Connect with us

Hi, what are you looking for?



Former Employee Accused of Being Behind Ubiquiti Hack

The hacker attack disclosed by Ubiquiti in January 2021 was actually conducted by a former employee, according to the Justice Department, which announced charges against the individual on Wednesday.

The hacker attack disclosed by Ubiquiti in January 2021 was actually conducted by a former employee, according to the Justice Department, which announced charges against the individual on Wednesday.

The US-based communications and IoT device maker informed customers in January that it had suffered a data breach related to a cloud services provider. The company said at the time that it had no evidence of user data being compromised, but couldn’t definitively rule it out, so it advised customers to change their password as a precaution.

In late March, someone claiming to be an Ubiquiti employee involved in investigating the incident contacted cybersecurity blogger Brian Krebs, claiming that the company had downplayed the impact of what they described as a “catastrophic” breach. This led to a significant drop in the value of Ubiquiti shares.

The source told Krebs at the time that the attacker had gained root access to all Ubiquiti AWS accounts, including credentials and other sensitive information.

On Wednesday, the Justice Department announced charges against a former Ubiquiti employee and shared information on what allegedly happened between December 2020 and March 2021.

According to the FBI, 36-year-old Nickolas Sharp of Portland, Oregon, who had been employed by Ubiquiti since August 2018, was behind the “hack.” He apparently simply misused his administrative access to download gigabytes of confidential data from the company’s GitHub and AWS servers.

Sharp was assigned to the team investigating the apparent breach and, in January, he sent Ubiquiti a ransom note claiming to be an anonymous hacker and threatening to leak the stolen information unless he was paid 50 bitcoin — worth roughly $1.9 million at the time.

Authorities also claim that Sharp was the “whistleblower” who reached out to Brian Krebs in late March to claim that the breach had been more serious than Ubiquiti admitted.

Advertisement. Scroll to continue reading.

Before Krebs published his article in late March, the FBI executed a search warrant at Sharp’s home in Portland. The FBI had identified him based on an IP address and a PayPal account. The unauthorized access to Ubiquiti systems was done though the Surfshark VPN, but the Surfshark subscription had been purchased with a PayPal account registered to Sharp. In addition, at one point, an internet outage at Sharp’s home caused a problem with Surfshark, which resulted in his real IP address being used to access Ubiquiti systems.

When Ubiquiti issued a statement in response to Krebs’ article, the company said it had evidence that someone with “intricate knowledge” of its cloud infrastructure had been the perpetrator.

Sharp has been charged with transmitting a program to a protected computer that intentionally caused damage, transmission of an interstate threat, wire fraud, and making false statements to the FBI. Each of these charges carry a maximum prison sentence ranging between two and 20 years.

It’s worth noting that Ubiquity is not actually named in the DoJ’s indictment or press release, but it’s clear that the charges are related to the Ubiquiti hack. 

Related: Former Cisco Employee Sentenced to Prison for Webex Hack

Related: Judge Rejects Ex-CIA Worker’s Try to Dismiss Hacking Charges

Related: Former Palo Alto Networks Employee Charged With Insider Trading

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.