Internet of things (IoT) manufacturer Ubiquiti allegedly downplayed the severity of a data breach it revealed in January, according to reports.
Security blogger Brian Krebs, a former Washington Post reporter, spoke to a security professional claiming to work for Ubiquiti. The employee said the breach was "catastrophic", and the company downplayed the fallout to minimize the effect on its share price.
Ubiquiti makes IoT equipment, including mesh Wi-Fi systems. In January, it warned customers that intruders accessed systems hosted by a third-party cloud provider. "We are not currently aware of evidence of access to any databases that host user data, but we cannot be certain that user data has not been exposed," Ubiquiti said at the time.
Exposed data might include names, email addresses, and encrypted account passwords, the company added, before encouraging people to change their passwords as a cautionary measure.
The security professional said the breach was far worse than the company let on. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk,” he told Krebs.
RELATED RESOURCE
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisation
According to Krebs' source, the cloud service provider was Amazon Web Services, and the hackers got full administrative access to servers there after finding a Ubiquiti employee's password. This allegedly allowed them read/write access to Ubiquiti's databases, cryptographic secrets for users' online sessions, and sign keys and source code.
The breach also gave the attackers root access to all of the companies' AWS accounts, including all S3 data buckets, the source continued.
This reportedly enabled the attackers to authenticate remotely to Ubiquiti devices worldwide.
Ubiquiti reportedly found a back door the attackers left in the system, but the attackers tried to blackmail the company for 50 bitcoins to stay quiet. The company refused to engage the attackers, according to Krebs' story.
Instead of suggesting a password change, the company should have forcibly changed them, along with reverting device access permissions, the source said. However, the company's legal department overrode those requests.
-
Capita tells pension provider to 'assume' nearly 500,000 customers' data stolenCapita told the pension provider to “work on the assumption” that data had been stolen
-
Gumtree site code made personal data of users and sellers publicly accessibleNews Anyone could scan the website's HTML code to reveal personal information belonging to users of the popular second-hand classified adverts website
-
Pizza chain exposed 100,000 employees' Social Security numbersNews Former and current staff at California Pizza Kitchen potentially burned by hackers
-
83% of critical infrastructure companies have experienced breaches in the last three yearsNews Survey finds security practices are weak if not non-existent in critical firms
-
Identity Automation launches credential breach monitoring serviceNews New monitoring solution adds to the firm’s flagship RapidIdentity platform
-
Neiman Marcus data breach hits 4.6 million customersNews The breach took place last year, but details have only now come to light
-
Indiana notifies 750,000 after COVID-19 tracing data accessedNews The state is following up to ensure no information was transferred to bad actors
-
Pearson fined $1 million for downplaying severity of 2018 breachNews The SEC found the London-based firm made “misleading statements and omissions” about the intrusion
