The Silicon Valley security startup Verkada which suffered a major security breach that was disclosed a few days ago — in which hackers were able to compromise more than 150,000 security cameras that connected to everything from gyms, jails, schools, hospitals, and Tesla factories — said on Wednesday that it now has everything back under control, and all customer systems once again secured. The Verkada security camera systems were hacked by an international collective that reportedly wanted to show that the company wasn’t taking security seriously enough, with the group going on to claim it was able to access all Verkada customer video archives.
In a “security update” penned by CEO Filip Kaliszan and posted to the Verkada website on Wednesday, he says that all customer systems were secured as of noon PST on March 9, and that no further action is required on the part of Verkada customers. “The attack targeted a Jenkins server used by our support team to perform bulk maintenance operations on customer cameras, such as adjusting camera image settings upon customer request,” the company explained. “… In gaining access to the server, the attackers obtained credentials that allowed them to bypass our authorization system, including two-factor authentication.”
At this time, the company does not believe the breach compromised any user password or password hashes, nor Verkada’s internal network, financial systems, or other business systems. However, the company has confirmed that the attackers were able to obtain:
- Video and image data from certain cameras connected to client organizations
- A list of the company’s client account administrators, including names and email addresses.
- And a list of Verkada sales orders. Per the company, “Sales order information is used by our Command system to maintain the license state of our customers. This information was obtained from our Command system and not from other Verkada business systems.”
The whole thing was serious enough that Verkada retained two outside firms (Mandiant Solutions and Perkins Coie) to conduct a “thorough review” of the cause of the attack, and Verkada also alerted the FBI which is helping investigate as well.
According to Bloomberg, the hackers said they were able to obtain access to 222 cameras in Tesla warehouses and factories, in addition to a police station in Wisconsin where officers were seen questioning a handcuffed man. Per Bloomberg, the hackers also claimed to have accessed security cameras at Sandy Hook Elementary School in Newtown, Connecticut, where in 2012 more than 20 people were killed by a gunman. This is all in addition to footage that was exposed as a result of this incident in places that range from women’s health clinics to psychiatric hospitals and various other companies.
“We can also confirm that the attackers gained access to a tool that allowed the execution of shell commands on a subset of customer cameras,” Kaliszan’s update continues. “However, we have no evidence at this time that this access was used maliciously against our customers’ networks.”