Personal blog of Yzmir Ramirez

DigitalOcean has emailed customers warning of a data breach involving customers’ billing data, TechCrunch has learned.

The cloud infrastructure giant told customers in an email on Wednesday, obtained by TechCrunch, that it has “confirmed an unauthorized exposure of details associated with the billing profile on your DigitalOcean account.” The company said the person “gained access to some of your billing account details through a flaw that has been fixed” over a two-week window between April 9 and April 22.

The email said customer billing names and addresses were accessed, as well as the last four digits of the payment card, its expiry date and the name of the card-issuing bank. The company said that customers’ DigitalOcean accounts were “not accessed,” and passwords and account tokens were “not involved” in this breach.

“To be extra careful, we have implemented additional security monitoring on your account. We are expanding our security measures to reduce the likelihood of this kind of flaw occuring [sic] in the future,” the email said.

DigitalOcean said it fixed the flaw and notified data protection authorities, but it’s not clear what the apparent flaw was that put customer billing information at risk.

In a statement, DigitalOcean’s security chief Tyler Healy said 1% of billing profiles were affected by the breach, but declined to address our specific questions, including how the vulnerability was discovered and which authorities have been informed.

Companies with customers in Europe are subject to GDPR and can face fines of up to 4% of their global annual revenue.

Last year, the cloud company raised $100 million in new debt, followed by another $50 million round, months after laying off dozens of staff amid concerns about the company’s financial health. In March, the company went public, raising about $775 million in its initial public offering. 

Salesforce, the 20-year-old leader in customer relationship management (CRM) tools, is making a foray into Asia by working with one of the country’s largest tech firms, Alibaba.

Alibaba will be the exclusive provider of Salesforce to enterprise customers in mainland China, Hong Kong, Macau and Taiwan, and Salesforce will become the exclusive enterprise CRM software suite sold by Alibaba, the companies announced on Thursday.

The Chinese internet has for years been dominated by consumer-facing services such as Tencent’s WeChat messenger and Alibaba’s Taobao marketplace, but enterprise software is starting to garner strong interest from businesses and investors. Workflow automation startup Laiye, for example, recently closed a $35 million funding round led by Cathay Innovation, a growth-stage fund that believes “enterprise software is about to grow rapidly” in China.

The partners have something to gain from each other. Alibaba does not have a Salesforce equivalent serving the raft of small-and-medium businesses selling through its e-commerce marketplaces or using its cloud computing services, so the alliance with the American cloud behemoth will fill that gap.

On the other hand, Salesforce will gain sales avenues in China through Alibaba, whose cloud infrastructure and data platform will help the American firm “offer localized solutions and better serve its multinational customers,” said Ken Shen, vice president of Alibaba Cloud Intelligence, in a statement.

“More and more of our multinational customers are asking us to support them wherever they do business around the world. That’s why today Salesforce announced a strategic partnership with Alibaba,” said Salesforce in a statement.

Overall, only about 10% of Salesforce revenues in the three months ended April 30 originated from Asia, compared to 20% from Europe and 70% from the Americas.

Besides gaining client acquisition channels, the tie-up also enables Salesforce to store its China-based data at Alibaba Cloud. China requires all overseas companies to work with a domestic firm in processing and storing data sourced from Chinese users.

“The partnership ensures that customers of Salesforce that have operations in the Greater China area will have exclusive access to a locally-hosted version of Salesforce from Alibaba Cloud, who understands local business, culture and regulations,” an Alibaba spokesperson told TechCrunch.

Cloud has been an important growth vertical at Alibaba and nabbing a heavyweight ally will only strengthen its foothold as China’s biggest cloud service provider. Salesforce made some headway in Asia last December when it set up a $100 million fund to invest in Japanese enterprise startups and the latest partnership with Alibaba will see the San Francisco-based firm actually go after customers in Asia.

Google says a small number of its enterprise customers mistakenly had their passwords stored on its systems in plaintext.

The search giant disclosed the exposure Tuesday but declined to say exactly how many enterprise customers were affected. “We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” said Google vice president of engineering Suzanne Frey.

