DigitalOcean, one of the largest modern cloud hosting platforms, recently suffered a data leak that exposed some of its customer data to unauthorized third parties.
Although the hosting company has not yet released a public statement, it has begun notifying affected customers of the extent of the exposure by email.
According to the breach notification email received by customers [1, 2], the leak was the result of an operational error: DigitalOcean "inadvertently" left an internal document accessible on the Internet without requiring a password.
"This document included your email address and/or account name (the name you gave to your account when you registered), as well as some account data that may have included your Droplet usage bandwidth, some support notes or sales communications, and the amount you paid during 2018," the company said in the email alert, as shown below.
Following the discovery, a forensic investigation revealed that an unauthorized third party had accessed the exposed file containing customer data at least 15 times before the document was permanently removed.
"Our community is built on trust, so we are taking steps to make sure this doesn't happen again. We will educate our employees on customer data protection, establish new procedures to alert us to potential exposures in a more timely manner, and make configuration changes to prevent future data exposure," the company added.
It should be noted that this incident does not indicate that DigitalOcean's systems were compromised, or that customer login credentials were exposed to attackers.
So, if you have an account with the hosting service, there is no need to rush to change your password. The service does, however, offer two-factor authentication, which all users should enable to add an extra layer of protection to their accounts.
The Hacker News has reached out to DigitalOcean for comment and will update this story with the company's response.
Update – A company spokesperson confirmed the incident to The Hacker News and shared the following statement:
"We found a document that had been shared publicly, and while we are confident that there was no malicious access to that document, we have notified our customers regardless, in the interest of transparency. Less than 1% of our customer base was affected, and the only PII included in the file was the account name and email address.
"This was not tied to a malicious attempt to gain access to our systems. Our customers trust us with their data, and we believe that an unintentional exposure of such data, no matter how small, is reason enough to be transparent."