Data breach at DigitalOcean exposes customer billing profiles

Data breach at DigitalOcean exposes customer billing profiles

Cloud infrastructure and web hosting provider DigitalOcean has been affected by a data breach and is informing its customers now. The breach exposed the personal information of a 'small percentage' of customers online.

The firm has told customers that the an unidentified hacker illegally accessed the details associated with the billing profile on their DigitalOcean account.

In an email seen by TechCrunch, DigitalOcean says the hacker accessed the database between the 9th and 22nd April. They compromised the database via an undisclosed security bug, which has since been fixed.

The security breach exposed customers' billing names, addresses, payment card expiry dates, the last four digits of their card and the name of the card-issuing bank.

Looks like @digitalocean had a nasty breach

— tj - one terrifying conversation each week (@adventureloop) April 28, 2021

Customers' DigitalOcean accounts were unaffected, and passwords and account tokens were 'not involved' in the breach. The company does not store customers' full credit card numbers in its database.

In addition to fixing the security flaw, the firm says it has notified relevant data protection authorities about the incident. DigitalOcean also claims to have taken additional security measures to protect user accounts from unauthorised access in future.

When TechCrunch contacted the company for more details about the incident, DigitalOcean's security chief Tyler Healy stated that just 1 per cent of billing profiles were affected. The company did not provide information about how the breach was discovered or which agencies were notified.

The security incident has comes less than a year after a previous security lapse at DigitalOcean, which also exposed details from customers' accounts. That data leak occurred after an internal document, which contained users' personally identifiable information, was mistakenly left available online.

The company said at the time that the document was accessed at least 15 times, but no unauthorised access to impacted customers' accounts was seen as a result.

Back to Top