Ubiquiti Inc., a major provider of cloud-enabled Internet of Things (IoT) equipment such as routers, network video recorders, and surveillance cameras, announced on the 11th of January that its customer account information had been compromised due to a breach involving a third-party cloud service provider. According to a whistle-blower involved in the response to the breach, Ubiquiti significantly downplayed a “catastrophic” incident in order to limit the damage to its stock price, and the third-party cloud provider assertion was a hoax.
Ubiquiti, whose consumer-grade routers have become associated with security and manageability, is accused of concealing a “catastrophic” security breach. The company said that someone gained “unauthorized access” to the company’s servers, which were operated by a “third-party cloud provider” and where data for the ui.com web portal was stored.
The vendor said that the data exposed in the intrusion included names, email addresses, and likely hashed password credentials, as well as residential addresses and phone numbers of customers, but it did not indicate how many customers were affected.
Since Ubiquiti reportedly left root administrator logins in a LastPass account, hackers had complete access to the company’s AWS servers, and they could have accessed any Ubiquiti networking hardware that customers had set up to monitor through the company’s cloud service.
When Ubiquiti eventually released a statement, it was far from reassuring — in truth, it was woefully inadequate. The company stated again that there was no proof that any user data had been hacked or stolen.
However, as security specialist Brian Krebs points out, the whistle-blower clearly stated that the organization does not keep logs of who did or did not access the compromised servers, logs which would serve as evidence. Ubiquiti’s statement also says that the hacker tried to extort money from the company. However, the whistle-blower, who “participated” in the security breach investigation, told Krebs a few months later that the event was even worse than it appeared and could be characterized as “catastrophic.” The source reported to KrebsOnSecurity that perhaps the third-party cloud provider justification was a “fabrication” and that the security breach was “massively downplayed” in an effort to preserve the company’s stock value.
In a letter to European regulators, the whistle-blower wrote: “It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers. The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”
According to Krebs, Ubiquiti IT workers discovered a vulnerability planted by threat actors in late December, which was eliminated in the first week of January. When a second vulnerability was found, employee passwords were reportedly rotated before the public was informed of the breach. The cybercriminals approached Ubiquiti and requested 50 Bitcoin (roughly $3 million) in exchange for silence. The vendor, however, did not respond.