Though the hosting company has not yet released a public statement, it has started warning affected customers about the scope of the breach by email.
According to the breach notification email that affected customers [1, 2] received, the data leak was the result of negligence: DigitalOcean 'unintentionally' left an internal document accessible from the Internet without requiring a password.
"This document contained your email address and/or account name (the name you gave your account at sign-up) as well as some data about your account that may have included Droplet count, bandwidth usage, some support or sales communications notes, and the amount you paid during 2018," the company said in the warning email.
Upon discovery, a quick digital investigation revealed that the exposed file containing customers' data had been accessed by unauthorized third parties at least 15 times before the document was finally taken down.
"Our community is built on trust, so we are taking steps to make sure this doesn't happen again. We will be educating our employees on protecting customer data, establishing new procedures to alert us of potential exposures in a more timely manner, and making configuration changes to prevent future data exposure," the company added.
It should be noted that this incident does not indicate that the DigitalOcean website was compromised, nor that customers' login credentials were exposed to attackers.
So, if you have an account with the hosting service, there is no need to rush into changing your password. However, the service also offers two-factor authentication, which every user should enable to add an extra layer of security to their account.
The Hacker News has reached out to DigitalOcean for comment, and the story will be updated with the response.
Update — A spokesperson for the company confirmed the incident to The Hacker News and shared a statement:
"We had a document that was discovered to be shared publicly and while we feel confident there was no malicious access to that document, we informed our customers regardless for transparency. Less than 1% of our customer base was impacted, and the only PII included in the file was account name and email address.
"This was not related to a malicious act to access our systems. Our customers trust us with their data and we believe that an unintended use of that data, no matter how small, is reason enough to be transparent."