Hackers breach US company tracking phones for authorities
MANILA, Philippines – A hacker breached Securus, a company providing US law enforcement with the means to track phones in the country, Motherboard reported Thursday, May 17.
The report points to lax security standards at a company with the power to allow law enforcement to track people's phones and undertake surveillance operations.
The hacker gave Motherboard some of the data as proof of the deed, with details including usernames and passwords for the thousands of law enforcement customers Securus has.
Motherboard verified the credentials it was given by entering them into the Securus website's forgotten-password service. All of the credentials passed the password reset process, which means they exist in Securus' systems.
The hacker also gave Motherboard some internal company files, including a spreadsheet, allegedly from a database marked “police”, containing some 2,800 usernames, email addresses, phone numbers, and hashed passwords and security questions of Securus users, with records stretching from 2011 to 2018.
Hashed passwords are passwords that have been scrambled so that the originals are not readily exposed when a breach occurs. In the case of Securus, a weak algorithm known as MD5 was used, which meant the attacker did not have much difficulty recovering the passwords despite the hashing.
It was unclear whether the data given to Motherboard had been cracked by the hacker or whether Securus itself stored it in that form.
US Senator Ron Wyden in a statement said of the report, “If this account is true, it demonstrates, yet again, that Securus is failing cybersecurity 101, in total disregard for the privacy of the Americans whose communications and private data it should be protecting.”
He added, “This incident is further evidence that the wireless carriers and FCC need to step up and do much more to ensure that Americans’ location information and other personal information isn’t sold to companies like Securus that have demonstrated that they simply don’t care about cybersecurity.” – Rappler.com