Cyber Incident Victim: DigitalOcean

Date: Apr 2021

Location: United States of America

Summary

A cloud infrastructure provider experienced unauthorized access to customer billing information due to a security flaw that has since been remediated. The breach exposed billing names, addresses, partial payment card details (last four digits, expiration dates), and issuing bank names, but did not compromise account credentials, passwords, or tokens. The company implemented additional security monitoring and enhanced protective measures while notifying relevant data protection authorities. Approximately 1% of billing profiles were affected by the incident.

Description

DigitalOcean notified customers of a data breach involving unauthorized access to billing information between April 9 and April 22, 2021. The cloud infrastructure company disclosed that an individual exploited a flaw in its systems to access billing profiles over this two-week period. Exposed data included customer billing names, addresses, the last four digits of payment cards, card expiration dates, and the names of card-issuing banks. DigitalOcean confirmed customer accounts themselves were not compromised, with passwords and account tokens remaining secure. The company fixed the vulnerability shortly after discovery and implemented additional security monitoring on affected accounts. An email sent to customers on April 28, 2021, stated that data protection authorities had been notified, though specific regulatory bodies were not named. DigitalOcean’s Chief Security Officer Tyler Healy later revealed approximately 1% of billing profiles were impacted but declined to disclose how the vulnerability was discovered or provide technical details about the flaw.

The breach exposed limited payment card information but did not compromise full card numbers or enable direct financial fraud. DigitalOcean responded by expanding security measures to prevent similar incidents, though specific enhancements were not detailed. Potential GDPR implications existed for European customers, with possible fines reaching 4% of global revenue, though no enforcement actions were confirmed in initial reports. The incident occurred against a backdrop of financial changes for DigitalOcean, which had recently raised $100 million in debt followed by a $50 million funding round after staff layoffs in 2020. The company had completed its initial public offering in March 2021, raising $775 million weeks before the breach window opened. DigitalOcean’s public statements emphasized containment of the exposure while maintaining that core account security mechanisms remained intact throughout the incident.
