DigitalOcean Data Breach

LeeLee OG
edited April 28 in General

Just saw this on Twitter. Corrected, grabbed the wrong Tweet.

DigitalOcean has emailed customers warning of a data breach involving customers’ billing data, TechCrunch has learned.

The cloud infrastructure giant told customers in an email on Wednesday, obtained by TechCrunch, that it has “confirmed an unauthorized exposure of details associated with the billing profile on your DigitalOcean account.” The company said the person “gained access to some of your billing account details through a flaw that has been fixed” over a two-week window between April 9 and April 22.

The email said customer billing names and addresses were accessed, as well as the last four digits of the payment card, its expiry date and the name of the card-issuing bank. The company said that customers’ DigitalOcean accounts were “not accessed,” and passwords and account tokens were “not involved” in this breach.

“To be extra careful, we have implemented additional security monitoring on your account. We are expanding our security measures to reduce the likelihood of this kind of flaw occuring [sic] in the future,” the email said.

DigitalOcean said it fixed the flaw and notified data protection authorities, but it’s not clear what the apparent flaw was that put customer billing information at risk.

In a statement, DigitalOcean’s security chief Tyler Healy said 1% of billing profiles were affected by the breach, but declined to address our specific questions, including how the vulnerability was discovered and which authorities have been informed.

Thanked by (3)lentro mikho Mason

Comments

  • @Lee said: The email said customer billing names and addresses were accessed

    ..and people wonder why I only include a partial address during signups. :anguished:

    lowendinfo.com is expired.

  • @AlwaysSkint said:
    ..and people wonder why I only include a partial address during signups. :anguished:

    I put down my full address.
    It's public:

    yoursunny summer host, Inc
    123 Elf Street
    Amundsen-Scott South Pole Station 96598
    Antarctica

    However, I don't have a Digital Ocean account.
    I only use Scaleway (paid) and Oracle Cloud (free) for hourly.

    Thanked by (1)AlwaysSkint

    The end is nigh for Ubuntu 16.04. Providers still offering Ubuntu 16.04 past EOL will be ashamed.

  • vyasvyas OGContent Writer

    @yoursunny said:

    I only use Scaleway (paid) and Oracle Cloud (free) for hourly.

    Does the Oracle give you cookies?

  • mikhomikho AdministratorHosting ProviderOG

    @AlwaysSkint said:

    @Lee said: The email said customer billing names and addresses were accessed

    ..and people wonder why I only include a partial address during signups. :anguished:

    So that is why the Tax Man called me yesterday. .... interesting ....

    Get 4 or more NAT servers (mix/match between packages) and get a 20 % recurring discount. https://clients.mrvm.net

  • alwyzonalwyzon Hosting Provider

    @AlwaysSkint said:
    ..and people wonder why I only include a partial address during signups. :anguished:

    But, you do know that this causes legal/tax troubles to your providers? At least, if they are located inside the European Union. 😟

    Thanked by (1)mikho

    Alwyzon - KVM Virtual Servers in AT and NL starting at 1,80 €/month (excl. VAT)

  • Re: address. AFAIK, it's a legal thing in the UK for businesses to show address details but not private individuals.

    lowendinfo.com is expired.

  • alwyzonalwyzon Hosting Provider
    edited April 29

    @AlwaysSkint said:
    Re: address. AFAIK, it's a legal thing in the UK for businesses to show address details but not private individuals.

    That’s unrelated to what information you have to show publicly on your website; that’s about customer data collected for billing purposes.

    The EU (plus UK, Lichtenstein and Switzerland) requires any eCommerce sale to be documented and archived for tax evasion purposes and puts the burden of verifying the customers billing details onto the seller. The directive is a bit vague, but an auditor will for sure complain that you aren’t verifying those customer details if your invoices are full of obvious fake addresses.

    Alwyzon - KVM Virtual Servers in AT and NL starting at 1,80 €/month (excl. VAT)

  • mikhomikho AdministratorHosting ProviderOG

    @AlwaysSkint said:
    Re: address. AFAIK, it's a legal thing in the UK for businesses to show address details but not private individuals.

    To be able to pay the correct taxes when selling digital goods, I must be able to provide verification of the buyers location.

    Otherwise all EU customers will all be from Luxembourg with a low VAT instead of Swedish VAT.

    It’s different when selling physical goods. Then its local VAT in the country where the company is located.

    Get 4 or more NAT servers (mix/match between packages) and get a 20 % recurring discount. https://clients.mrvm.net

  • Just to be clear (as the point appears to have flown overhead); I do not advocate the use of fake/false addresses - that is not what I suggested, in the slightest.

    lowendinfo.com is expired.

  • @vyas said:
    @yoursunny said:

    I only use Scaleway (paid) and Oracle Cloud (free) for hourly.

    Does the Oracle give you cookies?

    No, the Oracle gives me random bits.

    I know where the cookies are at:


    The end is nigh for Ubuntu 16.04. Providers still offering Ubuntu 16.04 past EOL will be ashamed.

  • That's actually pretty crazy. I'm pretty sure some of these details can be used for fraud or impersonation. I always put in my PO box address whenever I sign up to websites that require my billing information.

Sign In or Register to comment.