DigitalOcean Says Customer Billing Data 'Exposed' by a Security Flaw (techcrunch.com)

DigitalOcean has emailed customers warning of a data breach involving customers' billing data, TechCrunch has learned. From the report: The cloud infrastructure giant told customers in an email on Wednesday, obtained by TechCrunch, that it has "confirmed an unauthorized exposure of details associated with the billing profile on your DigitalOcean account." The company said the person "gained access to some of your billing account details through a flaw that has been fixed" over a two-week window between April 9 and April 22. The email said customer billing names and addresses were accessed, as well as the last four digits of the payment card, its expiry date, and the name of the card-issuing bank. The company said that customers' DigitalOcean accounts were "not accessed," and passwords and account tokens were "not involved" in this breach. "To be extra careful, we have implemented additional security monitoring on your account. We are expanding our security measures to reduce the likelihood of this kind of flaw occuring [sic] in the future," the email said.
  • Hidden in sight. (Score:5, Informative)

    by Ostracus ( 1354233 ) on Wednesday April 28, 2021 @02:49PM (#61324892) Journal

    Wondering if virtual card numbers [thebalance.com] would be the solution to this particular problem?

    • Virtual card numbers are a great solution; it only takes a few extra steps. I use them for SiriusXM, and others, so they can't auto-renew.
    • Re: (Score:3, Informative)

      by teranine ( 2687975 )
      "Currently, only two major credit card issuers offer virtual credit card numbers: Citi and Capital One." https://www.thebalance.com/wha... [thebalance.com] Not really a solution for everyone at the moment.
      • by tlhIngan ( 30335 ) <slashdot.worf@net> on Wednesday April 28, 2021 @04:02PM (#61325218)

        Another way is to use Paypal (yeah, yeah). You can cancel subscriptions through Paypal if the company you used it with refuses to cancel - you just break the authorized payment link which will cause the renewal to fail.

        Sites only get limited information in this case - and the token can't be used for other purposes.

    • Digital Ocean doesn't support privacy virtual cards.

    • by xalqor ( 6762950 )

      I'd prefer something like deposit-only accounts. It's where you can just give out your number to people, put it on your homepage, business card, whatever, and people can send you money that way. You could have more than one of these so you can easily group related deposits -- your paycheck, your patreon or open collective, etc.

      Like a cryptocurrency address, it's a one way trip -- people can send money there but not withdraw. But unlike a cryptocurrency address, it would be operated by your bank, and it can

  • A serious breach (Score:4, Insightful)

    by Klaxton ( 609696 ) on Wednesday April 28, 2021 @03:06PM (#61324964)
    Even that limited amount of information is enough to significantly enable identity theft. It will be sold in bulk to the black market shortly. This is all the more incentive to spoof your own identity where possible.
  • Pilots all know this. Apparently, lots of companies don't, even when they should.

  • I am too literal (Score:4, Insightful)

    by BrainJunkie ( 6219718 ) on Wednesday April 28, 2021 @03:27PM (#61325064)

    to be extra careful, we have implemented additional security monitoring on your account

    One of the reasons I will never climb the corporate ladder is that I could never write or approve this as a response to a data breach. Details are light on what exactly happened, but almost certainly it isn't the customer accounts they need to monitor it is their own back end systems where the account data are stored.

    And "extra careful" is meaningless. Exactly how careful were they being before the breach? "It'd be a hassle to change that default password" careful, or "let's deploy security patches only on Mondays" careful, or what?

    • One reason to go after accounts at providers like this is to spin up crypto mining machines. I assume they mean they are looking for this type of activity when monitoring customer accounts, but yes agree they need to monitor their back end systems as well.
  • by kriston ( 7886 ) on Wednesday April 28, 2021 @04:38PM (#61325348) Homepage Journal

    This is difficult news after going public a couple months ago.
