DigitalOcean Data Breach

Lee (OG)
edited April 2021 in General

Just saw this on Twitter. Corrected, grabbed the wrong Tweet.

DigitalOcean has emailed customers warning of a data breach involving customers’ billing data, TechCrunch has learned.

The cloud infrastructure giant told customers in an email on Wednesday, obtained by TechCrunch, that it has “confirmed an unauthorized exposure of details associated with the billing profile on your DigitalOcean account.” The company said the person “gained access to some of your billing account details through a flaw that has been fixed” over a two-week window between April 9 and April 22.

The email said customer billing names and addresses were accessed, as well as the last four digits of the payment card, its expiry date and the name of the card-issuing bank. The company said that customers’ DigitalOcean accounts were “not accessed,” and passwords and account tokens were “not involved” in this breach.

“To be extra careful, we have implemented additional security monitoring on your account. We are expanding our security measures to reduce the likelihood of this kind of flaw occuring [sic] in the future,” the email said.

DigitalOcean said it fixed the flaw and notified data protection authorities, but it’s not clear what the apparent flaw was that put customer billing information at risk.

In a statement, DigitalOcean’s security chief Tyler Healy said 1% of billing profiles were affected by the breach, but declined to address our specific questions, including how the vulnerability was discovered and which authorities have been informed.


Comments

  • @Lee said: The email said customer billing names and addresses were accessed

    ..and people wonder why I only include a partial address during signups. :anguished:

    It wisnae me! A big boy done it and ran away.
    NVMe2G for life! until death (the end is nigh)

  • @AlwaysSkint said:
    ..and people wonder why I only include a partial address during signups. :anguished:

    I put down my full address.
    It's public:

    yoursunny summer host, Inc
    123 Elf Street
    Amundsen-Scott South Pole Station 96598
    Antarctica

    However, I don't have a Digital Ocean account.
    I only use Scaleway (paid) and Oracle Cloud (free) for hourly.


    ServerFactory aff best VPS; HostBrr aff best storage.

  • @yoursunny said:

    I only use Scaleway (paid) and Oracle Cloud (free) for hourly.

    Does the Oracle give you cookies?

  • mikho (Administrator, OG)

    @AlwaysSkint said:

    @Lee said: The email said customer billing names and addresses were accessed

    ..and people wonder why I only include a partial address during signups. :anguished:

    So that is why the Tax Man called me yesterday. .... interesting ....

    “Technology is best when it brings people together.” – Matt Mullenweg

  • alwyzon (Hosting Provider)

    @AlwaysSkint said:
    ..and people wonder why I only include a partial address during signups. :anguished:

    But you do know that this causes legal/tax trouble for your providers? At least, if they are located inside the European Union. 😟


    Alwyzon - Virtual Servers in Austria starting at 4,49 €/month (excl. VAT)

  • Re: address. AFAIK, it's a legal thing in the UK for businesses to show address details but not private individuals.


  • alwyzon (Hosting Provider)
    edited April 2021

    @AlwaysSkint said:
    Re: address. AFAIK, it's a legal thing in the UK for businesses to show address details but not private individuals.

    That’s unrelated to what information you have to show publicly on your website; that’s about customer data collected for billing purposes.

    The EU (plus UK, Liechtenstein and Switzerland) requires any eCommerce sale to be documented and archived for tax evasion purposes and puts the burden of verifying the customer's billing details onto the seller. The directive is a bit vague, but an auditor will for sure complain that you aren't verifying those customer details if your invoices are full of obvious fake addresses.


  • mikho (Administrator, OG)

    @AlwaysSkint said:
    Re: address. AFAIK, it's a legal thing in the UK for businesses to show address details but not private individuals.

    To be able to pay the correct taxes when selling digital goods, I must be able to provide verification of the buyer's location.

    Otherwise all EU customers will be from Luxembourg with a low VAT instead of Swedish VAT.

    It's different when selling physical goods. Then it's local VAT in the country where the company is located.


  • Just to be clear (as the point appears to have flown overhead); I do not advocate the use of fake/false addresses - that is not what I suggested, in the slightest.


  • @vyas said:
    @yoursunny said:

    I only use Scaleway (paid) and Oracle Cloud (free) for hourly.

    Does the Oracle give you cookies?

    No, the Oracle gives me random bits.

    I know where the cookies are at:



  • Advin (Hosting Provider)

    That's actually pretty crazy. I'm pretty sure some of these details can be used for fraud or impersonation. I always put in my PO box address whenever I sign up to websites that require my billing information.


    I am a representative of Advin Servers

  • How am I only learning about this now... I have a DO account and, same as most other people here, I never give out my full address. I'm not buying anything that requires physical shipping, so they have no use for my exact address.

  • This..

    @Advin said: I'm pretty sure some of these details can be used for fraud or impersonation

    and this..

    @froge said: I'm not buying anything that requires physical shipping so they have no use for my exact address.

    (Though I prefer things to be posted rather than shipped, as it takes too long by sea. ;) )

