Skip to main content

IaaS provider DigitalOcean finds itself back in security trouble

An Intel solid state disk drive.

Join us in Atlanta on April 10th and explore the landscape of security workforce. We will explore the vision, benefits, and use cases of AI for security teams. Request an invite here.


Fast-growing Infrastructure-as-a-Service (IaaS) provider DigitalOcean is updating its code to make sure its fast storage doesn’t inadvertently expose one customer’s data to any other customer.

The issue arose last night, when Jeffrey Paul, a self-described hacker and researcher based in Berlin, took to GitHub to point out that DigitalOcean does not automatically wipe the data off of fast solid-state disk (SSD) drives used for storage alongside DigitalOcean’s virtual servers. Beyond that, Paul showed how it was possible for the next person who uses a given DigitalOcean virtual server to pull down some data from the previous customer.

“I was able to recover someone else’s webserver logs from yesterday,” Paul wrote.

Within the capabilities of the application programming interface (API) that developers can use to control their assets on DigitalOcean’s cloud, it’s possible to instruct DigitalOcean to completely clean off the data on a droplet, or virtual server, once a customer has finished using it. The “scrub_data” command is “optional,” according to DigitalOcean’s API documentation. It “will strictly write 0’s to your prior partition to ensure that all data is completely erased,” the documentation states.

VB Event

The AI Impact Tour – Atlanta

Continuing our tour, we’re headed to Atlanta for the AI Impact Tour stop on April 10th. This exclusive, invite-only event, in partnership with Microsoft, will feature discussions on how generative AI is transforming the security workforce. Space is limited, so request an invite today.
Request an invite

In the GitHub thread, some developers expressed that they would like to see the storage scrubbed by default, not just whenever a developer instructs DigitalOcean to do it.

Today DigitalOcean cofounder Moisey Uretsky published a blog post in response to the issues and explained how the company’s policies have changed this year. DigitalOcean implementing storage scrubbing, although as the company became more popular, it decided that scrubbing would not be the default in order to optimize performance. This, Uretsky wrote, was a mistake.

Another mistake was not letting customers know about changes to the API, Uretsky wrote.

And so now the company is in the process of updating its code, he explained:

Our first and immediate update is to ensure that a clean system is provided during creates, regardless of what method was taken for initiating a destroy. Engineers are updating the code base right now to ensure that will be the default behavior, and we will provide another notice when that code is live.

Uretsky did not say when exactly the changes will be implemented.

The scramble comes as the company is growing fast in the public cloud market — faster than major player Amazon Web Services, by one metric — and needs to look reliable.

This isn’t the first time DigitalOcean has dealt with security concerns. A similar issue over erasing all data surfaced in April. The company announced a resolution within hours. Now the company has more work to do to prove its cloud is secure.

VB Daily - get the latest in your inbox

Thanks for subscribing. Check out more VB newsletters here.

An error occured.