Twitter Thread: Epik's utter lack of security & terrible decisions boggle my mind

Posted September 24, 2021 in twitter-threads

Background: This is an archived Twitter thread. For more information, read: Elon banned me from Twitter for doing journalism. Good riddance.

Original URL of Twitter thread: https://twitter.com/micahflee/status/1441554221183033346


Epik's utter lack of security & terrible decisions boggle my mind. They logged plaintext passwords for login failures, MD5(password) on success.

I tried cracking all MD5s using a wordlist of the plaintexts...

Now I have 11,000 actual passwords used by Epik customers #EpikFail

Posted 5:04 PM · Sep 24, 2021, 218 Retweets, 1,132 Likes


Importing them all into a database so I can see what the most popular passwords are of these 12k cracked ones...

(note that the updated rows number could be misleading; it could be the same user logging on many times, I'm pretty sure)

Posted 7:42 PM · Sep 26, 2021, 4 Retweets, 49 Likes


The most popular passwords out of the 12k that I cracked

Posted 9:00 PM · Sep 26, 2021, 14 Retweets, 45 Likes
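The thread describes two steps: cracking unsalted MD5 hashes from successful logins with a wordlist built from the plaintext passwords that failed logins leaked, and then tallying which recovered passwords are most common, with the caveat that one user logging in many times should not inflate the count. The script below is an added example written for this page, not code from the thread and not Epik's log format (which the thread does not show). The log lines, usernames, passwords and the `LOGIN_FAIL`/`LOGIN_OK` layout are constructed and assumed; the MD5 digests are the real digests of the shown plaintexts, except `erin`'s, whose password never appears in a failure and therefore stays uncracked.

```python
"""
Recover passwords from a log that records plaintext passwords on failed
logins and unsalted MD5(password) on successful logins, then count the
most common recovered passwords once per user rather than once per login.

Added example for this page. The log format is an assumption, not Epik's.
"""
import hashlib
import re
from collections import Counter

# Constructed sample log (assumed format). The md5= values are md5() of the
# plaintexts that appear in the LOGIN_FAIL lines, except erin's, which is the
# md5 of a string that never appears as a failed-login plaintext.
SAMPLE_LOG = """\
2021-09-01T08:00:01 LOGIN_FAIL user=alice password=password
2021-09-01T08:00:09 LOGIN_OK   user=alice md5=5f4dcc3b5aa765d61d8327deb882cf99
2021-09-01T08:05:22 LOGIN_FAIL user=bob password=123456
2021-09-01T08:05:30 LOGIN_OK   user=bob md5=e10adc3949ba59abbe56e057f20f883e
2021-09-02T09:10:00 LOGIN_OK   user=bob md5=e10adc3949ba59abbe56e057f20f883e
2021-09-02T09:10:30 LOGIN_OK   user=bob md5=e10adc3949ba59abbe56e057f20f883e
2021-09-02T11:00:00 LOGIN_FAIL user=carol password=qwerty
2021-09-02T11:00:04 LOGIN_OK   user=carol md5=d8578edf8458ce06fbc5bb76a58c5ca4
2021-09-03T12:00:00 LOGIN_FAIL user=dave password=Password1
2021-09-03T12:00:05 LOGIN_OK   user=dave md5=5f4dcc3b5aa765d61d8327deb882cf99
2021-09-03T13:00:00 LOGIN_OK   user=erin md5=9e107d9d372bb6826bd81d3542a419d6
"""

# One regex for both line kinds; password=... runs to end of line so that
# passwords containing spaces are kept intact.
LINE_RE = re.compile(
    r"^\S+\s+(LOGIN_FAIL|LOGIN_OK)\s+user=(\S+)\s+"
    r"(?:password=(.*)|md5=([0-9a-f]{32}))\s*$"
)


def parse_log(text):
    """Return (failures, successes): lists of (user, plaintext) and (user, md5hex)."""
    failures, successes = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        result, user, plain, digest = m.groups()
        if result == "LOGIN_FAIL":
            failures.append((user, plain))
        else:
            successes.append((user, digest))
    return failures, successes


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def build_lookup(wordlist):
    """Map md5hex -> plaintext for every candidate. Because the hashes are
    unsalted, each candidate is hashed once and matches any user's digest."""
    return {md5_hex(w): w for w in set(wordlist)}


def crack(successes, lookup):
    """Return (cracked, uncracked): {user: password} and the set of users
    none of whose successful-login digests appear in the lookup."""
    cracked, seen = {}, set()
    for user, digest in successes:
        seen.add(user)
        if digest in lookup:
            cracked[user] = lookup[digest]
    return cracked, seen - set(cracked)


def most_common_per_user(cracked, n=10):
    """Count each password once per user, so repeated logins do not inflate it."""
    return Counter(cracked.values()).most_common(n)


def most_common_per_login_row(successes, lookup, n=10):
    """The misleading tally: one count per successful-login row."""
    return Counter(lookup[d] for _, d in successes if d in lookup).most_common(n)


if __name__ == "__main__":
    failures, successes = parse_log(SAMPLE_LOG)
    lookup = build_lookup(p for _, p in failures)
    cracked, uncracked = crack(successes, lookup)
    print("cracked:", cracked)
    print("uncracked users:", sorted(uncracked))
    print("per user:", most_common_per_user(cracked))
    print("per login row:", most_common_per_login_row(successes, lookup))
```

Two things the sample is built to show: `dave` never typed his real password into a failed login, but it is still recovered because `alice` did, which is why a wordlist drawn from everyone's plaintext failures cracks more than each user's own failures would; and counting per login row puts `bob`'s `123456` on top (three logins) while counting once per user puts `password` on top, which is the distortion the thread warns about.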