Hackers say they broke into Silicon Valley startup Verkada’s network and gained access to live video feeds from more than 150,000 surveillance cameras the company manages for Cloudflare, Tesla and a host of other organizations.
The group posted videos and images that they said came from those companies’ offices, warehouses and factories, as well as prison cells, psychiatric wards, banks and schools. Bloomberg News, which first reported the breach, said footage viewed by a reporter showed staffers at the Halifax Health hospital in Florida attacking a man and pinning him to a bed. Another video showed a handcuffed man at a police station in Stoughton, Massachusetts, being questioned by officers.
“I don’t think the ‘we hacked the internet’ claim has ever been as accurate as it is now,” said Tillie Kottmann, a member of a hacker collective calling itself APT 69420 Arson Cats. wrote on Twitter.
Kottmann told Ars that the hack was made possible after Verkada put an unprotected internal development system on the internet. It contained credentials for an account with superadmin rights on the Verkada network. Once inside the network, the hackers said they had access to feeds from 150,000 cameras, some of which provided high-definition video and used facial recognition.
In a statement, a Verkada spokesperson wrote: “We have disabled all internal administrator accounts to prevent unauthorized access. Our internal security team and external security firm are investigating the magnitude and scope of this issue and we have notified law enforcement.”
A Cloudflare representative, meanwhile, wrote:
This afternoon we were warned that the Verkada security camera system that monitors key access points and major roads in a handful of Cloudflare offices may have been compromised. The cameras were located in offices that have been officially closed for almost a year. Once we became aware of the compromise, we disabled and disconnected the cameras from office networks. To be clear, no customer data or processes were affected by this incident.
Tesla did not immediately respond to a request for comment.
Kottmann is a Switzerland-based software engineer who leaked 20GB of Intel source code and proprietary data last year. Other companies whose data has allegedly been breached by Kottmann include AMD, Microsoft, Adobe, Lenovo, Qualcomm and Motorola. Those breaches were also based on hard-coded credentials in repositories posted on the Internet.
Kottmann said the hackers had collected about 5 GB of data from Verkada, but they could have gotten a lot more.