DigitalOcean, a cloud solutions provider, has notified its customers of a data breach that exposed customers’ billing data. Two versions of the email from DigitalOcean seem to be in circulation.
One of these emails was broken down into:
- The problem
- What happened, and
- What we’ve done
What’s The Issue
Here’s a screenshot of one of the emails and I’ll break it down in this report.
The second version of the email from the company states that a link to a DigitalOcean-owned document from 2018 was mistakenly left online, exposing customer details.
Although the leak was unintentional, the document contained customers’ Personally Identifiable Information (PII), including:
- The name customers used at sign-up
- Their email address
- Bandwidth usage
- Droplet count
- Notes they may have exchanged with sales and support
- What they paid in 2018
According to DigitalOcean, the flaw has been fixed.
The company noticed this problem on April 26, 2021.
Prior to taking down the document, the security team investigated the public link through which the document was leaked and found that someone had exploited the exposure: between April 9 and April 22, 2021, the document was accessed 15 times.
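The investigation step described above (checking who fetched the exposed link, how often, and within which date window) can be reproduced against ordinary web server access logs. The following is an added example, not DigitalOcean’s code or anything taken from its disclosure; the log lines, document path, IP addresses and dates are constructed, and it assumes Apache/Nginx Common Log Format with UTC timestamps.

```python
"""
Added example (not DigitalOcean's code): measure how often an exposed document
was successfully fetched during an investigation window, and from how many
distinct source addresses. All sample data below is constructed.
"""
from collections import Counter
from datetime import datetime, timezone
import re

# Constructed access-log lines in Common Log Format (hypothetical path, IPs and times).
SAMPLE_LOG = """\
203.0.113.5 - - [08/Apr/2021:11:02:10 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [09/Apr/2021:03:14:07 +0000] "GET /exports/billing-2018.csv HTTP/1.1" 200 88231
198.51.100.7 - - [10/Apr/2021:19:45:33 +0000] "GET /exports/billing-2018.csv HTTP/1.1" 200 88231
198.51.100.7 - - [10/Apr/2021:19:45:35 +0000] "HEAD /exports/billing-2018.csv HTTP/1.1" 200 0
192.0.2.44 - - [22/Apr/2021:23:59:59 +0000] "GET /exports/billing-2018.csv HTTP/1.1" 200 88231
192.0.2.44 - - [23/Apr/2021:00:00:01 +0000] "GET /exports/billing-2018.csv HTTP/1.1" 200 88231
203.0.113.5 - - [12/Apr/2021:08:00:00 +0000] "GET /exports/billing-2018.csv HTTP/1.1" 404 0
"""

# One Common Log Format line: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def exposure_report(log_text, path, start_date, end_date):
    """
    Count successful (2xx) GET requests for `path` with start_date <= ts < end_date.
    Dates are ISO strings (YYYY-MM-DD) interpreted as UTC; end_date is exclusive,
    so a window of April 9 through April 22 is ("2021-04-09", "2021-04-23").
    HEAD requests and non-2xx responses are excluded because no document body
    was served; a separate count of them can be useful as evidence of probing.
    """
    start = datetime.fromisoformat(start_date).replace(tzinfo=timezone.utc)
    end = datetime.fromisoformat(end_date).replace(tzinfo=timezone.utc)
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    hits = [
        e for e in entries
        if e["path"] == path and e["method"] == "GET"
        and 200 <= e["status"] < 300 and start <= e["ts"] < end
    ]
    per_ip = Counter(e["ip"] for e in hits)
    return {
        "count": len(hits),
        "distinct_ips": len(per_ip),
        "per_ip": dict(per_ip),
        "first_seen": min(e["ts"] for e in hits).isoformat() if hits else None,
        "last_seen": max(e["ts"] for e in hits).isoformat() if hits else None,
    }


if __name__ == "__main__":
    report = exposure_report(SAMPLE_LOG, "/exports/billing-2018.csv",
                             "2021-04-09", "2021-04-23")
    for key, value in report.items():
        print(f"{key}: {value}")
```

The window end is exclusive so that a request at 23:59:59 on the last day of the window is counted while one second into the next day is not; the 404 line and the HEAD probe are deliberately left out of the count, since neither returned the document’s contents.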
DigitalOcean’s Response
DigitalOcean has accepted the mistake as theirs and stated that they hold themselves accountable. The letter explained that DigitalOcean’s community is built on trust, and to ensure that such a mistake doesn’t happen again in the future, they’ll do the following:
- Establish new procedures that alert them in time to potential threats
- Educate their employees on protecting customer data, and
- Make changes in the configuration to prevent exposure in the future
However, they assure customers that the leak had no impact on their droplets or other systems that they run on the DigitalOcean platform. And they promise to remain transparent and let customers know if their data is used in ways that don’t align with the company’s values.
They also encourage customers to reach out with any concerns or questions by replying to the email they received about the incident.
Should You Be Concerned?
The exposed document also contained billing information like:
- The last four digits of the payment card
- The card-issuing bank, and
- The card’s expiry date
DigitalOcean insists, however, that customers’ accounts on the platform weren’t accessed, and that the breach didn’t involve their account tokens either.
As far as the cloud infrastructure giant is concerned, they notified data protection authorities and fixed the flaw. But the exact nature of the flaw that exposed customers’ billing details is still not clear.
Tyler Healy, DigitalOcean’s security chief, said the breach affected one percent of customers’ billing profiles. However, TechCrunch reported that he didn’t answer specific questions, such as how the vulnerability was discovered and which authorities were informed.
Some of DigitalOcean’s customers are yet to receive any of these emails from the company. So either the sending process is ongoing, or the company is emailing only the one percent affected by the leak.
Final Thoughts
No one knows why the unauthorized user accessed the document that number of times. And it’s not clear if they made copies of the document. But, I’m sure you don’t want to find out before taking the necessary steps.
If you plan to review your hosting options with DigitalOcean, check out this review and performance analytics here. You can also use this free checklist to streamline your search.