US-based domain registrar EPIK has experienced a security incident involving the potential theft of domain name registrants' credit card data. The company sent mass emails to its customers on Sunday. In the email, EPIK shared details of the security incident, that is, the hacking of the site and of customer data.

The domain registrar is looking into the scale of the security incident and has deployed multiple cyber security consultants and teams. We can hope that EPIK’s management team is looking into conducting a full-scale forensic audit to share the extent of the data loss and to confirm whether credit card data and details were compromised as part of the hacking attempt on the site. It would be fair to call for a detailed study of what caused the breach and its eventual impact on customer data.
It would also be fair to expect a statement from EPIK about the claims of the security researcher Corben Leo. Corben mentioned that he had reached out to EPIK about a vulnerability and wanted to know about EPIK’s bug bounty program or a process for reporting the vulnerability. EPIK’s CEO Rob Monster did not reply to the outreach. Corben has released the following statement to TechCrunch:
Leo told TechCrunch that a library used on Epik’s WHOIS page for generating PDF reports of public domain records had a decade-old vulnerability that allowed anyone to remotely run code directly on the internal server without any authentication, such as a company password.
“You could just paste this [line of code] in there and execute any command on their servers,” Leo told TechCrunch.
Initial estimates suggest that 180 GB of user data has been stolen by the hackers. This includes domain name details, registrant details, transaction details and credit card details. Whether this 180 GB of user data is the only data that has been compromised is something that EPIK would need to confirm. The email sent to customers does not seem to confirm the extent of the damage done.
The past few months have seen a lot of US businesses being targeted for ransom or for theft of user data. More and more companies are deploying added cyber security measures to resolve vulnerabilities on the go. We hope EPIK will streamline its systems and deploy cyber security professionals who can protect domain data and user data more aggressively. For now, we suggest that if you have domains at EPIK, you consider moving them to a new registrar or at least change your passwords, so that you have taken basic steps to protect your domain investments.
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.