PEORIA, Ariz. — A hacker activist group claims they breached a nationwide security camera provider and could view feeds and other information of clients.
Among the list they provided to 12 News are clients including schools, jails, and hospitals in Arizona.
‘Hactivists’ used username and password to get in
Tillie Kottmann, who is a part of the alleged group of hackers that found their way into Verkada, tells 12 News the group basically found a username and password for Verkada and used it to get access to more than 150,000 client profiles.
“Which allowed us to switch to whichever customer we wanted to, watch and view all their cameras, directly access their camera systems potentially run our own codes on them,” Kottmann said.
The group gained access on Sunday, and Kottmann said they were kicked out about 40 hours later.
“It’s just so easy,” Kottmann said.
Arizona Verkada clients found by hackers
Among a list Kottmann provided to 12 News were several Arizona entities, including accounts for Tempe St. Luke’s Hospital, Peoria Unified School District, the city of Avondale, Graham County Jail and more.
Kottmann was at times shocked by what the hackers found.
“Showing what happens inside prisons and inside mental health institutions,” Kottmann said.
Tempe St. Luke’s Hospital sent 12 News a statement regarding the matter, saying:
“The health, privacy, and security of our patients is our top priority. We were made aware of a potential security incident with one of our vendors and we have moved swiftly to investigate the matter. We will report back with further information pending the investigation.”
A city of Avondale spokesperson tells 12 News they have been a Verkada client for a little over one year.
“The city was notified yesterday about the hack, and that Verkada was investigating. As far as we know, city data was not compromised, and that the hackers do not currently have access to our security cameras,” the spokesperson said in an email.
Peoria Unified School District was just one Arizona district named on the hacker’s list.
A spokesperson told 12 News the district was a customer of Verkada and just stopped using their services on Tuesday.
“We have not found any evidence that our footage was posted. At no time did the company have access to our network, they just store our footage on their servers. We are not continuing to use their servers,” A spokesperson said in an email to 12 News.
In a release to 12 News, Graham County said it does not use the Verkada system, adding an internal investigation shows "no evidence exists of any type of breach of this department’s camera video system has occurred."
Other entities listed on the hacker’s list have not responded to 12 News’ questions.
Verkada states they are investigating with the FBI
In response to 12 News’ questions about the hack, a Verkada spokesperson pointed 12 News to an online statement.
The statement details how the company found out about the hack on Tuesday, but the hackers gained entry to their system on Sunday.
The statement adds the company is investigating with outside firms and the FBI.
Hackers claim they provided information for public awareness
Kottmann said the group is bringing their involvement and the information they found public because the group wants people to know just how much they are being watched over.
“And then it’s not necessarily just the people who are supposed to view it,” Kottmann said.
Kottmann added it’s possible someone else used the same credentials the so-called “hacktivist” group did before.
“I absolutely cannot guarantee you that no one before me already found those credentials,” Kottmann said. “There’s pretty much no way to tell.”