Tesla, Equinox, Cloudflare among victims in hack exposing over 150,000 security cameras

Verdaka, the company that sells the security cameras, has disabled all internal administrator accounts to prevent further unauthorized access

Tesla, Cloudflare and fitness company Equinox are among the victims involved in a breach of more than 150,000 security cameras by a group of hackers known as Advanced Persistent Threat 69420 Arson Cats. 'Advanced Persistent Threat' is a reference to the designations cybersecurity firms give to state sponsored hacking groups and criminal cybergangs.

MICROSOFT FLAW COMPROMISED 20,000+ US ORGANIZATIONS: SOURCE

The impacted cameras, sold by security start-up Verdaka, can be accessed and managed by customers through the web. Verdaka offers a feature called “People Analytics,” which lets a customer “search and filter based on many different attributes, including gender traits, clothing color, and even a person’s face,” according to a blog post.

Tillie Kottmann, one of the hackers in APT 69420 Arson Cats who claimed credit for the Verdaka breach, told FOX Business the group was able to obtain “root” access to the security cameras on Monday, which allowed hackers to execute their own code. The hackers used a "super admin account," which allowed them to peer into the cameras of all of Verdaka's customers. The group found the user name and password for the administrator account publicly exposed on the internet.

The group's reasoning for hacking is "lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism -- and it’s also just too much fun not to do it." Kottmann noted that the group does not care about money or power, adding that they "want a better world and first and foremost" and "want to have fun while fighting for it."

Ticker Security Last Change Change %
TSLA TESLA, INC. 732.91 +13.22 +1.84%
NET CLOUDFLARE 81.70 +6.27 +8.31%

The hackers have access to Verdaka's offices, full archive of customers, and balance sheet, which lists assets and liabilities.

Verdaka's customers whose security cameras were breached include multiple Equinox luxury gym locations, Cloudflare offices in San Francisco, Austin, London and New York, 222 cameras at Tesla warehouses and factories, 330 security cameras inside the Madison County Jail in Huntsville, Alabama, Wadley Regional Medical Center in Texarkana, Texas, Tempe St. Luke's Hospital in Arizona, Halifax Health in Florida and Sandy Hook Elementary School in Newton, Connecticut.

GET FOX BUSINESS ON THE GO BY CLICKING HERE

A Verdaka spokesperson told FOX Business that the company has disabled all internal administrator accounts to prevent any further unauthorized access. Verkada’s chief information security officer, an internal team and an external security firm are investigating the incident. Verdaka said it notified law enforcement and customers about the incident, and that customers are being offered a support line to adress their issues and questions.

According to the company, every login and action, including those by internal admin accounts, are logged by its system, which is being reviewed as part of the investigation.

A spokesperson for Cloudflare told FOX Business it was alerted that Verdaka security cameras monitoring main entry points and thoroughfares in a handful of Cloudflare offices may have been compromised. According to Cloudflare, the cameras were located in offices that have been officially closed for several months.

"As soon as we became aware of the compromise, we disabled the cameras and disconnected them from office networks," the spokesperson said. "To be clear, this incident does not impact Cloudflare products and we have no reason to believe that an incident involving office security cameras would impact customers."

CLICK HERE TO READ MORE ON FOX BUSINESS

A spokesperson for Wadley Regional Medical Center declined to comment. Representatives for Tesla, Equinox and the other  victims mentioned above did not immediately return FOX Business' requests for comment.

Bloomberg was the first to report this story