DigitalOcean Data Leak Incident Exposed Some of Its Customers' Data
Though the hosting company has not yet publicly released a statement, it has started warning affected customers of the scope of the breach via email.
According to the breach notification email that affected customers [1, 2] received, the data leak happened due to negligence where DigitalOcean ‘unintentionally’ left an internal document accessible to the Internet without requiring any password.
“This document contained your email address and/or account name (the name you gave your account at sign-up) as well as some data about your account that may have included Droplet count, bandwidth usage, some support or sales communications notes, and the amount you paid during 2018,” the company said in the warning email.
Upon discovery, a quick digital investigation revealed that the exposed file containing customers’ data was accessed by unauthorized third parties at least 15 times before the document was finally taken down.
“Our community is built on trust, so we are taking steps to make sure this doesn’t happen again. We will be educating our employees on protecting customer data, establishing new procedures to alert us of potential exposures in a more timely manner, and making configuration changes to prevent future data exposure,” the company added.
Note that this specific breach does not indicate that the DigitalOcean website was compromised, nor that customers’ login credentials were leaked to the attackers.
So, if you have an account with the hosting service, you don’t have to rush into changing your password. However, the service also offers two-factor authentication that every user must enable to add an extra layer of security to their accounts.
The Hacker News has reached out to DigitalOcean for a comment, and the story will be updated with the response.