The hackers, who wanted to draw attention to the dangers of mass surveillance, said they were able to break into hospitals, schools, factories, prisons and corporate offices after they broke into security camera systems.
The California start-up, Verkada, said Wednesday it was investigating the breach, which Bloomberg first reported and notified law enforcement and its customers.
Swiss hacker Tilly Cottman, who calls himself APT-69420 Arson Cats, described it in an online interview with The Associated Press as “mostly a small group of queer hackers who are not supported by any nation or capital but instead support entertainment.” “The desire to be gay և a better world.”
They were able to access Verkada’s “super” administrator account using valid credentials found online, Kotman said. In a statement, Verkada said he had since shut down all administrator internal accounts to prevent any unauthorized access.
The hackers said that in two days they were able to freely watch live streams from potentially tens of thousands of cameras, including many that were viewed in sensitive areas such as hospitals and schools. Cottman says it included outdoor CCTV at Sandy Hook Elementary School in Newtown, Connecticut, where a gunman shot dead six of the 26 first-graders and six teachers in one of the deadliest shootings in U.S. history in 2012. :
The school district inspector did not call or comment on Wednesday.
One of Verkada’s most influential customers, the San Francisco-based Web infrastructure and security company Cloudflare, said Verkada’s damaged cameras were watching the entrances and highways to some of its offices, which have been closed for almost a year due to the epidemic.
“As soon as we heard about the compromise, we turned off the cameras and disconnected them from the office networks,” said Laurel Tony, a spokeswoman. “There was no customer data or impact as a result of this incident.”
Twitter reported that it had permanently suspended Kotman’s account, which posted hacked material for violating its ban avoidance rules, which usually occurs when users start a new account to circumvent an earlier suspension. Cottman had previously received a message from Twitter suspending his account for violating his rules against the distribution of broken materials.
Verkada, based in San Mateo, California, has launched its cloud surveillance service as part of next-generation workplace security. Its software detects when people are on camera. Not all customers use the face recognition feature.
The company received negative attention last year when IPVM, a video surveillance website, reported that Verkada employees had flipped through photos of female colleagues who had collected the company’s own office cameras and made sexual comments about them.
Cybersecurity expert Eliza Costante said it was worrying that this week’s hacking was not difficult, it was just involved in using valid credentials to access a huge amount of data stored on the cloud server.
“It’s disturbing to see how much real data can get into the wrong hands, how easy it is,” said Costante, vice president of research at Forescout. “It’s a signal to make sure that when you collect so much data, we need basic safety hygiene.”
Cottman said the hacker team, which has been operating since 2020, does not set specific targets. Instead, it scans the known vulnerabilities on the Internet in organizations, then “just shrugs off and digs into interesting targets.”