Shares of New York City-based IoT device maker Ubiquiti (NYSE: UI) fell significantly this week following a report claiming that the recently disclosed data breach was “catastrophic” and that its impact was downplayed.
Ubiquiti informed customers in January that it had detected unauthorized access to some IT systems hosted by an unnamed third-party cloud provider. The company said at the time that it had found no evidence user data was compromised, but it could not rule it out so it instructed customers to change their passwords.
Cybersecurity blogger Brian Krebs reported on Tuesday, March 30, that he learned from someone involved in the response to the breach that Ubiquiti “massively downplayed” an incident that was actually “catastrophic,” in an effort to minimize impact on its value on the stock market.
According to Krebs’ source, the attacker gained access to Ubiquiti’s AWS servers and then attempted to extort 50 bitcoin (worth nearly $3 million) from the company to keep quiet about the hack.
The attacker obtained privileged credentials from an Ubiquiti employee’s LastPass account and “gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies,” according to the source. The hacker allegedly could have remotely authenticated to Ubiquiti cloud-based devices.
According to Krebs, Ubiquiti discovered the breach in late December 2020 and later removed a couple of backdoors planted by the attacker — the firm reportedly did not engage with them. The company then started changing employee credentials, and on January 11 it informed customers about an incident and instructed them to change their passwords.
Following Krebs’ report, Ubiquiti issued a statement on Wednesday to provide more information, but noted that it cannot comment further due to an ongoing law enforcement investigation.
“In response to this incident, we leveraged external incident response experts to conduct a thorough investigation to ensure the attacker was locked out of our systems,” the company stated. “These experts identified no evidence that customer information was accessed, or even targeted. The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information. This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident.”
Krebs’ source, however, claimed that Ubiquiti couldn’t have found any evidence of access to customer data because it didn’t actually have any access logs that it could check.
When Ubiquiti disclosed the security incident in January, it only had a small impact on its stock and the value of its shares has increased significantly since, from roughly $250 per share on January 12 to $350 per share on March 30.
Now, following news that the breach may have been bigger than the company led customers and investors to believe, Ubiquiti shares are down to $290 at the time of publishing.