When Ubiquiti, Inc. was breached, it informed its users in mid-January. But in March, a whistleblower came forward, calling the breach potentially “catastrophic.”
Ubiquiti, Inc. announced it had suffered a breach in mid-January. The company notified customers and recommended that passwords were changed and two-factor authentication should be enabled. At the end of March, however, a whistleblower came forward, someone who worked on the response team for this breach. This person claims that the breach is much worse than the company let on, and that Ubiquiti was covering up the details to prevent stocks from dropping.
The whistleblower also said that the company’s blaming of the breach on an unnamed third-party cloud services provider was made up. He alleges the company massively downplayed a “catastrophic” incident, and contacted both Ubiquiti’s whistleblower hotline and European data protection authorities. Krebs on Security refers to the whistleblower as “Adam.”
“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers,” Adam wrote in a letter to the European Data Protection Supervisor. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”
Essentially, Ubiquiti sought to appear that they weren’t the actual target, just collateral damage. The truth, though, according to the whistleblower, is that the hackers obtained administrative access to credentials previously stored in a LastPass account of an employee. Through those credentials, they had root administrator access to all Ubiquiti AWS accounts, including S3 buckets, application logs, databases, user database credentials and secrets required for single sign-on cookies. Basically, they had access to everything under Ubiquiti’s umbrella. Plus the access allowed remote authentication to an untold amount of Ubiquiti cloud-based devices worldwide.
“Ubiquiti had negligent logging (no access logging on databases) so it was unable to prove or disprove what they accessed, but the attacker targeted the credentials to the databases, and created Linux instances with networking connectivity to said databases,” Adam wrote in his letter. “Legal overrode the repeated requests to force rotation of all customer credentials, and to revert any device access permission changes within the relevant period.”
Ubiquiti is a 15-year old technology company and major vendor of cloud-enabled IoT devices. Given the known insecurities around IoT devices and the rise in cyberattacks over the last year, you would think that a large technological organization would handle this situation differently. They sent out two notices to customers (January 11 and March 31), both of which recommended changing passwords and enabling 2FA. That’s a great recommendation, but falls short.
Aside from their handling of the breach, Ubiquiti has some questions to answer with regard to their business practices. No access logging? If someone’s credentials are stolen (kind of like the ones that were) you have no way to prove that your employee was not the one who logged into the system.
As a business owner or business leader, you have enough on your plate. You cannot expect to have all of the answers all of the time, nor can you expect to accomplish tasks that are not your area of expertise. That is why there are experts in all industries, and it’s okay to use them, that’s why they are there. Do what needs done to keep the business profitable and leave security to the experts.