Western Digital (WD), one of the most prominent storage device manufacturers, is recommending that its My Book Live users unplug their devices from the internet if they don’t want their data deleted. The company’s engineers are currently investigating what has caused these data wipes across the world.
The incident came to light on a Western Digital support forum thread where users reported that all of their data had been deleted overnight without any prior notice. A user going by the alias ‘sunpeak’ reported that their NAS had been working fine for years, but somehow, all the data was gone overnight.
Western Digital reported that they’re actively investigating the attack but don’t believe that their servers were compromised, subtly implying that the cause of the attacks was compromised user accounts instead.
User outrage and confusion
As more and more users poured into the original support thread complaining about the issue, sunpeak posted a portion of the device logs clearly showing that the device had received a factory reset command remotely, which caused the data to get wiped.
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
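Owners who still have a copy of their device log can check it for the same factoryRestore.sh entry. The following is an added example, not code from the forum thread or from Western Digital: it scans syslog text in the format of the excerpt above and reports each factory restore with the time the device came back up. The function names, the year argument (the log lines carry no year) and the use of the next S15mountDataVolume.sh start as the "back up" marker are assumptions.

```python
import re
from datetime import datetime

# Lines taken from the excerpt quoted in the article (some pkg lines omitted).
SAMPLE_LOG = """\
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
"""

# Classic syslog layout: "Mon DD HH:MM:SS host tag: message"
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:]+): ?(.*)$")

def parse(line, year):
    """Split one syslog line into (timestamp, host, tag, message), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp, host, tag, msg = m.groups()
    # Syslog timestamps have no year, so the caller supplies one (assumption).
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, host, tag, msg

def find_factory_resets(text, year=2021):
    """Return one dict per factoryRestore.sh run, with the next boot time if logged."""
    events = []
    for line in text.splitlines():
        rec = parse(line, year)
        if rec is None:
            continue  # skip blank or malformed lines instead of failing
        ts, host, tag, msg = rec
        if tag == "factoryRestore.sh" and msg.startswith("begin script"):
            events.append({"host": host, "reset_at": ts, "back_at": None})
        elif tag == "S15mountDataVolume.sh" and "start" in msg:
            # First data-volume mount after a reset is treated as the device returning.
            if events and events[-1]["back_at"] is None:
                events[-1]["back_at"] = ts
    return events

if __name__ == "__main__":
    for e in find_factory_resets(SAMPLE_LOG):
        gap = e["back_at"] - e["reset_at"] if e["back_at"] else "unknown"
        print(f"{e['host']}: factory restore at {e['reset_at']}, back after {gap}")
```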
Affected users who tried logging in to the NAS’s UI were shown a new page with an input box for ‘owner password’. Thread originator sunpeak reported that neither the default password (admin) nor the password they had set got them past the page. There are no links to change or reset the password on the page either.
Western Digital’s response
After many users started pouring in with similar complaints, WD started an investigation into the matter. However, as mentioned above, they don’t believe that the cause is a server breach.
The company says that several of its My Book Live devices were compromised by ‘malicious software’ and recommended users disconnect their devices from the internet to save their data. WD also pointed out that the device received its final firmware update in 2015, which is a long time ago.
“Western Digital has determined that some My Book Live devices are being compromised by malicious software. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015. We understand that our customers’ data is very important. At this time, we recommend you disconnect your My Book Live from the Internet to protect your data on the device. We are actively investigating, and we will provide updates to this thread when they are available,” WD said in a statement.
Their statement, however, doesn’t answer the question of how so many accounts, some if not all of them completely unrelated, were breached at approximately the same time.