Ubiquiti
A whistleblower has accused network device manufacturer Ubiquiti of covering up the severity of a data breach that could allow customers' devices to be accessed without authorisation. The report by KrebsOnSecurity comes after Ubiquiti announced in January that "certain" of its IT systems had been breached and that it couldn't rule out the possibility that customer information had been accessed. In fact, it's claimed the breach was far more serious than the notice suggested and resulted in "full read/write access to Ubiquiti databases at Amazon Web Services (AWS). Legal silenced and overruled efforts to decisively protect customers," the whistleblower wrote to the European Data Protection Supervisor.
Ubiquiti has responded to Krebs' report with a statement that raises more questions than it answers (and has been roundly mocked by customers). While insisting nothing has changed since its original notification, Ubiquiti says there's no evidence that "customer information was accessed, or even targeted in the breach". To say that misses the point would be an understatement. The whistleblower's claim is that source code and IT credentials were stolen and that this is the key risk to customers. Ubiquiti doesn't deny the theft and simply says an extortion attempt was unsuccessful. This is an object lesson in how a lack of transparency can damage a brand permanently (and its share price, temporarily).
So what actually happened? According to the whistleblower, the attacker(s) accessed credentials that had been stored in the password manager of a Ubiquiti IT employee. Those credentials provided complete access to all of Ubiquiti's AWS accounts, including application logs, databases, user credentials, and secrets required to forge authentication mechanisms. It's not clear how the password manager was compromised, but it's a vivid reminder of the importance of securing such tools with the maximum available measures. There's a lot more to emerge about this story and we'll update as we learn more.