
Whistleblower claims Ubiquiti covered up a massive security breach

Ubiquiti is a company whose prosumer-grade routers have become synonymous with security and manageability. After 24 hours of silence, the company has now issued a statement that doesn’t deny any of the whistleblower’s claims.

Ubiquiti emailed its customers about a ‘minor security breach’ at a ‘third party cloud provider’ on January 11th. A whistleblower from the company who spoke to Krebs claimed that Ubiquiti itself was breached, and that the company’s legal team prevented efforts to accurately report the dangers to customers.

Hackers got full access to the company’s AWS servers. Ubiquiti allegedly left root administrator logins in a LastPass account.

‘They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,’ the source said.

Ubiquiti issued a statement this evening saying it had no evidence to indicate that any user data had been accessed or stolen. But the whistleblower explicitly stated that the company doesn’t keep logs, which would act as that evidence, on who did or didn’t access the hacked servers. The statement says the hacker did try to extort the company for money, but it doesn’t address the allegations of a cover-up.

We were the victim of a cybersecurity incident that involved unauthorized access to our IT systems. We would like to provide our community with more information.

The attacker was locked out of our systems on January 11, July 11. The incident occurred during an analysis of customer data and the security of our products.

The attacker tried to extort the company by threatening to release stolen source code and specific IT credentials. This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident.

We have well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure. We still encourage you to change your password if you have not already done so, including on any website where you use the same user ID or password.

Ubiquiti admits its own IT systems were accessed. But it doesn’t address much else. The statement confirms some of what the whistleblower said.

The company’s networking gear promises full control over your home or small business network, without the fears of cloud-based solutions.


Written by Nuked
