we believe that on or before September 13, 2021, unauthorized third parties accessed a backup copy of Epik’s domain-side service accounts through one or more non-public servers.

What personal information may have been obtained:
Name, address, email address, username, password, phone and VAT number (if given), transaction history, domain ownership, and for a small subset of users, credit card information.

What we are doing:
As previously stated, we have retained multiple cybersecurity partners to investigate the incident, secure our services, help affected users, and notify you, law enforcement, and other relevant authorities. We are continuing to communicate with relevant authorities and other stakeholders as well.

At this time, we have secured access to our domain-side services and have applied additional security measures to help protect services and users going forward.

In addition, we will offer free credit monitoring until September 15, 2023, for all affected Epik users; more details on this free service will be made available soon.

Additional options for users:
1. Change your Epik password and enable two-factor authentication by visiting: https://www.epik.com/support/knowledgebase/how-to-reset-password-epik-user-password-when-user-forgot-it

2. Call Epik Toll-Free at 800-510-3282 for further information and assistance.

3. The Federal Trade Commission (FTC) recommends that you place a free fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. This can be done by contacting any one of the three major credit bureaus:

Equifax: equifax.com/personal/credit-report-services or 1-800-685-1111
Experian: experian.com/help or 1-888-397-3742
TransUnion: transunion.com/credit-help or 1-888-909-8872

4. Request a free credit report from each credit bureau after placing a fraud alert on your file. Review these credit reports for any accounts and inquiries you do not recognize, as they may be signs of identity theft. If your personal information has been misused, visit the FTC’s site at IdentityTheft.gov to report the identity theft and obtain recovery steps. Even if you do not find any suspicious activity on your initial credit reports, the FTC recommends that you check your credit reports periodically so you can spot problems and address them quickly.

5. You may also want to consider placing a free credit freeze on your file. A credit freeze prevents potential creditors from obtaining your credit report, making it less likely for an identity thief to open new accounts in your name. To place a freeze, contact each of the major credit bureaus using the links or phone numbers above. A freeze will remain in place until you ask the credit bureau to temporarily lift or remove it.

6. Visit IdentityTheft.gov/databreach, for additional resources and help to protect yourself from identity theft or call 1-877-438-4338.

7. Learn more about your rights under the Fair Credit Reporting Act here.

8. Contact your local Attorney General or local law enforcement to report suspected identity theft by filing or obtaining a police report.

Thank you for your continued support. We will continue to keep you updated.

Epik Security Team

About The Author: Elliot Silver is an Internet entrepreneur and publisher of DomainInvesting.com. Elliot is also the founder and President of Top Notch Domains, LLC, a company that has sold seven figures worth of domain names in the last five years. Please read the DomainInvesting.com Terms of Use page for additional information about the publisher, website comment policy, disclosures, and conflicts of interest.

Reach out to Elliot: Twitter | Facebook | LinkedIn | Email

20 COMMENTS

  1. This just keeps going from bad to worse, given the extent of the hack, I would assume epik would be in some legal jepoardy especially if all the clients get together, what a mess.

    • Most of the people placing comments are not EPIK customers, guaranteed if it was any other registrar none of all this negativity would be going on.
      GD has had many names stolen and hasn’t been never a big deal, EPIK hasn’t had names stolen.
      Best customer support, best fees, best innovation
      Keep all the negativity, credit cards and major retailers have lost 10th of millions of records with SS, DOB, addresses and crucial info that can’t be changed as a
      Password or credit card, EPIK customers know better and don’t believe non will move something many registrars wish. Have 5 accounts with over 1500 names and sleep as a baby.

      • You have no way of knowing that the people placing comments aren’t EPIK customers and you are dead wrong about this happening to other registrars, the negativity wouldn’t be going on. The fact is it DIDN’T happen to other registrars and if it happened to Godaddy, it would be WAY BIGGER news. My question is this. How were credit cards exposed when they are supposed to be stored with encryption? Seems like a huge PCI compliance violation. My guess is more companies jump on board and refuse to do business with EPIK and/or they get their credit card processing pulled.

  2. I’m still looking forward to transferring more domains to Epik.

    Much worse than this has happened before. Federal employee data going back decades was all reportedly hacked by China. Did people forget already? That’s a billion times bigger a hack than this. Have people already forgotten the >= billion-level Yahoo hack?

    Speaking for myself, my security habits are probably stronger than >= 99.99% of the planet. I changed the pw of course, use super strong passwords, changed pin, use least privilege user accounts, and clear cookies, sessions, cache and files more times a day than probably 99.999% of everyone in the world online. In fact most people probably not only don’t do that but don’t even know about it.

    Regarding the diatribe purportedly from “Anonymous,” did anyone else notice the mention of Ivermectin in it?

