DigitalOcean, a popular web-hosting platform, has started informing customers about a data leak that “unintentionally” exposed personally identifiable information online.
According to a notification sent to DigitalOcean users, the incident is linked to a 2018 company-owned document that was publicly available for viewing without requiring any authentication.
“This document contained your email address and/or account name (the name you gave your account at sign-up) as well as some data about your account that may have included Droplet count, bandwidth usage, some support or sales communications notes, and the amount you paid during 2018,” the letter reads. An investigation by the provider’s security team found the internal document was “accessed at least 15 times” before it was taken down.
No official statement was released, but company officials have commented on the incident, saying that “there was no malicious access to that document” and “less than 1% of our customer base was impacted.”
“The only PII included in the file was account name and email address,” the company added. “This was not related to a malicious act to access our systems.”
DigitalOcean takes full responsibility for the data leak and promises to put employees through extensive training to ensure customer data protection and prevent future incidents.
The notification letter also reassures users that “your Droplets and other systems you run on our platform have not been impacted by this mistake, we are committed to being transparent anytime we feel your data has been used in a way that does not align with our values.”
While there is no indication of foul play or a targeted attack, changing your account password and enabling two-factor authentication is never a bad idea. Companies should start focusing on protecting customer data, regardless of the type of information they handle. Even with limited information, bad actors can still formulate phishing campaigns to steal additional information or financial details.