Whistleblower: Ubiquiti Breach “Catastrophic”

Ubiquiti reported a breach on January 11th involving a third-party cloud provider, but a whistleblower has now come forward claiming the breach was far more severe than initially reported. The incident potentially impacts Ubiquiti’s 85+ million devices worldwide.

What the Whistleblower Revealed

According to the source who spoke to Krebs on Security, the hackers obtained:

Full read/write access to Ubiquiti databases at Amazon Web Services (AWS)
Privileged credentials from a Ubiquiti IT employee’s LastPass account
Root administrator access to all AWS accounts
Access to:
- All S3 data buckets
- All application logs
- All databases
- User database credentials
- Secrets to forge single sign-on (SSO) cookies

Critical Security Failure

The whistleblower revealed a critical security oversight:

“Ubiquiti had negligent logging (no access logging on databases) so it was unable to prove or disprove what they accessed”

This lack of proper logging means Ubiquiti cannot determine what data was or wasn’t accessed by the attackers.

Global Impact

The breach potentially allowed remote authentication of Ubiquiti cloud-based devices globally. With over 85 million devices deployed in more than 200 countries, the scale of potential impact is massive.

Immediate Actions for Ubiquiti Users

If you’re using Ubiquiti equipment:

Change all passwords immediately
Enable two-factor authentication
Review your logs for suspicious activity
Consider disconnecting cloud management features
Monitor your networks closely

Key Takeaways

This incident highlights that:

Companies must be transparent about breaches
Proper logging is non-negotiable for security
Cloud infrastructure requires the same security rigor as on-premises systems
Even established networking companies can suffer catastrophic security failures

The whistleblower alleges that Ubiquiti downplayed a “catastrophic” security incident, potentially putting millions of devices and networks at risk worldwide.