Passwords are typically scrambled using a hashing algorithm to prevent them from being read by humans. G Suite administrators are able to manually upload, set and recover new user passwords for company users, which helps in situations where new employees are on-boarded. But Google said it discovered in April that the way it implemented password setting and recovery for its enterprise offering in 2005 was faulty and improperly stored a copy of the password in plaintext.

Google has since removed the feature.

No consumer Gmail accounts were affected by the security lapse, said Frey.

“To be clear, these passwords remained in our secure encrypted infrastructure,” said Frey. “This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”

Google has more than 5 million enterprise customers using G Suite.

Google said it also discovered a second security lapse earlier this month as it was troubleshooting new G Suite customer sign-ups. The company said since January it was improperly storing “a subset” of unhashed G Suite passwords on its internal systems for up to two weeks. Those systems, Google said, were only accessible to a limited number of authorized Google staff, the company said.

“This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords,” said Frey.

Google said it’s notified G Suite administrators to warn of the password security lapse, and will reset account passwords for those who have yet to change.

A spokesperson confirmed Google has informed data protection regulators of the exposure.

Google becomes the latest company to have admitted storing sensitive data in plaintext in the past year. Facebook said in March that “hundreds of millions” of Facebook and Instagram passwords were stored in plaintext. Twitter and GitHub also admitted similar security lapses last year.

Read more:

• Researchers find 540 million Facebook user records on exposed servers
• Facebook now says its password leak affected ‘millions’ of Instagram users
• A leaky database of SMS text messages exposed password resets and two-factor codes
• A hotspot finder app exposed 2 million Wi-Fi network passwords
• You should change your Twitter password right now
• A family tracking app was leaking real-time location data

At Google, the company offers a ‘Grab and Go’ program that allows employees to use self-service stations to quickly borrow and return Chromebooks without having to go through a lengthy IT approval process. Now, it’s bringing this same idea to other businesses.

Chromebooks have found their place in education and a number of larger enterprise companies are also getting on board with the idea of a centrally managed device that mostly focuses on the browser. That’s maybe no surprise, given that both schools and enterprises are pretty much looking for the same thing from these devices.

At Google, the system has seen more than 30,000 users that have completed more than 100,000 loans so far.

While Google wants others to run similar programs (and use more Chromebooks in the process) it’s worth noting that this is a limited preview program and that Google isn’t building and selling racks or other infrastructure for this. As a Google spokesperson told us, Google will give companies that want to try this the open source code to build this system and advise them through the setup and deployment. It will also engage with partners to help them build the hardware or set up a ‘Grab and Go’ as a service system.

Employees who want to use one of these ‘Grab and Go’ stations simply pick up a laptop, sign in and move on with their day. When they are done, they simply return the laptop. That’s it. Easy.

That’s not quite as exciting as Google building and selling racks of Chromebooks, but this project is clearly another move to bring Chromebooks to the enterprise. Specifically, Google says that this program is meant for frontline workers who only need devices for a short period of time, as well as shift workers and remote workers.

A report by CSOOnline presented the possibility that Microsoft would be able to ban “offensive language” from Skype, Xbox, and, inexplicably, Office. The post, which cites Microsoft’s new terms of use, said that the company would not allow users to “publicly display or use the Services to share inappropriate content or material (involving, for example, nudity, bestiality, pornography, offensive language, graphic violence, or criminal activity)” and that you could lose your Xbox Live Membership if you curse out a kid Overwatch.

“We are committed to providing our customers with safe and secure experiences while using our services. The recent changes to the Microsoft Service Agreement’s Code of Conduct provide transparency on how we respond to customer reports of inappropriate public content,” said a Microsoft spokesperson. The company notes that “Microsoft Agents” do not watch Skype calls and that they can only respond to complaints with clear evidence of abuse. The changes, which go into effect May 1, allows Microsoft to ban you from it services if you’re found passing “inappropriate content” or using “offensive language.”

These new rules give Microsoft more power over abusive users and it seems like Microsoft is cracking down on bad behavior on its platforms. This is good news for victims of abuse in private communications channels on Microsoft products and may give trolls pause before they yell something about your mother on Xbox. We can only dare to dream.