    Did anyone else realize that you have to be so stupid to do that, that it’s almost humanly impossible to be as intelligent as you have to be to do such a hack while simultaneously being so unfathomably stupid as to mention Ivermectin that way? Anyone else (among the non-haters, sane and rational here, that is) see the credibility problem with that? Is it humanly possible to be *genuinely* that stupid, really? Or am I in the wrong arena for that, and are even the (otherwise) smartest people who participate in these blogs so stupid they don’t even know what I’m talking about or the truth about that drug and the mainstream media lying about it? Unless whoever is behind this really is that stupid, looks like it could actually be a mess up and smoking gun for something frankly.

    • I got my letter from Uncle Sam’s OPM for the big federal personnel hack, btw. Never even read it, just glanced it over a bit since it had already long been news. Had the free monitoring and $1 million coverage offer in it. Never bothered with any of that. Already had a freeze on my credit long before then too.

    • Did you take the same cognitive test that Trump bragged about “acing” ? lol

      Like any smart, down-to-earth person, Donald Trump has been bragging about “acing” a simple cognitive test he took recently. He’s been doing it for a while now, but it wasn’t until his interview with Fox News’s Chris Wallace on Sunday that he was challenged over it.

      As the president started boasting about his results, Wallace laughed. “I took the test too when I heard that you passed it,” the Fox News host told Trump. “It’s not – well it’s not the hardest test. They have a picture and it says ‘what’s that’ and it’s an elephant.’”

  3. In my comment about the “diatribe” above, the issue is: who really did this and why?

    Those who politicize are the problem. This is often by design.

    One of the most destructive and unfortunately successful strategies in society, especially our society in America is this: deceive, distract, and divide.

    The perpetrators and purveyors know this all too well.

    The apparent troll “Joe” above is one of two things:

    1. For real about a comment like that; in which case “he” is a stupid person, and the very kind of dupe that “deceive, distract and divide” works against and effectively recruits for multiplication.

    2. A knowing perpetrator.

    Addressing the curious mention of Ivermectin in the purportedly “Anonymous” sourced diatribe is pertinent to the question of who really did this and why, what is really going on.

    Despite what some would falsely want you to think, or work to make you think, it has nothing to do with Trump supporters vs. the opposite, Democrats vs. Republicans, liberals vs. conservatives, or the false left/right paradigm. It has everything to do with the truth.

    A trollish “comment” like that of “Joe’s” above does nothing but perpetuate the false assumptions for politicization and divide, either genuinely by being a dupe oneself, or knowingly by design.

    Since people are so easily and continually deceived and manipulated in this way, I will mention there is a man with a popular YouTube channel named Jimmy Dore. This is a man who is anything but a Trump supporter, or Republican, or conservative, or “right winger,” and so forth. Nothing of the sort, as antithetical as it gets. In fact, he is actually what a genuine “leftist” in this country is, i.e. the USA. Not to be confused with “liberal,” who are normally referred to as the “left” 24/7 but who are actually not.

    Ergo, since the topic at hand is “who really did this hack and why,” and politicizing the matter along the lines of Trump vs. not-Trump, and “deceive, distract, and divide” is nothing but a red herring and huge misleading distraction, make no mistake that comments like that of “Joe” above have nothing to do with it.

    And to make sure those who are already so deceived or prone to such deception get it, don’t look at partisan media regarding the pertinent element of properly analyzing the hacking “diatribe” I addressed. Don’t believe the explicit or implicit suggestion and pressure that such political division is what anything is about. Look at what even a genuine “leftist” among others who care more about the truth than politics will show you through real journalism and real attention to actual science and truth. Look at what has really been going on in society and mainstream media in incontrovertible documented reality and truth:

    “Entire Media Pushes FAKE Ivermectin Story”

    https://www.youtube.com/watch?v=iDy4gVdMJ-I

    Which then brings you back to my original question: is it really humanly possible to be *genuinely* so unfathomably stupid in mentioning a subject like Ivermectin that way in the “diatribe” while simultaneously being as intelligent as one normally has to be to engage in such a hack? Is that really credible and believable, or could there be more to the question of who did this and why than what you are expected to believe at face value?

  4. As a former Epik user, I received all of the related emails about the hack including from haveibeenpwned. I requested that my account be deleted. Apparently basic credit card PCI compliance is unnecessary when your data is protected by God!

  5. virtual creditcards are the way to avoid some pain in situations like this.
    GoDaddy asked me why many diff #. Unintended breaches was the answer No worries of anyone getting real account #
    credit freeze is much easier to use today the reporting agencies will give you a specific
    # for use each time a company needs to run a check but your account will remain locked.
    emails, phone # already a lost cause to keep private
    Cheers

Leave a Reply