Digital Ocean springs a leak: Miscreant exploits hole to peep on unlucky customers’ billing details for two weeks

Digital Ocean on Wednesday said someone was able to snoop on some of its cloud subscribers’ billing information via a now-patched vulnerability.

In an email to affected customers seen by The Register – and full disclosure, your Register vulture is a customer – the rent-a-server biz said that two days ago it confirmed a miscreant had gained unauthorized access to some people’s account records. The sneak was able to glimpse the data between April 9 and 22 via an undisclosed security hole that Digital Ocean said it has now closed up.

The intruder was able to see “a small percentage” of users’ names, billing addresses, payment card expiry dates, the last four digits of those cards, and the names of the cards’ banks. Digital Ocean stressed it does not store full card numbers, and that accounts were left untouched, and passwords and access tokens were not accessed.

The infrastructure-as-a-service outfit added that it has alerted the “relevant” data privacy watchdogs, and promised to install extra measures to prevent future data leaks like this.

We’ve asked Digital Ocean to reveal which authorities exactly it has spoken to, and if it plans to shed any more light on the flaw and why apparently so few people – one per cent of its customer base, a spokesperson told TechCrunch – were affected.

We say Digital Ocean is an IaaS provider, though the $320m-a-year corp has dipped its toes into the PaaS waters lately. It IPO’d in March, which was not a happy affair: it ended its first day on the stock market trading at $43.33 a share after opening for $47. It currently trades for $44.06. ®
