Over 1 million of its WordPress clients were affected, and the company eventually learned a compromised password gave a hacker access to system legacy code for Managed WordPress. The popular web hosting company with over 20 million customers and more than 9,000 employees worldwide suffered a data breach last year.
Below are some well-known and perhaps some less publicized examples of just that: poor passwords leading to the compromise of an entire company, their employees, customers, and others caught in a data breach that could have been avoided. You cannot keep your head in the sand and take the risk anymore, as fines and repercussions have real teeth. Just think about it for a minute… would you ever believe the password you created for your Microsoft 365 work account would end up causing a massive data breach affecting millions? Depending on strong password precautions, if you use them or not, and whether you use the same password for other accounts, it could happen. Anyone that stores their data on the internet has to expect their security to be tested at some point. Password vault and session management systems like this are almost mandatory in today’s GDPR embrace and there is no excuse for ignorance.
This makes it more difficult to hack as no one knows the password and it will be encrypted in a deeply secured vault. Locking away the password completely in a vault is one solution and the admins have to “break glass” to get it out, or even better just offer the admins a session that they can use without ever knowing a password. Whenever an admin accessed it, they would have to prove that they were who they said they were, which is a simple, cheap, and effective first line of defense. At the very least, there should have been some form of multi-factor authentication or password vault to protect the account. It is possible that the account wasn’t monitored and that the password wasn’t regularly changed on a rotation basis, but the biggest error was underestimating the power of one single account to undo their business and grant access to everyone’s data. What did Verkada do wrong? They allegedly didn’t have control over the one account they needed to. In the case of Verkada, they are holding data that has the most public shock factor, video surveillance. “Every computer system in the cloud has one major weakness. Patrick Hunter, Sales Engineering Director, One Identity At the time of writing, Verkada is attempting to regain control over their live feeds and archive. For further perspective on this breach, which raises both identity management and physical security issues, we consulted some cybersecurity experts.
This granted them the root access necessary to conduct the cyber-attack.
VERKADA BREACH DETAILS ARCHIVE
Additionally, the group claims to have gained access to Verkada’s full video archive for all of its customers. According to reports, the hacker group gained this access via a privileged account, the username and password of which were available publicly on the Internet. Surprisingly, the hackers behind the attack actually announced their culpability on Twitter: Tillie Kottmann of the APT 69420 Arson Cats (a hacker collective) stated the intention was to demonstrate the vulnerability of the cloud-based cameras. These cameras include those in Tesla factories, Cloudflare offices, Equinox gyms, hospitals, jails, schools, and police stations. Verkada, a security start-up focused on cloud-based security cameras, disclosed suffering a major security breach: hackers gained access to over 150,000 security cameras.