Customer Data Has Been Exposed to Unknown Parties in a DigitalOcean Data Leak

DigitalOcean Data Leak

Historically, we have learned to associate data breaches with cybercriminals who use clever techniques to hack their way past the targeted organizations' defenses and steal users' personal details. While it is true that hackers do compromise online services of all shapes and sizes, nowadays, data exposure is more often than not the result of mistakes made by the service providers themselves.

Security researchers find unprotected servers and accidentally exposed databases that contain terabytes of private information every day, and they constantly urge companies to tighten their data storage procedures. Unfortunately, leaks continue to occur, and this is at least partly due to the fact that people tend to underestimate these incidents. Often, when the experts find an exposed database, they have no way of saying whether a third party has managed to access the data before them, and because service providers usually fail to notice any malicious activity in the immediate aftermath, people assume that the leak is inconsequential. DigitalOcean, one of the world's biggest hosting providers, recently exposed some customer data and showed just how dangerous this "no harm done" mentality could be.

DigitalOcean exposes a document full of user data

Last week, DigitalOcean started informing some of its clients about a data leak. Apparently, an employee had accidentally made an internal document available through a public link. The exposed data includes email addresses and account names, as well as account-specific details like bandwidth usage, Droplet counts, and support notes. The amounts affected users paid for hosting services during the year 2018 were also exposed, though the company was adamant that people's financial information was not affected.

The breach notification was never turned into an official statement or a press release, and you can probably see why. The document doesn't really contain any particularly sensitive information, and, apart from the email addresses and the account names, there's little else the hackers might find useful. What's more, when media outlets like ZDNet picked up the news, a DigitalOcean spokesperson said that only around 1% of the company's customers were affected. In other words, the leak doesn't seem especially noteworthy. From an educational standpoint, however, it can be extremely useful, especially for people who tend to underestimate the dangers associated with this type of leaks.

Unauthorized third parties accessed the data 15 times

DigitalOcean said that there has been no observable abnormal activity surrounding people's accounts as a result of the breach. The company did admit, however, that the document was accessed by unauthorized third parties 15 times before it was taken down.

This is not the worst leak we've ever seen, but we do hope that people will pay attention to it, because it can act as hard proof that if a piece of information is left on the internet, sooner or later, someone will get to it. This information can (and often is) extremely sensitive, and people must learn that even if there is absence of any proven misuse, if it's been publicly exposed, it should be considered compromised.

Hopefully, companies like DigitalOcean will do what they can to ensure that incidents like this one are as rare as possible, and hopefully, users will finally realize how dangerous they can be.

May 11, 2020