Ubiquiti iniquity: Wi-Fi box slinger warns hackers may have peeked at customers' personal information

Salted password hashes, addresses, phone numbers may have been exposed in cloud security snafu


Networking vendor Ubiquiti has written to its customers to advise them of a possible leak of their personal information.

“We recently became aware of unauthorized access to certain of our information technology systems hosted by a third-party cloud provider,” the email opens, before adding: “We have no indication that there has been unauthorized activity with respect to any user’s account.”

But the mail, seen by The Reg and sent out within the past few hours, also says Ubiquiti “cannot be certain that user data has not been exposed,” and admits that if the unauthorized actors did get in, they’ll have been able to access users’ “name, email address, and the one-way encrypted password to your account (in technical terms, the passwords are hashed and salted).”

Customers who stored their physical address and phone number in their account were advised that data may also have been accessed.

“As a precaution, we encourage you to change your password,” the mail states, adding that two-factor authentication is a very fine idea that customers should enable ASAP on their online accounts if it’s not already employed. A warning about password re-use across multiple sites is also offered.

The mail doesn’t name the cloud provider, though at the time of writing, Ubiquiti’s public-facing website could be found at an IP address registered to Amazon Technologies. That’s no indication that Amazon Web Services can or should be considered as in any way involved, and the cloud colossus is generally not responsible for the security of customers’ applications. It may be an indication Ubiquiti is not very good at securing its cloud resources.

The notification email concludes:

“We apologize for, and deeply regret, any inconvenience this may cause you. We take the security of your information very seriously and appreciate your continued trust.”

That last sentence is a little disingenuous. In 2019, the biz issued updated firmware so that its Wi-Fi routers would phone home with telemetry. After users expressed their displeasure with that arrangement, Ubiquiti promised to offer an opt-out for all data collection, but then released firmware that collected data anyway, while offering some exclusions if users edited a config file.

Last year, the manufacturer also crippled some of its own kit with a sloppy update.

Ubiquiti investors don’t seem to mind. Its share price rose 0.18 percent today to $257.45 apiece. And it’s up from $187.85 a year ago. ®


Biting the hand that feeds IT © 1998–2021