Data Breach at DigitalOcean Leaves Customer Billing Data Exposed


DigitalOcean, a cloud solutions provider, is informing certain clients that their billing information may have been breached after someone exploited a flaw in the company's central database.

US-based DigitalOcean, Inc. is a cloud computing provider with global data centers, located in New York City. DigitalOcean offers cloud services that help developers build and scale applications distributed across multiple computers concurrently.

DigitalOcean stated in an email to clients that the unauthorized access took place between 9 and 22 April 2021 but was seemingly only "confirmed" on 26 April.

“An unauthorized user gained access to some of your billing account details through a flaw that has been fixed,” the company told customers. DigitalOcean says that only a "small percentage" of its users have been affected and that no intervention is necessary.

The leaked billing information includes the name, address, expiry date of the payment card, last four digits of the payment card, and the name of the bank that issued the card. The company pointed out that complete credit card details are not stored and so were not revealed.

“According to our logs approximately 1% of billing profiles were impacted,” Tyler Healy, VP of security at DigitalOcean, told SecurityWeek in an emailed statement. “This issue has been fixed and we have informed the impacted users and notified the relevant data protection authorities.”

Over one million programmers from every country in the world use its resources, DigitalOcean adds on its web portal.

Last year the company told its customers that some of their information had been disclosed after a document had been published accidentally, though at that point it was sure that the exposure was not malicious.

That email reads: “Yesterday we learned that a DigitalOcean owned document from 2018 was unintentionally made available via a public link. This document contained your email addresses and/or account name (the name you gave your account at sign-up) as well as some data about your account that may have included Droplet count, bandwidth usage, some support or sales communications notes, and the amount you paid during 2018. After a detailed review by our security team, we identified it was accessed at least 5 times before the document was taken down.”

The company also affirmed that it will teach its employees how to protect customer data, establish new protocols to warn everyone about possible exposures in a more timely way, and adjust its specifications to avoid future exposure of data.