A hacker has broken into the servers of Securus, a company that allows law enforcement to easily track nearly any phone across the country, and which a US Senator has exhorted federal authorities to investigate. The hacker has provided some of the stolen data to Motherboard, including usernames and poorly secured passwords for thousands of Securus’ law enforcement customers.
Although it’s not clear how many of these customers are using Securus’s phone geolocation service, the news still signals the incredibly lax security of a company that is granting law enforcement exceptional power to surveill individuals.
“Location aggregators are—from the point of view of adversarial intelligence agencies—one of the juiciest hacking targets imaginable,” Thomas Rid, a professor of strategic studies at Johns Hopkins University, told Motherboard in an online chat.
Last week, the New York Times reported that Securus obtains phone location data from major telcos, such as AT&T, Sprint, T-Mobile, and Verizon, and then makes this available to its customers. The system by which Securus obtains the data is typically used by marketers, but Securus provides a product for law enforcement to track phones in the US nationwide with little legal oversight, the report adds. In one case, a former sheriff of Mississippi County, Mo., used the Securus service to track other law enforcement official’s phones, according to court records.
The hacker who breached Securus provided Motherboard with several internal company files. A spreadsheet allegedly from a database marked “police” includes over 2,800 usernames, email addresses, phone numbers, and hashed passwords and security questions of Securus users, stretching from 2011 up to this year. A hash is a cryptographic representation of a piece of data, meaning a company doesn’t need to store the password itself. But the hashes themselves were created using the notoriously weak MD5 algorithm, meaning attackers could learn a user’s real password in many cases. Indeed, some of the passwords have seemingly been cracked and included in the spreadsheet. It is not immediately clear if the hacker that provided the data to Motherboard cracked these alleged passwords or if Securus stored them this way itself.
NB: This isn’t the first time Securus has been hacked. Back in 2015, a breach at the company resulted in more than 70 million prisoner phone calls being exposed.