Digital Privacy

DigitalOcean admits data breach exposed customers’ billing details

DigitalOcean, the popular cloud-hosting provider, has told some of its customers that their billing details were exposed due to what it described as a “flaw.”

In an email sent out to affected users, DigitalOcean explained that an unauthorised party had managed to exploit the flaw to gain access to billing information between April 9 and April 22, 2021.

The following information from profiles was accessed:

  • Billing name
  • Billing address
  • Payment card expiration date
  • Last four digitals of user’s payment card
  • Payment card bank name

The company was at pains to underline that it does not store users’ fill payment card numbers and so they were not exposed. In addition, DigitalOcean says that it has fixed the flaw that the hacker exploited, and informed data protection authorities about the breach.

As reported by TechCrunch, a statement released by DigitalOcean claimed that only 1% of billing profiles had been impacted by the breach. (A few years ago, the company was claiming to have one million users – which would put the number of exposed accounts at north of 10,000.)

It’s not the first time that DigitalOcean has suffered a data breach that exposed customer information.

In May 2020, for instance, the company advised that a DigitalOcean-owned document from 2018 containing customer details was “unintentionally made available via a public link.”

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.