DigitalOcean Customer Billing Data Accessed in Data Breach


DigitalOcean, a cloud solutions provider, has notified its customers of a data breach that exposed customers’ billing data. Two versions of the notification email from DigitalOcean appear to be in circulation.

One of these emails is broken down into three sections:

  • The problem
  • What happened, and
  • What we’ve done

What’s The Issue

Here’s a screenshot of one of the emails and I’ll break it down in this report.

The second version of the email from the company shows that a link to a DigitalOcean-owned document from 2018 was mistakenly left online, exposing customer details.

Although the leak was unintentional, the document contained customers’ Personally Identifiable Information (PII), including:

  • The name customers used at sign-up
  • Their email address
  • Bandwidth usage
  • Droplet count
  • Notes they may have exchanged with sales and support
  • What they paid in 2018

According to DigitalOcean, the flaw has been fixed.

The company noticed this problem on April 26, 2021. 

Before taking the document down, the security team investigated the public link through which it was exposed and found that someone had exploited the vulnerability: between April 9 and April 22, 2021, the document was accessed 15 times.

DigitalOcean’s Response

DigitalOcean has accepted the mistake as theirs and stated that they hold themselves accountable. The letter explained that DigitalOcean’s community is built on trust, and to ensure that such a mistake doesn’t happen again in the future, they’ll do the following:

  • Establish new procedures that alert them promptly to potential threats
  • Educate their employees on protecting customer data, and
  • Make configuration changes to prevent exposure in the future

However, they assure customers that the leak had no impact on their droplets or other systems they run on the DigitalOcean platform. They also promise to remain transparent and to let customers know if their data is used in ways that don’t align with the company’s values.

They also encourage customers to reach out with any concerns or questions by replying to the email they received about the incident.

Should You Be Concerned?

The exposed document also contained billing information like:

  • The last four digits of the payment card
  • The card-issuing bank, and
  • The card’s expiry date

Still, DigitalOcean insists that customers’ accounts on the platform weren’t accessed and that the breach didn’t involve account tokens either.

As far as the cloud infrastructure giant is concerned, they notified data protection authorities and fixed the flaw. But the nature of the flaw that exposed customers’ billing details is still not clear.

Tyler Healy, DigitalOcean’s security chief, said the breach affected one percent of customers’ billing profiles. However, TechCrunch reported that he didn’t answer specific questions, such as how the vulnerability was discovered and which authorities were informed.

Some of DigitalOcean’s customers are yet to receive either of these emails from the company. So either the sending process is still ongoing, or emails are going only to the one percent of customers affected by the leak.

Final Thoughts

No one knows why the unauthorized user accessed the document that number of times. And it’s not clear if they made copies of the document. But, I’m sure you don’t want to find out before taking the necessary steps.

If you plan to review your hosting options with DigitalOcean, check out this review and performance analytics here. You can also use this free checklist to streamline your search.
