DigitalOcean Data Breach
Just saw this on Twitter. Corrected, grabbed the wrong Tweet.
DigitalOcean has emailed customers warning of a data breach involving customers’ billing data, TechCrunch has learned.
The cloud infrastructure giant told customers in an email on Wednesday, obtained by TechCrunch, that it has “confirmed an unauthorized exposure of details associated with the billing profile on your DigitalOcean account.” The company said the person “gained access to some of your billing account details through a flaw that has been fixed” over a two-week window between April 9 and April 22.
The email said customer billing names and addresses were accessed, as well as the last four digits of the payment card, its expiry date and the name of the card-issuing bank. The company said that customers’ DigitalOcean accounts were “not accessed,” and passwords and account tokens were “not involved” in this breach.
“To be extra careful, we have implemented additional security monitoring on your account. We are expanding our security measures to reduce the likelihood of this kind of flaw occuring [sic] in the future,” the email said.
DigitalOcean said it fixed the flaw and notified data protection authorities, but it’s not clear what the apparent flaw was that put customer billing information at risk.
In a statement, DigitalOcean’s security chief Tyler Healy said 1% of billing profiles were affected by the breach, but declined to address our specific questions, including how the vulnerability was discovered and which authorities have been informed.
Comments
..and people wonder why I only include a partial address during signups.
It wisnae me! A big boy done it and ran away.
NVMe2G for life! until death (the end is nigh)
I put down my full address.
It's public:
yoursunny summer host, Inc
123 Elf Street
Amundsen-Scott South Pole Station 96598
Antarctica
However, I don't have a Digital Ocean account.
I only use Scaleway (paid) and Oracle Cloud (free) for hourly.
Accepting submissions for IPv6 less than /64 Hall of Incompetence.
@yoursunny said:
Does the Oracle give you cookies?
blog | exploring visually |
So that is why the Tax Man called me yesterday. .... interesting ....
“Technology is best when it brings people together.” – Matt Mullenweg
But, you do know that this causes legal/tax troubles to your providers? At least, if they are located inside the European Union. 😟
Alwyzon - Virtual Servers in Austria starting at 4,49 €/month (excl. VAT)
Re: address. AFAIK, it's a legal thing in the UK for businesses to show address details but not private individuals.
It wisnae me! A big boy done it and ran away.
NVMe2G for life! until death (the end is nigh)
That’s unrelated to what information you have to show publicly on your website; that’s about customer data collected for billing purposes.
The EU (plus UK, Lichtenstein and Switzerland) requires any eCommerce sale to be documented and archived for tax evasion purposes and puts the burden of verifying the customers billing details onto the seller. The directive is a bit vague, but an auditor will for sure complain that you aren’t verifying those customer details if your invoices are full of obvious fake addresses.
Alwyzon - Virtual Servers in Austria starting at 4,49 €/month (excl. VAT)
To be able to pay the correct taxes when selling digital goods, I must be able to provide verification of the buyers location.
Otherwise all EU customers will all be from Luxembourg with a low VAT instead of Swedish VAT.
It’s different when selling physical goods. Then its local VAT in the country where the company is located.
“Technology is best when it brings people together.” – Matt Mullenweg
Just to be clear (as the point appears to have flown overhead); I do not advocate the use of fake/false addresses - that is not what I suggested, in the slightest.
It wisnae me! A big boy done it and ran away.
NVMe2G for life! until death (the end is nigh)
No, the Oracle gives me random bits.
I know where the cookies are at:
Accepting submissions for IPv6 less than /64 Hall of Incompetence.
That's actually pretty crazy. I'm pretty sure some of these details can be used for fraud or impersonation. I always put in my PO box address whenever I sign up to websites that require my billing information.
I am a representative of Advin Servers
How am I only learning about this now... I have a DO account and same as most other people here I never give out my full address. I'm not buying anything that requires physical shipping so they have no use for my exact address.
FrogeHost
This..
and this..
(Though I prefer things to be posted rather than shipped, as it takes too long by sea. )
It wisnae me! A big boy done it and ran away.
NVMe2G for life! until death (the end is nigh)