DigitalOcean Accidentally Leaks Customer Data
Cloud infrastructure provider DigitalOcean is informing customers that it inadvertently exposed some of their data to the Internet. DigitalOcean, one of the biggest modern web hosting platforms, was recently hit with a concerning data leak incident that exposed some of its customers’ data to unknown and unauthorized third parties. Though the hosting company has not yet publicly released a statement, it has started warning affected customers of the scope of the breach via email.
According to the breach notification email that affected customers [1, 2] received, the data leak was the result of negligence: DigitalOcean ‘unintentionally’ left an internal document accessible on the Internet without requiring any password. According to a notification sent to DigitalOcean users, the incident is linked to a 2018 company-owned document that was publicly available for viewing without requiring any authentication.
“This document contained your email address and/or account name (the name you gave your account at sign-up) as well as some data about your account that may have included Droplet count, bandwidth usage, some support or sales communications notes, and the amount you paid during 2018,” the letter reads. An investigation by the provider’s security team found the internal document was “accessed at least 15 times” before it was taken down.
The email alert also informed customers that the document had been accessed at least 15 times before the leak was noticed and plugged. DigitalOcean also revealed that less than 1% of its customer base was impacted by the incident, and that account name and email address represented the only personally identifiable information (PII) included in the exposed file.
A company spokesperson said:
“This was not related to a malicious act to access our systems. Our customers trust us with their data and we believe that an unintended use of that data, no matter how small, is reason enough to be transparent.”
“Our community is built on trust, so we are taking steps to make sure this doesn’t happen again. We will be educating our employees on protecting customer data, establishing new procedures to alert us of potential exposures in a more timely manner, and making configuration changes to prevent future data exposure.”
Note that this specific breach indicates neither that the DigitalOcean website was compromised nor that customers’ login credentials were leaked to attackers. While there is no indication of foul play or a targeted attack, changing your account password and enabling two-factor authentication is never a bad idea. Companies should start focusing on protecting customer data, regardless of the type of information they handle. Even with limited information, bad actors can still formulate phishing campaigns to steal additional information or financial details.