Digital Ocean, sharing customer data?

Raymii Member
edited April 2013 in General

http://www.wired.com/wiredenterprise/2013/04/digitalocean/

New York startup DigitalOcean says that its cloud server platform may be leaking data between its customers.

The company aims to fix this problem, but the snafu preys on many of the fears that so often prevent people from moving to cloud services — shared online services that provide instant access to computing resources, including processing power and storage space.

A low-cost competitor to giants such as RackSpace and Amazon, DigitalOcean sells cheap computing power to web developers who want to get their sites up and running for as little as $5 per month. But it turns out that some of those customers — those who were buying the $40 per month or $80 per month plans, for example — aren’t necessarily getting their data wiped when they cancel their service. And some of that data is viewable to other customers.

Kenneth White stumbled across several gigabytes of someone else’s data when he was noodling around on DigitalOcean’s service last week. White, who is chief of biomedical informatics with Social and Scientific Systems, found e-mail addresses, web links, website code and even strings that look like usernames and passwords — things like 1234qwe and 1234567passwd.

Wondering if it was a widespread issue, he spun up a few new virtual machines and found even more unerased data. In total, he found nearly 18 GB of data using the Linux command: cat /dev/vda | strings > /dev/shm/dump.txt. Then, on March 27, he told the company what was happening.

When contacted today by Wired, DigitalOcean CEO Ben Uretsky said his company would roll out a fix within the next 24 hours. Founded just 18 months ago, DigitalOcean says it has set up nearly 140,000 cloud servers.

The problem started in mid-January, when DigitalOcean introduced a new solid state drive storage service, Uretsky says. “The code that wipes the data — that securely deletes the data — was not being activated under the new SSD storage plans,” he says.

But he stressed that only a small percentage of customers — those who have a 4-GB or larger CPU memory plan — might have had their data exposed. That amounts to a maximum of about 3 percent of the company’s customer base, though even fewer are likely affected, Uretsky says. The data White uncovered was from a company that used one of these larger plans and then did not erase its data when it terminated its contract.

Smaller-scale users — those with 1-GB or 2-GB plans, for example — use a different type of storage technology that automatically wipes their data when they close out their accounts, he says.

That’s cold comfort for White. He says that the lesson here is to verify your cloud provider’s security yourself. “I’m just shocked that in 2013 we’re seeing this,” he says. “Formatting the drive before I get it; yeah that would be good.”

Update

DigitalOcean now says that it has resolved the issue.

How do other VPS providers handle cancelled accounts? Do you wipe afterwards?

Remember, it is Wired...
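The failure described in the quoted article, a wipe step that silently did not run before storage was handed to the next customer, can be caught by reading the volume back before releasing it. The following is an added example, not part of the original post or DigitalOcean's code; the function names, the 1 MiB block size and the sample image are assumptions made for illustration, and it checks only what a tenant can read through the logical block device.

```python
import os
import tempfile

BLOCK = 1 << 20  # 1 MiB scan/wipe granularity (assumed; tune to the backing store)

def nonzero_blocks(path, block=BLOCK):
    """Return byte offsets of blocks that contain any non-zero byte."""
    hits, offset = [], 0
    with open(path, "rb") as dev:
        while chunk := dev.read(block):
            if chunk.count(0) != len(chunk):
                hits.append(offset)
            offset += len(chunk)
    return hits

def wipe(path, block=BLOCK):
    """Overwrite every logical block with zeros and flush to the device."""
    zeros = bytes(block)
    with open(path, "r+b") as dev:
        remaining = dev.seek(0, os.SEEK_END)
        dev.seek(0)
        while remaining:
            n = min(block, remaining)
            dev.write(zeros[:n])
            remaining -= n
        dev.flush()
        os.fsync(dev.fileno())

def release_volume(path, wipe_fn=wipe):
    """Wipe, then verify by reading back; refuse to release if data remains."""
    wipe_fn(path)
    leftover = nonzero_blocks(path)
    if leftover:
        raise RuntimeError(f"{len(leftover)} block(s) still hold data; not reusable")
    return True

def make_sample_volume(size=4 * BLOCK):
    """Constructed stand-in for a cancelled customer's volume (not real data)."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.truncate(size)
        f.seek(2 * BLOCK + 512)
        f.write(b"user=example-tenant password=constructed-sample\n")
    return path

if __name__ == "__main__":
    vol = make_sample_volume()
    print("before wipe:", nonzero_blocks(vol))
    try:
        release_volume(vol, wipe_fn=lambda p: None)  # the wipe step silently skipped
    except RuntimeError as err:
        print("blocked:", err)
    print("released:", release_volume(vol), nonzero_blocks(vol))
    os.remove(vol)
```

The read-back in `release_volume` is what turns a skipped wipe from a silent data leak into a failed deprovisioning job.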
