According to the breach notification email sent to affected customers, the data leak took place when a DigitalOcean-owned document from 2018 was unintentionally made accessible on the internet without password protection. “This document contained your email address and/or account name (the name you gave your account at sign-up) as well as some data about your account that may have included Droplet count, bandwidth usage, some support or sales communications notes, and the amount you paid during 2018,” the company said in the breach notification email.

Upon discovery and subsequent investigation, DigitalOcean found that the exposed internal document containing customers’ data was accessed by unauthorized third parties at least 15 times before it was taken offline.

However, the company said that it is taking measures to prevent similar incidents in the future. “Our community is built on trust, so we are taking steps to make sure this doesn’t happen again. We will be educating our employees on protecting customer data, establishing new procedures to alert us of potential exposures in a more timely manner, and making configuration changes to prevent future data exposure,” the company added.

According to DigitalOcean, there is no evidence of unauthorized access to affected customers’ servers as a result of the breach. Also, the internal document only contained details for less than 1% of the company’s total customer base, it asserts.

“We had a document that was discovered to be shared publicly and while we feel confident there was no malicious access to that document, we informed our customers regardless for transparency. Less than 1% of our customer base was impacted, and the only PII included in the file was account name and email address,” a spokesperson for DigitalOcean told The Hacker News. “This was not related to a malicious act to access our systems. Our customers trust us with their data and we believe that an unintended use of that data, no matter how small, is reason enough to be transparent.”

Here’s a full preview of the breach notification email DigitalOcean is sending affected customers:
— Lucas Leal (@lucaslealdev) May 8, 2020