Ubiquiti users told to change their passwords following security breach

• Breach occurred at third-party cloud provider used by IoT device manufacturer
• Email addresses, names, and hashed and salted passwords exposed

IoT device vendor Ubiquiti has told customers that they should change their passwords after a security breach left user details exposed.

In an email sent to users, router and access point manufacturer Ubiquiti explained that it had recently become aware of a breach at a “third party cloud provider” used by the firm to host some of its infrastructure.

Data that may have been accessed includes:

• Customers’ email addresses
• Customers’ names
• Customers’ hashed and salted passwords
• Customers’ addresses and phone numbers (where provided)

What isn’t made clear in the email advisory is whether the exposed data was stumbled across by a security researcher who then informed Ubiquiti, or whether it was accessed by someone with malice in mind.

If malicious hackers were able to use the information to access the profiles of Ubiquiti customers, they would be able to change the settings of the customers’ IoT devices remotely, as well as access the support portal. And if a hacker were not able to determine account passwords from the breached data they would still have been able to use the leaked contact details to target Ubiquiti customers with scams and phishing attacks.

Ubiquiti says that it has not seen any evidence of unauthorised account access as a result of the incident.

However, the company advises that, as a precaution, customers should change their account passwords, and ensure that the same password is not being used anywhere else on the internet.

Far too many people still use the same password in multiple places online, making it easier for hackers to leverage one breach to break into accounts elsewhere on the net.

In addition, Ubiquiti recommends that customers enable two-factor authentication (2FA) for an additional layer of protection.

Ideally, Ubiquiti might have done well to reconsider how it chose to communicate the breach to its customers.

In the advisory it has sent to customers Ubiquiti encourages them to click on buttons within the email to change their passwords and enable 2FA, rather than recommend they visit the account.ui.com website. This is a trick often used in phishing emails to trick unsuspecting users into entering their login credentials on bogus lookalike websites.

Under the circumstances, might have done well to make their announcement a little less phishy-looking, and reduce the concern of their users.