Karma’s a bitch as phone tracking service Securus gets hacked
Usernames and “poorly secured” passwords for thousands of Securus’ customers in law enforcement were taken.
A week after The New York Times reported software from Securus Technologies was being used by law enforcement to track people’s cellphones without court orders, comes word the Missouri-based company has been hacked. Now usernames and “poorly secured” passwords for thousands of Securus’ customers in law enforcement have been provided to Vice’s Motherboard.
Last week, The New York Times said Securus obtains location data from major tech companies, including AT&T, Sprint, T-Mobile, and Verizon, and then gives this information to its customers. This was provided with little legal oversight.
As they explained:
As location tracking has become more accurate, and as more people carry their phones at every waking moment, the ability of law enforcement officers and companies like Securus to get that data has become an ever greater privacy concern.
Naturally, this didn’t go over very well with privacy advocates such as Senator Ron Wyden of Oregon, who wants the Federal Communications Commission (FCC) and companies such as AT&T to look into the situation.
Of the hacked information it received, Motherboard explains:
A spreadsheet allegedly from a database marked “police” includes over 2,800 usernames, email addresses, phone numbers, and hashed passwords and security questions of Securus users, stretching from 2011 up to this year. A hash is a cryptographic representation of a piece of data, meaning a company doesn’t need to store the password itself. But the hashes themselves were created using the notoriously weak MD5 algorithm, meaning attackers could learn a user’s real password in many cases.
Indeed, some of the passwords have seemingly been cracked and included in the spreadsheet. It is not immediately clear if the hacker that provided the data to Motherboard cracked these alleged passwords or if Securus stored them this way itself.
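As an added illustration of the storage weakness Motherboard describes (not code from Securus, Motherboard or this article): unsalted MD5 gives every user with the same password the same digest, and a login handler can find such rows and rewrite them with a salted, memory-hard KDF. The usernames, passwords, record format and scrypt parameters below are assumptions made up for the example.

```python
import hashlib
import hmac
import os
import re

N, R, P = 2**14, 8, 1            # scrypt cost parameters (assumed for this example)
MD5_HEX = re.compile(r"[0-9a-f]{32}")

def legacy_md5(password):
    """Unsalted MD5 hex digest, the storage format the article describes."""
    return hashlib.md5(password.encode()).hexdigest()

def scrypt_record(password, salt=b""):
    """Salted, memory-hard record: scrypt$<salt hex>$<derived key hex>."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return "scrypt$%s$%s" % (salt.hex(), key.hex())

def legacy_rows(store):
    """Audit helper: users whose stored value is still a bare MD5 digest."""
    return sorted(u for u, v in store.items() if MD5_HEX.fullmatch(v))

def verify_and_upgrade(store, user, password):
    """Check a login and rewrite a legacy MD5 row as scrypt on success."""
    stored = store.get(user)
    if stored is None:
        return False
    if stored.startswith("scrypt$"):
        salt = bytes.fromhex(stored.split("$")[1])
        return hmac.compare_digest(scrypt_record(password, salt), stored)
    if hmac.compare_digest(legacy_md5(password), stored):
        store[user] = scrypt_record(password)   # fresh random salt per user
        return True
    return False

def demo_store():
    """Constructed sample rows; not data from the breach."""
    return {
        "user_a": legacy_md5("Example-Pass-1"),
        "user_b": legacy_md5("Example-Pass-1"),   # same password as user_a
        "user_c": scrypt_record("Example-Pass-2"),
    }

if __name__ == "__main__":
    store = demo_store()
    print("same MD5 for same password:", store["user_a"] == store["user_b"])
    print("legacy rows before:", legacy_rows(store))
    verify_and_upgrade(store, "user_a", "Example-Pass-1")
    print("legacy rows after: ", legacy_rows(store))
```

Rows that never see a successful login stay in the legacy format, so an audit like `legacy_rows` is what tells an operator which accounts still need a forced reset.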
What Securus has been providing, if proven true, sounds illegal and should be stopped immediately, no? We’ll continue following this story as it develops.