Ubiquiti’s Data Breach Incident May Be a Lot More Catastrophic Than We Thought
- Unconfirmed reports from anonymous “insider” sources claim that Ubiquiti’s data breach was a catastrophe.
- Hackers stole source code, accessed all databases, and could have compromised any IoT and any customer of the firm.
- The hackers demanded a payment of 50 bitcoin to remain silent about the incident when they were eventually discovered.
A whistleblower working in Ubiquiti has decided to disclosed juicy details to Brian Krebs, explaining that the data breach incident that made headlines in January is actually a lot worse than what we were made to believe. Back then, the company informed the public of unauthorized access to a third-party provider's systems, which unfortunately held information belonging to Ubiquiti clients and their accounts. The firm advised everyone to reset their passwords and enable 2FA, and that was about it.
Now, the anonymous source reports that the incident was a lot more catastrophic, involving a massive data breach and risking malicious access to a large number of customer devices in corporations and homes around the globe. According to the whistleblower, the hackers obtained full read/write access to Ubiquiti’s AWS databases, using the admin credentials of an IT employee of the firm who had them stored in LastPass. Thus, there was no third-party that suffered the breach, but Ubiquiti themselves and Amazon were in no way responsible for it.
Having full remote access, full source code control, and having performed singing keys exfiltration, the actors gained root privileges to all AWS accounts, S3 data buckets, all app logs, all user credentials, and everything needed to forge single-sign-on (SSO) cookies. Eventually, the intruders could have compromised any of Ubiquiti’s 85 million devices in over 200 countries.
The compromise was discovered in December 2020, when someone in Ubiquiti’s security team noticed several Linux virtual machines that shouldn’t be there, leading to the eventual discovery of a backdoor. When the hackers had their cover blown, they asked 50 bitcoin to keep the incident between them and the firm - otherwise, they threatened to leak stuff they had previously exfiltrated, like source code.
Ubiquiti reportedly chose not to pay the hackers, so they had to force credential resets and just bite the bullet. Of course, if the above is true, the networking firm has hidden many crucial details, delayed the disclosure of the incident, didn’t inform the clients of the dire risks they were running, and demonstrated an ignominious dearth in its security practices.
We have no way to tell if any of the above is true or accurate, so we are reproducing the reports with reservation. We’ve reached out to Ubiquiti to hear their side, and we will update this post as soon as they share a statement.