Cloud computing vendor advises customers to take precautionary measures

Ubiquiti has urged its customers to change their passwords following a breach

Networking and Internet of Things (IoT) vendor Ubiquiti has urged its customers to change their passwords following a security breach it has blamed on an unnamed third-party cloud provider.

Ubiquiti – a manufacturer of cloud-connected routers, network video recorders, security cameras, and access control systems – warned customers via email that a third-party cloud provider may have inadvertently exposed customer account information.

The company is urging customers to change their passwords and enable multi-factor authentication in response to the breach, which may have exposed details such as names, phone numbers, and email addresses.

A statement reads:

We recently became aware of unauthorized access to certain [parts] of our information technology systems hosted by a third-party cloud provider. We have no indication that there has been unauthorized activity with respect to any user’s account.

We are not currently aware of evidence of access to any databases that host user data, but we cannot be certain that user data has not been exposed. This data may include your name, email address, and the one-way encrypted password to your account (in technical terms, the passwords are hashed and salted). The data may also include your address and phone number if you have provided that to us.

The breach notification email sent to customers (extract above), in which Ubiquiti goes on to apologize for any inconvenience, has been reposted on a community forum. The vendor confirmed the authenticity of this message through its official Twitter feed.

The incident, first reported by technology journalist Brian Krebs, illustrates how the reliance of many technology firms on third-party suppliers leaves them at heightened risk of attack.

The Daily Swig approached Ubiquiti for further comment on the incident.

James McQuiggan, security awareness advocate at KnowBe4, said: “Organizations need to increase their third-party access procedures, training, and technology to reduce the risk of attack by a third-party vendor.”

“Cybercriminals will continue to leverage attacks against smaller organizations to work their way into larger ones that are already authorizing the users,” he added.
