Ubiquiti accounts hacked: Users should change their password
Ubiquiti is currently telling users to change the password of their cloud account. According to an email with the subject “Account Notification”, there may have been unauthorized access to the company's IT systems.
The company is currently sending emails to all users with a Ubiquiti account. The email advises you to change your account password and turn on two-factor authentication. If you host your UniFi Controller locally in your network, you shouldn't have a problem. However, users with a cloud key that does not run in standalone mode do need an account, which could be affected here.
We checked the email and were able to verify that it is a genuine email from Ubiquiti. The notice also appears in the Community forum. Nevertheless, to be on the safe side, you should check the links manually to see whether they really point to "account.ui.com", or log in there directly.
Change password for other services as well
It is possible that users' names, email addresses and hashed passwords have been exposed. If you also have a telephone number and address stored in the account, these could also have been accessed. For security reasons, the company recommends changing the password and also activating two-factor authentication.
As with every hack, it cannot be ruled out that the attackers can make use of the passwords, and it is just as unclear how securely the passwords were actually stored. You should therefore also change the password used for the Ubiquiti account as quickly as possible on any other services where it is in use. In general, it is advisable to use a separate password for each service or to get a password manager. Two-factor authentication also improves security. We have explained why that makes sense in this guide.
Related to the outage at the weekend?
At the weekend, Ubiquiti had to contend with an outage of exactly the cloud services mentioned above, as can be seen on the status page. It is not known whether the two incidents are related, but it could be the case. Thanks to BleepingComputer (via Twitter) for this food for thought.
Hi all,
you write that users need an account for a cloud key. I think this information is wrong. I can choose the local variant during installation and deactivate remote support. So I don't need an account.
Regards
Raphael
Hi Raphael,
thanks for the hint! Then I actually heard that wrong from someone. I just did some research myself and there is actually a standalone mode. Sorry, I'll fix the bug.
Best regards, David from TechnikNews
I received the above mail on my private Gmail, but Ubiquiti doesn't tell me anything; as far as I know, I haven't downloaded anything myself or registered anywhere. How can it be that I get such an email?
Hello Branka,
It could of course be a phishing email, but it doesn't have to be. The best thing to do is to simply check whether you have a Ubiquiti account with the following option:
Go to https://account.ui.com/reset-password and enter your email address. You will then receive a link to reset your password.
If an email arrives, it logically means that you have to have an account there. Then the best thing to do (as recommended in the article) is to change the password right away. If not, simply delete the received email and ignore it.
Best regards, David from TechnikNews
In my email, which looks like the one shown above, all the links come up as https://ui.us8.list-manage.com/track/click?u=…………. How did you verify the authenticity of your email?
Hello Michael,
this is quite common with mass mails or newsletters - it allows the sender to track how many people have opened links in the mail.
The best way to check such emails is as follows:
> The links listed (albeit via tracking links as above) ultimately lead to official pages (in this case .ui.com)
> The sender domain matches the company (in this case @ubnt.com)
> You check the mail headers + SPF entries manually (but usually the mail provider does this and rejects the mail if something does not fit)
> If you search for this mail on the Internet, in this case you come across our article here or the forum entry from Ubiquiti, as linked above
If you are not sure about such emails, if in doubt you should go directly to the manufacturer's website, as mentioned above in the article.
I hope I was able to provide some clarification!
Best regards, David from TechnikNews
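The checks listed in the reply above, as a small script (an added example, not from TechnikNews or Ubiquiti). The sample mail, its sender address and the look-alike host are constructed, and the domain lists are assumptions taken from the article and the comments.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed allowlists, taken from the article and the comments above.
OFFICIAL = ("ui.com",)            # where links should finally lead
SENDERS = ("ubnt.com",)           # expected sender domain
TRACKERS = ("list-manage.com",)   # mass-mail click tracking, hides the real target

def host_in(host, domains):
    """Exact domain or true subdomain; 'ui.com.login.example' does not count."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def classify_link(url):
    parts = urlsplit(url)
    host = parts.hostname  # ignores any 'user@' part placed before the real host
    if parts.scheme == "https" and host_in(host, OFFICIAL):
        return "official"
    if parts.scheme == "https" and host_in(host, TRACKERS):
        return "tracking"  # follow it by hand or go to the site directly
    return "suspicious"

def check_mail(raw):
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    # Only meaningful if this header was added by your own mail provider.
    auth = msg.get("Authentication-Results", "")
    links = re.findall(r"https?://[^\s\"'<>]+", msg.get_payload())
    return {
        "sender_ok": host_in(sender_domain, SENDERS),
        "spf_pass": re.search(r"\bspf=pass\b", auth) is not None,
        "links": {u: classify_link(u) for u in links},
    }

# Constructed sample mail (addresses, headers and look-alike host are made up).
SAMPLE = """\
From: Ubiquiti <sender@ubnt.com>
Subject: Account Notification
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce.example.org

Change password: https://ui.us8.list-manage.com/track/click?u=CONSTRUCTED
Reset page: https://account.ui.com/reset-password
Look-alike: https://account.ui.com.login.example/reset
"""

if __name__ == "__main__":
    for key, value in check_mail(SAMPLE).items():
        print(key, value)
```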
The lurid title of this article doesn't really fit. No Ubiquiti accounts were hacked.
Hello Olaf, I don't know what else to call the title. There was “unauthorized access to some IT systems from an external cloud provider”. But one is not sure whether the databases have not also been tapped. So it could be that Ubiquiti accounts have been hacked. Passwords will not be changed for no reason.
You are of course right, but I would not have thought of another title or should the article be somehow findable on the Internet.
Best regards, David from TechnikNews
Hi Olaf,
David is right, it's super annoying that there is no further information in the Unifi community. It would have been easy to set up a corresponding information page. There is only one entry in the community that cannot be commented on.
It wouldn't be a big problem for me either, because only the online account at Unifi would be affected and not my local infrastructure, BUT for some time now Unifi has been forcing the creation of a superuser with this online account via the controller. I (unfortunately) have bought the Unifi DM Pro. You can't put it into operation without this account (there is no option to restore a backup in the input window).
Since it is completely non-transparent for the customers what is linked together and how and where the data is ultimately stored or merged, I find this hack quite violent.
Regards
Udo
Hi Udo,
I agree. No more detailed information was given at all, so it could very well be that accounts have been intruded. Even if, of course, Ubiquiti wouldn't say that openly. Of course, something completely different may have happened that has nothing to do with user data. But I think there is a reason why they mention that user data could have been tapped.
This account requirement also annoys me very much!
Best regards, David from TechnikNews