Hacking Team MD used 'Passw0rd' as password - for every system
Company that helps nefarious regimes to spy on their citizens hacked - with its lax security laid bare for all to see
Hacking Team, a company that helps governments to spy on their citizens, has been hacked by an unidentified group of hackers and its internal files uploaded to an account on Mega, Kim Dotcom's latest file sharing outfit. The 400 gigabyte upload includes emails, source code, sensitive documents and details of customers.
The hack was announced via the hijacking of the company's Twitter account, which was used to publicise choice titbits from the information downloaded from the company's network.
The upload also includes an invoice for €480,000 from Sudan - a country the company denied ever doing business with - and details of everything staff members do on their own PCs, all the way down to security engineer Christian Pozzi's dodgy internet history. The hackers used the company's own Twitter account to publicise the attack.
But perhaps even more embarrassing than Pozzi's web browsing history was the discovery that the managing director of the company used the password "Passw0rd" across every system. Indeed, most of the passwords exposed in the file contravened good security practice, including variations of the word "password" used by staff across the company.
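The two findings above, a leetspeak variant of "password" and one password reused across every system, are exactly what a credential audit should flag. The following is an added example, not code from the article or from Hacking Team; it normalises common substitutions and reports both weak variants and cross-system reuse over a small constructed credential list.

```python
import re
from collections import defaultdict

# Common leetspeak substitutions, undone before comparing against "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Lower-case, drop trailing digits/punctuation, undo leet substitutions."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def is_password_variant(pw: str) -> bool:
    """True for 'Passw0rd', 'Password123', 'P@ssword!' and similar."""
    return "password" in normalize(pw)


def audit(creds):
    """creds: iterable of (user, system, password) from a recovered dump.

    Returns (weak, reused): weak is a list of (user, system) whose password is
    a 'password' variant; reused maps a user to the systems sharing one password.
    In a real audit you would compare salted hashes, not plaintext, per system.
    """
    weak = []
    by_user_pw = defaultdict(set)
    for user, system, pw in creds:
        if is_password_variant(pw):
            weak.append((user, system))
        by_user_pw[(user, pw)].add(system)
    reused = {u: sorted(s) for (u, _), s in by_user_pw.items() if len(s) > 1}
    return weak, reused


# Constructed sample data (hypothetical users and systems, not from the dump).
SAMPLE = [
    ("md", "mail", "Passw0rd"),
    ("md", "vpn", "Passw0rd"),
    ("md", "wiki", "Passw0rd"),
    ("eng1", "mail", "P@ssword!"),
    ("eng2", "mail", "Password123"),
    ("eng3", "mail", "correct horse battery staple"),
]

if __name__ == "__main__":
    weak, reused = audit(SAMPLE)
    print("weak:", weak)
    print("reused across systems:", reused)
```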
The company, when it finally woke up this morning, responded aggressively. An embarrassed Pozzi tweeted, "A lot of what the attackers are claiming regarding our company is not true. Please stop spreading false lies about the services we offer", before realising that his own Twitter account had also been hacked.
In a statement later, he added: "The people responsible for this will be arrested. We are working with the police at the moment... Don't believe everything you see. Most of what the attackers are claiming is simply not true... The attackers are spreading a lot of lies about our company that is simply not true. The torrent contains a virus..."
Mark James, security specialist at the more conventional computer security company ESET, suggested that the hack was a disaster for Hacking Team.
"The type of software they sell relies on a very high degree of not only secrecy but trust. Unfortunately for them both of those have been compromised overnight, the type of data found included invoices and agreements from governments and organisations they clearly have stated they have no affiliation with.
"Along with that, source code was found and released for their software that will cause anyone still using it to quickly get it taken offline or disabled for security reasons. Passwords and personal information were also taken, allowing access to other systems including Twitter and other social networks," he said.
Hacking Team, which specialises in spyware and hacking tools, claims that it does not do business with "oppressive" regimes, yet customers appear to include agencies in Kazakhstan, Russia, Ethiopia, Saudi Arabia, Oman, Uzbekistan, Azerbaijan and Mongolia - as well as the US.