Notorious surveillance tech provider Hacking Team has suffered a major data breach of internal documents which appears to show that repressive regimes including Bahrain were customers.
The 400GB data dump was first published on a torrent site on Sunday evening and also featured source code and various emails.
Security engineer Christian Pozzi is said to have had his corporate passwords exposed in the data breach as have several Hacking Team customers – many of which are apparently easily crackable.
That may have been the reason why the controversial Italian firm’s Twitter account was defaced at the same time, and used to post pictures of the data.
Hacking Team has long been criticized for enabling states with dubious human rights records to spy on their citizens.
The data dump released appears to corroborate that, with customers including Sudan, Saudi Arabia, Oman, and Kazakhstan. The United States is also a major customer, with the FBI having bought its spyware in the past, the documents show.
It’s not been confirmed whether these are all legitimate files, although the Milan-based firm has now admitted that it has suffered a breach.
Hacking Team’s products include Remote Control System (RCS), aka Galileo, which the firm claims will help customers “evade encryption” via an agent installed on the target’s device.
“Evidence collection on monitored devices is stealth and transmission of collected data from the device to the RCS server is encrypted and untraceable,” its website explains.
ESET security specialist, Mark James, claimed the breach would be a major blow to Hacking Team.
“The type of software they sell relies on a very high degree of not only secrecy but trust. Unfortunately for them both of those have been compromised overnight. The type of data found included invoices and agreements from governments and organizations they clearly have stated they have no affiliation with,” he said.
“Along with that, source code was found and released for their software that will cause anyone still using it to quickly get it taken offline or disabled for security reasons. Passwords and personal information was also taken allowing access to other systems including Twitter and other social networks.”
Rapid7 security engineering manager, Tod Beardsley, said that Hacking Team appears to have been guilty of mismanaging the storage of customer data.
“In most industries, weak security practices like these emerge from bureaucracy without much forethought or strategic guidance. Security experts, when learning of them, waste no time describing precisely why these practices are bad ideas. Much of what we’ve seen here is essentially a lesson in how not to run an internal security program,” he argued.
“Keeping passwords and other secure tokens secure is a fairly basic security practice, and hopefully the discussions around the HT breach will highlight these and other best and worst practices once the initial schadenfreude wears off.”
It’s still not known who the attackers are. A handy round-up of various screenshots and other info can be found here.