On March 21, 2021, the IoT device vendor Ubiquiti found itself in a difficult position when a whistleblower revealed that the company had failed to disclose important details about a data breach from earlier in the year, according to The Verge. While the company had initially stated that the breach was limited to a "third-party cloud provider," the whistleblower suggested that a hacker had actually gained access to all of Ubiquiti's AWS servers — an exploit of much greater magnitude than what was initially revealed to consumers.
An issue in the cloud
When Ubiquiti first disclosed its data breach on Jan. 11, 2021, the potential risk to consumers was presented as being relatively low. In an email to customers that was also posted on its official forum, the company noted that a breach had occurred, but claimed that no user profiles or databases were affected. The statement did, however, acknowledge that it was possible this information could have been compromised, and encouraged users to change their passwords and enable two-factor authentication on their accounts.
"We have no indication that there has been unauthorized activity with respect to any user's account … We are not currently aware of evidence of access to any databases that host user data, but we cannot be certain that user data has not been exposed. This data may include your name, email address, and the one-way encrypted password to your account (in technical terms, the passwords are hashed and salted)," the statement read.
Notably, the company seemed to suggest that the issue lay in the hands of a "third-party cloud provider." While it was true that the breach occurred on an AWS server, the way hackers allegedly accessed information fell under the purview of Ubiquiti.
While Ubiquiti's initial announcement was at first accepted at face value, the plot soon thickened. On March 21, the cybersecurity blog Krebs on Security posted a piece detailing the full scope of the company's data breach and contradicting many of its initial claims.
The source for Krebs on Security's revelations was a security professional at Ubiquiti who was concerned enough about their employer's conduct to report it. In addition to KrebsOnSecurity, the whistleblower reached out to Ubiquiti's own whistleblower hotline and the European Data Protection Supervisor to voice their concerns.
"[The data breach] was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers… The breach was massive, customer data was at risk, access to customers' devices deployed in corporations and homes around the world was at risk," the whistleblower said to the European Data Protection Supervisor.
Rather than the small vendor issue that Ubiquiti had initially claimed, the whistleblower alleged that a hacker had compromised the LastPass account of an IT employee and gained full administrator access to the company's AWS account. Among the information reachable from that account was the entirety of the company's S3 data buckets, application logs, databases and their respective credentials.
Ubiquiti's team was able to uncover the exploit in December 2020, after discovering a backdoor that the hacker had put in place. Once the backdoor was removed, the alleged hacker reached out to Ubiquiti with a ransom request for 50 bitcoin. In exchange for the payment, the hacker said they would not make the event public and would reveal a second backdoor that had not been removed. The company ultimately did not engage with the ransom request and discovered the backdoor on its own, according to the whistleblower.
While mostly known for its routers, Ubiquiti also makes network video recorders and security cameras. Currently, about 85 million of the company's devices are in use. While Ubiquiti stock initially remained high after their first breach disclosure, shares dropped 15% following the whistleblower's revelations.
Cybersecurity in every sector
Even if your organization doesn't work in the cybersecurity sector itself or handle sensitive customer data, keeping your data safe from hackers is still a priority. One of the easiest and most important ways to shore up your network is by ensuring all of your applications are protected by modern, secure identity frameworks. This can include multi-factor authentication, and some vendors are even moving to integrate biometric recognition technologies such as fingerprint readers.