[PLUG-TALK] Ubiquiti data breach

TomasK tomas.kuchta.lists at gmail.com
Wed Mar 31 17:35:37 UTC 2021


Rich,

Please be specific and accurate when making a summary like this,
especially when this is two+ months old - there was enough time to read
up on it:

Here is my summary:
This breach affects users of Ubiquiti products configured to be
controlled through a Ubiquiti online account. All online credentials were
compromised, including SSO infrastructure, token signing, and private and
public keys.

This breach does not affect products configured to use local accounts only.

The breach was disclosed by Ubiquiti on 11 January 2021. It has been widely
known and criticized in the user community, albeit with Ubiquiti not
owning up to it.

Yesterday's Krebs on Security article is about reporting on a
whistleblower's disclosure to the European Data Protection Authority (EDPA).
The whistleblower's claim is that - in typical Ubiquiti fashion - they did not
provide full and clear disclosure, deflecting breach responsibility to a
third party (AWS) for unsecured Ubiquiti infrastructure, did not notify
customers directly yet, did not disable or force a password reset on
compromised accounts, and did not properly notify the EDPA - thus breaking
the law.

Hope that helps more than a simplistic, scary-looking story.

Tomas

On Wed, 2021-03-31 at 06:09 -0700, Rich Shepard wrote:
> Those who use Ubiquiti hardware should read today's article on
> www.krebsonsecurity.com. Access to data and hardware was (is?) apparently
> much more severe than the company acknowledges.
> 
> Rich
> _______________________________________________
> PLUG: https://pdxlinux.org
> PLUG-talk mailing list
> PLUG-talk at pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug-talk
