Verkada, a Silicon Valley security startup that provides cloud-based security camera services, has suffered a major security breach. Hackers gained access to over 150,000 of the company’s cameras, including cameras in Tesla factories and warehouses, Cloudflare offices, Equinox gyms, hospitals, jails, schools, police stations, and Verkada’s own offices, Bloomberg reports.
According to Tillie Kottmann, one of the members of the international hacker collective that breached the system, the hack was meant to show how commonplace the company’s security cameras are and how easily they’re able to be hacked. In addition to the live feeds, the group also claimed to have had access to the full video archive of all of Verkada’s customers.
In a statement to Bloomberg, a Verkada representative commented: “We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and external security firm are investigating the scale and scope of this potential issue.” Following Bloomberg’s request to Verkada, the group lost access to both the company’s live feeds and archives.
The hack was apparently relatively simple: the group managed to gain “Super Admin”-level access to Verkada’s system using a username and password they found publicly on the internet. From there, they were able to access the entire company’s network, including root access to the cameras themselves, which, in turn, allowed the group to access the internal networks of some of Verkada’s customers.
Verkada prides itself on offering internet-connected security cameras, promising a Silicon Valley “software-first approach” to make security “as seamless and modern as the organizations we protect.” The cloud-connected cameras include a slick, web-based interface for companies to monitor their feeds and offer (optional) facial recognition software, too.
The company has also come under fire in the past for accusations of sexism and discrimination after an incident in 2019 where a sales director used Verkada’s office security cameras to harass female co-workers by secretly photographing and posting pictures of them in a company Slack channel. In response, Verkada’s CEO offered members of the Slack channel a choice between leaving the company or having their stock options cut.
The list of clients that use Verkada is broad: in addition to companies like Tesla and Cloudflare, the group gained access to Verkada cameras inside Halifax Health, a Florida hospital; Sandy Hook Elementary School in Newtown, Connecticut; Madison County Jail in Huntsville, Alabama; and Wadley Regional Medical Center, a hospital in Texarkana, Texas. In addition to the camera footage, the group also says that it was able to access the full list of Verkada’s thousands of customers and its private financial information.