Pierluigi Paganini
January 13, 2017
On Thursday, Vice Motherboard reported that an unnamed contacted it to provide the 900GB database belonging to Cellebrite. Basic contact information for users that were registered to receive notifications from the firm has been exposed along with hashed passwords and technical data regarding Cellebrite’s products.
The main product of the company is the Universal Forensic Extraction Device (UFED), an equipment that can rip data (i.e. SMS messages, emails, call logs) from a huge number of different models of mobile phones.
Cellebrite issued a statement to inform its customers of the data breach that affected an “external web server” containing the company’s license management system. An unauthorized third party broke into the company systems.
According to the firm the hackers accessed a legacy archive no more in use because the company has migrated to a new system.
The Israeli firm has advised all its customers to change their passwords.
“Cellebrite recently experienced unauthorized access to an external web server. The company is conducting an investigation to determine the extent of the breach. The impacted server included a legacy database backup of my.Cellebrite, the company’s end user license management system.” states the statement issued by the company.
Motherboard verified the email addresses in the archive by attempting to create accounts on the company portal.
“In the majority of cases, this was not possible because the email address was already in use. A customer included in the data confirmed some of their details.”
The hack revealed an uncomfortable truth, Cellebrite also works states with a questionable human rights records.
“In addition, the trove of materials contains “customer support tickets” showing that the Israeli company sells its services to countries with questionable human rights records, including Turkey, Russia, and the United Arab Emirates.” reported Ars.
[adrotate banner=”9″]
(Security Affairs – Cellebrite , data breach)
