Escrow.com Sends Epik Security Breach Password Reset Email

12

This morning on NamePros, a user named astrade shared an email he received from Escrow.com suggesting that a password reset may be necessary due to the “security breach at domain registrar Epik.” The email suggests that the recipient change the password for the account at Escrow.com. Another email shared on NamePros by an Escrow.com customer indicates that Escrow.com automatically reset the user’s password.

I reached out to Jackson Elsegood, General Manager at Escrow.com, and he confirmed that the email was sent by Escrow.com. I also asked Jackson who, in general, received this password reset email.

Here’s what Jackson told me:

“This is a legitimate email that we sent out given the size of the hack and that passwords were involved. Over the past year and a half we’ve been building our security capabilities and one of the necessary initiatives is to proactively manage threats like this.

We contacted users we believed may be impacted by the breach and asked them to update their password in case it was compromised, and added a reminder not to share passwords across services.”

Jackson told me the that the analysis the company did is somewhat limited, so it would be a good idea to check a service like HaveIBeenPwned.com to understand if there is some exposure with your email address. Without a doubt, you should use a very different password for each website you use, and you should sign up for 2 factor authentication (2FA) if offered.

About The Author: Elliot Silver is an Internet entrepreneur and publisher of DomainInvesting.com. Elliot is also the founder and President of Top Notch Domains, LLC, a company that has sold seven figures worth of domain names in the last five years. Please read the DomainInvesting.com Terms of Use page for additional information about the publisher, website comment policy, disclosures, and conflicts of interest.

Reach out to Elliot: Twitter | Facebook | LinkedIn | Email

12 COMMENTS

  1. Everytime Epik is been mentioned,I get the domain PTSD and my email address has been pawned by Epik
    What my legal recourse?
    Who going to pay for my mental and physical pain and suffering?

  2. Generally speaking, you should already be doing this on a regular basis (updating your passwords) to protect your domains. It’s a good reminder that we don’t necessarily need a reminder from Escrow to update passwords.

    Why not go to all your domain registrar accounts and change/update passwords?

  3. I received the email and thought it was spam because there was a typo in the body of the message: “out” industry has been put on high alert instead of “our” industry has been put on high alert.

  4. Just to make it clear how badly Escrow.com has acted here:

    Escrow.com apparently looked at the leaked data, and only sent emails to those people (not to all Escrow.com customers). But it’s sleazy that they looked at the data.

    I have multiple accounts at Escrow.com, and they only sent their email to the one email address that was in the Epik hack.

    So they basically looked at the data and cross-referenced it with their customer list… but I don’t like them delving into hacked data like this.

  5. I received the Email Escrow.com I was not able to open it for my safety, for days I have received many emails subplanted from other brands and websites to send to Spam.

    Many emails have those who hack Epik.com the Escrow.com email could have been a pershing attack viruses (Only open the emails that are safe and I check everything like that before) I do not trust the hack in Epik.com was very strong

    I have all the domains, pay with a credit card and cancel it from my Epik account when checking my payment is done.

  6. and in further “faith-based-security” news, a 2nd tranch of Epik data has been leaked.

    This time it’s entire server images.

    Watch this guy boot up a copy of a live Epik server and scroll through keys for all the major domain industry API connections…

    https://twitter.com/WhiskeyNeon/status/1443308875604799495

    Domain Industry lessons:

    1. When flat-earth religious fanatics surface, don’t elevate them to Industry Spokesperson status.

    2. Karma always bats last.

    There endeth today’s lesson.

Leave a Reply