Security Experts:

Connect with us

Hi, what are you looking for?


Incident Response

Ubiquiti Shares Dive After Reportedly Downplaying ‘Catastrophic’ Data Breach

Shares of New York City-based IoT device maker Ubiquiti (NYSE: UI) fell significantly this week following a report claiming that the recently disclosed data breach was “catastrophic” and that its impact was downplayed.

Shares of New York City-based IoT device maker Ubiquiti (NYSE: UI) fell significantly this week following a report claiming that the recently disclosed data breach was “catastrophic” and that its impact was downplayed.

Ubiquiti informed customers in January that it had detected unauthorized access to some IT systems hosted by an unnamed third-party cloud provider. The company said at the time that it had found no evidence user data was compromised, but it could not rule it out so it instructed customers to change their passwords.

Cybersecurity blogger Brian Krebs reported on Tuesday, March 30, that he learned from someone involved in the response to the breach that Ubiquiti “massively downplayed” an incident that was actually “catastrophic,” in an effort to minimize impact on its value on the stock market.

According to Krebs’ source, the attacker gained access to Ubiquiti’s AWS servers and then attempted to extort 50 bitcoin (worth nearly $3 million) from the company to keep quiet about the hack.

The attacker obtained privileged credentials from an Ubiquiti employee’s LastPass account and “gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies,” according to the source. The hacker allegedly could have remotely authenticated to Ubiquiti cloud-based devices.

According to Krebs, Ubiquiti discovered the breach in late December 2020 and later removed a couple of backdoors planted by the attacker — the firm reportedly did not engage with them. The company then started changing employee credentials, and on January 11 it informed customers about an incident and instructed them to change their passwords.

Following Krebs’ report, Ubiquiti issued a statement on Wednesday to provide more information, but noted that it cannot comment further due to an ongoing law enforcement investigation.

“In response to this incident, we leveraged external incident response experts to conduct a thorough investigation to ensure the attacker was locked out of our systems,” the company stated. “These experts identified no evidence that customer information was accessed, or even targeted. The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information. This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident.”

Krebs’ source, however, claimed that Ubiquiti couldn’t have found any evidence of access to customer data because it didn’t actually have any access logs that it could check.

When Ubiquiti disclosed the security incident in January, it only had a small impact on its stock and the value of its shares has increased significantly since, from roughly $250 per share on January 12 to $350 per share on March 30.

Now, following news that the breach may have been bigger than the company led customers and investors to believe, Ubiquiti shares are down to $290 at the time of publishing.

At least two law firms are investigating whether Ubiquiti violated federal securities laws and are urging the company’s investors to contact them.

Related: Class Action Lawsuit Filed Against Marriott Over New Data Breach

Related: Massachusetts, Indiana Settle With Equifax Over 2017 Data Breach

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.