The Epik breach has some security mistakes in it that are so damaging they take my breath away. But I guess this shouldn’t be surprising given Rob Monster’s approach to business. A thread.
Here’s the Epik CEO trying to hire Jack Corbin, aka Daniel McMahon, serial harasser, cyber stalker now sitting in jail. https://t.co/8EAFKH0OBA
Here’s him dragging Cloudflare and calling them a honeypot and saying they have bad security. Can’t make this stuff up folks. https://t.co/nXB7oa732Q
Instead of taking 10 seconds to salt and hash his users’ passwords, Rob spent his time making sure the Christchurch shooter’s manifesto was freely available on the web, then grandstanding about it and using it to sell products. https://t.co/C3Eso4dUzU
Here he asks for people to send him intel on me because I called him out on the Christchurch thing. https://t.co/bIQ4N99jiq
I am not sure if his users will sue him or how that will unfold but the scope of the incompetence and negligence is really something.
Probably my favorite example was him logging user passwords and failed login attempts in plaintext. So he compromised the users’ current passwords AND their passwords on other sites. Plus he never rotated these logs so failed logins could have been used to fill up the disk too.
This is one of those times where I’m actually kind of embarrassed to use this fiasco as a use case in cybersecurity class because I don’t actually want my students to know this level of incompetence and buffoonery exists and its perpetrators live among us.
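The three mistakes the thread calls out (no salt and hash on stored passwords, submitted passwords written to a plaintext log, and a log that is never rotated) beside the hardened handling of each, as an added example that is not Epik's code or the thread author's; the in-memory user store, usernames and log path are constructed for the demo:

```python
import hashlib, hmac, logging, os, tempfile
from logging.handlers import RotatingFileHandler

USERS = {}  # constructed in-memory store: username -> (salt, scrypt hash); no plaintext kept

def hash_password(password, salt):
    # Memory-hard KDF with a random per-user salt, so identical passwords hash differently
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def register(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, hash_password(password, salt))

def make_logger(path):
    # Size-bounded, rotating auth log: a flood of failed logins cannot fill the disk
    logger = logging.getLogger("auth." + path)
    logger.setLevel(logging.INFO)
    if not logger.handlers:
        handler = RotatingFileHandler(path, maxBytes=1_000_000, backupCount=5)
        handler.setFormatter(logging.Formatter("%(asctime)s %(message)s"))
        logger.addHandler(handler)
    return logger

def auth_event(username, ok):
    # Record who and whether; appending password=... here is exactly the thread's mistake
    return f"login {'ok' if ok else 'failed'} user={username}"

def login(username, password, logger=None):
    record = USERS.get(username)
    if record is None:
        ok = False  # unknown user gets the same log line shape as a wrong password
    else:
        salt, stored = record
        ok = hmac.compare_digest(stored, hash_password(password, salt))  # constant-time
    (logger or logging.getLogger("auth")).info(auth_event(username, ok))
    return ok

def log_leaks_secret(username, secret):
    # Drive a failed and a successful login through a temp log; report if the secret appears
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        logger = make_logger(path)
        register(username, secret)
        login(username, "wrong-guess", logger)
        login(username, secret, logger)
        for handler in list(logger.handlers):
            handler.close()
            logger.removeHandler(handler)
        with open(path) as f:
            return secret in f.read()
```

Both the wrong guess and the real password pass through the same code path, and neither reaches the log file or the user store.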