Nothing says fun like a company describing its own data breach as “catastrophic.” That’s a “c” word you definitely don’t want to hear if you have an account with said company or use its products, and that’s exactly what happened recently to Ubiquiti.
Before we get into it, here’s what you should do right now: Change your Ubiquiti passwords and enable two-factor authentication. If you do nothing else in response to this mess, do that.
Not only should you change your Ubiquiti password and set up two-factor authentication, but you also might want to take a few more serious steps with your Ubiquiti networking gear. As security expert Brian Krebs explains:
“If you have Ubiquiti devices installed and haven’t yet changed the passwords on the devices since Jan. 11 this year, now would be a good time to take care of that.
It might also be a good idea to just delete any profiles you had on these devices, make sure they’re up to date on the latest firmware, and then re-create those profiles with new [and preferably unique] credentials. And seriously consider disabling any remote access on the devices.”
That last bit is key, as the data breach—described to Krebs as “catastrophic” by an unnamed source from within Ubiquiti—allegedly gave the attackers “root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.”
With that information, attackers would (theoretically) be able to remotely log into Ubiquiti devices. I haven’t seen any evidence that this has actually happened, and Ubiquiti claims there is “no evidence that customer information was accessed, or even targeted.” But, as is always the case in instances like these, I would take these statements with a grain of salt.
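To see why leaked cookie-signing secrets are such a big deal, here’s a small added illustration. It is not Ubiquiti’s code and it is not how Ubiquiti’s SSO actually works; it models the generic pattern of a session cookie protected by an HMAC over its contents, and the key values, user name and role are all made up for the example:

```python
import base64
import hashlib
import hmac
import json

# Constructed keys for the example only (not real secrets).
ORIGINAL_KEY = b"constructed-original-sso-signing-key"
ROTATED_KEY = b"constructed-rotated-sso-signing-key"


def sign_cookie(payload: dict, key: bytes) -> str:
    """Serialize the payload and append an HMAC-SHA256 tag computed with `key`."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, key: bytes):
    """Return the payload if the tag matches under `key`, otherwise None."""
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself doesn't leak the tag.
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(body.encode()))


def forge_cookie(leaked_key: bytes) -> str:
    """What an attacker holding the signing key can do: mint any session they like."""
    # Hypothetical victim identity and privilege level, made up for the example.
    return sign_cookie({"user": "victim@example.com", "role": "admin"}, leaked_key)


def demo() -> dict:
    """Show the forged cookie being accepted until the key is rotated."""
    forged = forge_cookie(ORIGINAL_KEY)  # attacker stole ORIGINAL_KEY

    accepted_before = verify_cookie(forged, ORIGINAL_KEY)
    accepted_after = verify_cookie(forged, ROTATED_KEY)

    # A cookie whose body was edited without the key is rejected either way.
    body, tag = forged.rsplit(".", 1)
    tampered_body = base64.urlsafe_b64encode(
        json.dumps({"role": "admin", "user": "someone-else@example.com"}).encode()
    ).decode()
    tampered = verify_cookie(f"{tampered_body}.{tag}", ORIGINAL_KEY)

    return {
        "accepted_before_rotation": accepted_before is not None,
        "forged_role": accepted_before["role"] if accepted_before else None,
        "accepted_after_rotation": accepted_after is not None,
        "tampered_accepted": tampered is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model: a user changing their password does nothing against a cookie an attacker minted with the stolen key, because the server never checks the password when it accepts the cookie. Only rotating the signing key (and thereby logging everyone out) invalidates forged sessions, which is why secret rotation matters at least as much as the password reset the email asked for.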
The data breach was serious enough for Ubiquiti to send an email to customers on Jan. 11 indicating that they might want to change their passwords and enable 2FA out of an abundance of caution. If the breach was that significant, I’d join others in suggesting that Ubiquiti should have forced a reset of all passwords for all accounts instead of merely recommending one.
Unfortunately, it now comes down to which side you believe—the whistleblower, speaking to Krebs, who claims that Ubiquiti has no idea if consumer accounts were accessed because it has no logging set up to determine that, or Ubiquiti itself, which says everything is fine.
While I doubt we’ll ever know the full extent of the issue, I side with the whistleblower, who, unless they were looking to make a killing shorting Ubiquiti’s stock, wouldn’t have much of a reason to lie about such a serious issue. Or, to put it another way, I’d rather err on the side of “prepare for the worst” than “do the bare minimum and risk a nasty surprise.”
Going forward, make sure you’re using whatever mechanisms you can to keep your networking equipment (and any connected accounts) as secure as possible. That means unique passwords for everything, two-factor authentication wherever you can set it up, disabling remote management if you never use it, and doing a thorough search of other security settings you might consider enabling on your specific router/access point/gateway. (Everyone’s network equipment differs, so there might be specific settings turned on by default that you’ll want to explore on your own gear.)
Beyond that, set up a filter or alert in your email that makes it very obvious when your networking gear’s manufacturer sends you an email. I get a lot of email, and it’s possible I might not have even noticed Ubiquiti’s message back when they sent it. Stay on top of this stuff, as it’s the best way to keep yourself, and your home network, safe from unwanted intruders.