Ubiquiti Accused of Covering Up a ‘Catastrophic’ Data Breach
The Company Isn’t Denying the Allegations; Meanwhile, Countless Cloud-Based Devices Are at Risk of Takeover.
On January 11th, American technology company Ubiquiti disclosed that a security breach involving a third-party cloud provider had exposed customer account credentials. The company told customers to reset their passwords and enable multifactor authentication, saying the breach might have exposed user account data. In addition, Ubiquiti said it was “not currently aware of evidence of access to any databases that host user data, but we cannot be certain that user data has not been exposed.”
However, a source who participated in the response to that breach claims that Ubiquiti, a major vendor of cloud-enabled IoT devices such as routers, network video recorders, and security cameras, softened a “catastrophic” incident to minimize the hit to its stock price, and that the third-party cloud provider claim was a fabrication.
On March 30th, KrebsOnSecurity reported that a source who participated in the response to the breach said Ubiquiti should have immediately invalidated all credentials because all of the company’s key administrator passwords had been compromised as well. What’s more, the whistleblower said the company never kept any logs of who was accessing its databases, and that the “third party” blamed for the hack was in fact Ubiquiti’s own presence on Amazon Web Services (AWS).
In a note entitled “Update to January 2021 Account Notification”, Ubiquiti stated:
“Nothing has changed with respect to our analysis of customer data and the security of our products since our notification on January 11. In response to this incident, we leveraged external incident response experts to conduct a thorough investigation to ensure the attacker was locked out of our systems.”
Ubiquiti said it has “well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure. As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further”, hinting that the company has an idea of who is responsible for the attack.
The general reaction was that the company had failed to properly communicate with its customers. That Ubiquiti is not denying the allegations, and indicates that they could be true, suggests that the original email was, at the very least, an insufficient warning. It encouraged users to change their passwords when a more appropriate response would have been to immediately lock all accounts and require a password reset.