Whistleblower: Ubiquiti Cyber Attack Last January was “Catastrophic”

A whistleblower who allegedly participated in the response to the Ubiquiti cyber attack claimed that the company downplayed a “catastrophic” incident to protect stock prices and that the 3rd party provider claim was fake.

The anonymous whistleblower reported his claims to KrebsOnSecurity, Ubiquiti’s whistleblower hotline, and European data protection authorities.

“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers. The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk,” said the whistleblower.

The attack happened last January 11 and was blamed  on “unauthorized access” to Ubiquiti systems hosted by a “third-party cloud provider.”

Ubiquiti claimed after the attack that customer data may have been leaked but did not disclose how many. 

The whistleblower disputed Ubiquiti’s press release and said that the hackers gained administrative access to AWS Ubiquiti databases using credentials stored and stolen from an employee’s LastPass account, which allowed them to obtain root admin access to AWS accounts, S3 buckets, application logs, secrets for SSO cookies, and all databases, including those containing user credentials. 

“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” explained the whistleblower.

The whistleblower added that the hackers sent Ubiquiti proof that they had stolen data and demanded 50 Bitcoins to keep quiet but was not paid.

Ubiquiti later found that the hackers also left two backdoors in their system and removed them.

There are no comments yet from Ubiquiti regarding the whistleblower testimony. 


© Fourth Estate® — All Rights Reserved.
This material may not be published, broadcast, rewritten or redistributed.