Whistleblower claims Ubiquiti Networks data breach was ‘catastrophic’

Updated: The source alleges the January security incident was severely downplayed.

A whistleblower involved in the response to a data breach suffered by Ubiquiti Networks has claimed the incident was downplayed and could be described as "catastrophic."

On January 11, the networking equipment and Internet of Things (IoT) devices provider began sending out emails to customers informing them of a recent security breach. 

The company said that someone had obtained "unauthorized access" to Ubiquiti systems hosted by a "third-party cloud provider," in which account information was stored for the ui.com web portal, a customer-facing device management service. 

At the time, the vendor said information including names, email addresses, and salted/hashed password credentials may have been compromised, alongside home addresses and phone numbers if customers input this data within the ui.com portal. 

Ubiquiti did not reveal how many customers may have been involved. 

Customers were asked to change their passwords and to enable two-factor authentication (2FA). 

Several months later, however, a source who "participated" in the response to the security breach told security expert Brian Krebs that the incident was far worse than it seemed and could be described as "catastrophic."

Speaking to KrebsOnSecurity after raising his concerns through both Ubiquiti's whistleblower line and European data protection authorities, the source claimed that the third-party cloud provider explanation was a "fabrication" and the data breach was "massively downplayed" in an attempt to protect the firm's stock value. 

In a letter penned to European regulators, the whistleblower wrote:

"It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers. The breach was massive, customer data was at risk, access to customers' devices deployed in corporations and homes around the world was at risk."

According to the alleged responder, cybercriminals gained administrative access to Ubiquiti's AWS databases via credentials stored in, and stolen from, an employee's LastPass account, permitting them to obtain root admin access to AWS accounts, S3 buckets, application logs, secrets for SSO cookies, and all databases, including those containing user credentials.

The source also told Krebs that in late December, Ubiquiti IT staff found a backdoor planted by the threat actors, which was removed in the first week of January. A second backdoor was also allegedly discovered, leading to employee credentials being rotated before the public was made aware of the breach. 

The cyberattackers contacted Ubiquiti and attempted to extort 50 Bitcoin (BTC) -- roughly $3 million -- in return for silence. However, the vendor did not engage with them. 

Update 21.32 BST: A LastPass (by LogMeIn) spokesperson told ZDNet:

"LogMeIn is committed to maintaining the security of our LastPass users and their sensitive information. We are confident in the security protections we have in place and additionally, out of an abundance of caution, investigated and, at this time, found no indication of a vulnerability or compromise to the LastPass service. In order to uphold that commitment, our security team has reached out to Ubiquiti to offer any assistance and gather additional information around the event."

ZDNet has reached out to Ubiquiti Networks and we will update when we hear back. 
