Verkada breach exposes thousands of surveillance cameras at banks, hospitals, and other sites
Tesla, Equinox, and Cloudflare are among the victims
An international hacker collective claims to have broken into Verkada, a surveillance and facial recognition startup, gaining access to live feeds of 150,000 cameras installed at banks, hospitals, jails, and various other sites across the world.
Bloomberg revealed that the attackers were able to access video feeds from leading firms such as Tesla, Cloudflare and Equinox.
The victims also included a hospital in Florida, a jail in Alabama, Sandy Hook School in Connecticut, shopping malls, pubs and bars, museums, credit unions, pharmaceutical firms, multiple universities across the US and Canada, marketing agencies, churches, and Verkada's own offices.
Bloomberg said that one video shot inside a Tesla warehouse in Shanghai showed employees on an assembly line. The hackers claimed that they were able to access more than 200 security cameras in Tesla warehouses and factories.
An alleged member of a group posted images captured from hacked video on Twitter.
"What if we just absolutely ended surveillance capitalism in two days?" user 'Nyancrimew' asked in a series of posts on the microblogging website.
"This is the tip of the tip of the tip of the iceberg," they added.
The account has now been suspended by Twitter over policy violation.
Tillie Kottmann, one of the hackers in the Advanced Persistent Threat 69420 Arson Cats group, who claimed responsibility for the hack, told Bloomberg that the group wanted to highlight the pervasiveness of video surveillance in society. She added that the hack showed the ease with which surveillance systems could be broken into.
Kottmann revealed that the hack was conducted after the group found credentials of a high level Verkada admin account online. They used these to obtain root-level access to Verkada cameras and to execute their own code.
The attackers managed to access a full video archive of Verkada's customers, as well as the company's balance sheet listing its assets and liabilities.
Kottmann said that their group does not care about power or money. They just want "a better world" and "to have fun while fighting for it".
In a statement to Bloomberg, a Verkada spokesperson said that they have "disabled all internal administrator accounts to prevent any unauthorised access". The spokesperson added that an investigation is currently ongoing and that law enforcement has been notified.
Verkada has also notified companies that use its surveillance systems.