Ubiquiti Breach “Catastrophic”

On January 11, the networking equipment and Internet of Things (IoT) devices provider began sending out emails to customers informing them of a recent security breach. 

The company said that someone had obtained “unauthorized access” to Ubiquiti systems hosted by a “third-party cloud provider,” in which account information was stored for the ui.com web portal, a customer-facing device management service. 

“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers,” Adam wrote in a letter to the European Data Protection Supervisor. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”

Ubiquiti did not reveal how many customers may have been involved. 

A whistleblower from the company who spoke to Krebs claimed that Ubiquiti itself was breached, and that the company’s legal team prevented efforts to accurately report the dangers to customers.

It’s worth reading Krebs’ report to see the full allegations, but the summary is that hackers got full access to the company’s AWS servers — since Ubiquiti allegedly left root administrator logins in an LastPass account — and they could have been able to access any Ubiquiti networking gear that customers had set up to control via the company’s cloud service (now seemingly required on some of the company’s new hardware).

According to the alleged responder, cybercriminals gained administrative access to AWS Ubiquiti databases via credentials stored and stolen from an employee’s LastPass account, permitting them to obtain root admin access to AWS accounts, S3 buckets, application logs, secrets for SSO cookies, and all databases, including those containing user credentials.

“Ubiquiti had negligent logging (no access logging on databases) so it was unable to prove or disprove what they accessed, but the attacker targeted the credentials to the databases, and created Linux instances with networking connectivity to said databases,” Adam wrote in his letter. “Legal overrode the repeated requests to force rotation of all customer credentials, and to revert any device access permission changes within the relevant period.”

If you have Ubiquiti devices installed and haven’t yet changed the passwords on the devices since Jan. 11 this year, now would be a good time to take care of that.

Ubiquiti’s stock price has grown remarkably since the company’s breach disclosure Jan. 16. After a brief dip following the news, Ubiquiti’s shares have surged from $243 on Jan. 13 to $370 as of today. By market close Tuesday, UI had slipped to $349. Update, Apr. 1: Ubiquiti’s stock opened down almost 15 percent Wednesday; as of Thursday morning it was trading at $298.