A Ubiquiti NanoStation Wireless Bridge seen in operation. Ubiquiti experienced a breach that may have exposed customer data. (KN6KS/CC BY-NC 2.0)

IoT networking device vendor Ubiquiti experienced a breach of a web portal it uses to manage remote devices and as a support portal.

The web servers stored information pertaining to user profiles for the account.ui.com portal that Ubiquiti makes available to customers who bought one of its router or webcam products, a ZDNet report said.

The company said in a statement it only recently became aware of the breach. And while there’s no evidence of access to any databases that host user data, Ubiquiti is not certain whether the breach exposed user data, such as names, addresses, phone numbers, email addresses and one-way encrypted passwords to user accounts.

As a precaution, Ubiquiti said, users should change their passwords on the company’s web portal and on any website where they may have used the same user ID or password. Ubiquiti also recommend that users enable two-factor authentication on all accounts they have with the company.

But advising customers to rotate passwords, including any other internet services where the same passwords have been used, is a common poor practice that often results in data breaches escalating further, according to Joseph Carson, chief security scientist and advisory chief information security officer at Thycotic. 

“The response has been mixed as the notification did not provide much detail on what a good password is, or advice on using a password manager to help increase the security of such privileged access,” Carson said. “The scary thought is whether or not this unauthorized access has allowed attackers access to customer’s networks, including security camera footage.”

Companies such as Ubiquiti that focus on access and security should demand multi-factor authentication by default, Carson added.

With the passwords to IoT devices and the system to manage them, Craig Lurey, co-founder and chief technology officer of Keeper Security, said cybercriminals could take a number of malicious actions, including:

  • Logging into the IoT devices and use them to launch a DDoS attack.
  • Logging into the IoT devices and use them for real-world crimes. For example, access to webcams can be used for cyberspying/cyberstalking, and bad actors can access smartlocks to conduct burglaries.
  • Using the stolen passwords in brute-force attacks on other websites. Password reuse is common, and in fact, in its email, Ubiquiti instructed customers to reset passwords that they’re reusing elsewhere.