BreachExchange mailing list archives
Whistleblower claims Ubiquiti Networks data breach was ‘catastrophic’
From: Destry Winant <destry () riskbasedsecurity com>
Date: Wed, 31 Mar 2021 10:01:39 -0500
https://www.zdnet.com/article/whistleblower-claims-ubiquiti-networks-data-breach-was-catastrophic/

A whistleblower involved in the response to a data breach suffered by Ubiquiti Networks has claimed the incident was downplayed and could be described as "catastrophic."

On January 11, the networking equipment and Internet of Things (IoT) devices provider began sending out emails to customers informing them of a recent security breach. The company said that someone had obtained "unauthorized access" to Ubiquiti systems hosted by a "third-party cloud provider," in which account information was stored for the ui.com web portal, a customer-facing device management service.

At the time, the vendor said information including names, email addresses, and salted/hashed password credentials may have been compromised, alongside home addresses and phone numbers if customers input this data within the ui.com portal. Ubiquiti did not reveal how many customers may have been involved. Customers were asked to change their passwords and to enable two-factor authentication (2FA).

Several months later, however, a source who "participated" in the response to the security breach told security expert Brian Krebs that the incident was far worse than it seemed and could be described as "catastrophic."

Speaking to KrebsOnSecurity after raising his concerns through both Ubiquiti's whistleblower line and European data protection authorities, the source claimed that the third-party cloud provider explanation was a "fabrication" and the data breach was "massively downplayed" in an attempt to protect the firm's stock value.

In a letter penned to European regulators, the whistleblower wrote: "It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers. The breach was massive, customer data was at risk, access to customers' devices deployed in corporations and homes around the world was at risk."
According to the alleged responder, cybercriminals gained administrative access to AWS Ubiquiti databases via credentials stored and stolen from an employee's LastPass account, permitting them to obtain root admin access to AWS accounts, S3 buckets, application logs, secrets for SSO cookies, and all databases, including those containing user credentials.

The source also told Krebs that in late December, Ubiquiti IT staff found a backdoor planted by the threat actors, which was removed in the first week of January. A second backdoor was also allegedly discovered, leading to employee credentials being rotated before the public was made aware of the breach.

The cyberattackers contacted Ubiquiti and attempted to extort 50 Bitcoin (BTC) -- roughly $3 million -- in return for silence. However, the vendor did not engage with them.

ZDNet has reached out to Ubiquiti Networks and we will update when we hear back.

_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange