Securus, which tracks phones for police, was using the MD5 algorithm to hash stored passwords.
Securus, a company that provides smartphone tracking tools for US law enforcement, has reportedly been hacked, with attackers accessing 2,800 pieces of data including login credentials, according to a Motherboard report.
According to the New York Times, Securus "can find the whereabouts of almost any cellphone in the country within seconds." It does this by obtaining location data, of the kind typically sold to marketers, from carriers like Verizon, AT&T, and Sprint. The service was originally intended to track calls made to prison inmates, but it can also be used to track missing persons and more.
After breaching Securus, an unnamed hacker gave Motherboard a spreadsheet titled "Police" that included 2,800 "usernames, email addresses, phone numbers, and hashed passwords and security questions of Securus users," spanning 2011-2018, the report said. Data on Securus staff members was present in the sheet, along with data on law enforcement and government users from cities including Minneapolis, Phoenix, and Indianapolis.
The passwords were hashed, but they were hashed using the MD5 algorithm, the report noted. MD5 produces a 128-bit hash value and was designed to be fast, which is exactly the wrong property for password storage: an attacker with the hash table can test billions of candidate passwords per second on commodity GPUs. MD5 has been called "fatally weak," and companies like Microsoft eliminated use of it years ago.
Using cryptographic hashing on stored passwords is considered a best practice for enterprise security, but the choice of algorithm matters. Purpose-built password hashing functions like PBKDF2, bcrypt, or scrypt are typically recommended: they add a random per-user salt, so identical passwords do not produce identical hashes and precomputed tables are useless, and they are deliberately slow and tunable, so each guess costs the attacker as much as it costs the legitimate login. Some in the security community have gone as far as to say that MD5 should never be used to hash passwords.
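The difference between the two approaches is easiest to see side by side. The following is an added example, not code from the article or from Securus: it builds a small constructed table of unsalted MD5 hashes of the kind described above, runs a dictionary attack against it, and then stores and verifies the same passwords with salted PBKDF2-HMAC-SHA256 from Python's standard library. The credential rows, the wordlist and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample of what a leaked credential table looks like when
# passwords are hashed with unsalted MD5 (example data, not from the breach).
LEAKED_MD5_ROWS = [
    ("alice@example.com", hashlib.md5(b"password1").hexdigest()),
    ("bob@example.com",   hashlib.md5(b"password1").hexdigest()),
    ("carol@example.com", hashlib.md5(b"Summer2018").hexdigest()),
]

# A tiny constructed wordlist standing in for the multi-million-entry lists
# that real cracking tools use.
WORDLIST = [b"123456", b"letmein", b"password1", b"Summer2018", b"qwerty"]


def crack_md5(rows, wordlist):
    """Dictionary attack on unsalted MD5: hash each candidate once, then look
    it up against every leaked row. Returns {email: plaintext} for the hits.
    Because there is no salt, one hash computation tests all users at once."""
    table = {hashlib.md5(w).hexdigest(): w for w in wordlist}
    return {email: table[h].decode() for email, h in rows if h in table}


# Hardened storage: salted PBKDF2-HMAC-SHA256 with a high iteration count.
PBKDF2_ITERATIONS = 600_000  # assumption: tune so one hash takes ~100-300 ms on your servers


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return (salt, digest). A fresh random salt per user means equal
    passwords no longer share a hash and precomputed tables are useless."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=PBKDF2_ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def guesses_per_second(hash_fn, seconds=0.2):
    """Rough cost comparison: how many candidate passwords one CPU core can
    test per second with a given hash function."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(b"candidate-%d" % n)
        n += 1
    return n / seconds


if __name__ == "__main__":
    print("MD5 cracked:", crack_md5(LEAKED_MD5_ROWS, WORDLIST))
    print("alice and bob share a hash:", LEAKED_MD5_ROWS[0][1] == LEAKED_MD5_ROWS[1][1])
    salt, digest = hash_password("password1")
    print("PBKDF2 verify correct:", verify_password("password1", salt, digest))
    print("PBKDF2 verify wrong:", verify_password("password2", salt, digest))
    md5_rate = guesses_per_second(lambda p: hashlib.md5(p).digest())
    kdf_rate = guesses_per_second(
        lambda p: hashlib.pbkdf2_hmac("sha256", p, salt, PBKDF2_ITERATIONS))
    print(f"MD5 ~{md5_rate:,.0f} guesses/s vs PBKDF2 ~{kdf_rate:,.1f} guesses/s on one core")
```

Run it and every MD5 row falls to the five-word list immediately, with alice and bob exposed as sharing a password; the PBKDF2 rows would each need a separate, far slower attack. The same pattern applies to bcrypt or scrypt (hashlib.scrypt, or the bcrypt package), which are preferable where available because their memory cost also blunts GPU attacks.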
Some of the data provided to Motherboard had plain-text passwords, but it is unclear if those were cracked by the hacker or just stored that way by Securus, the report said. Motherboard verified the data, the report said. (TechRepublic did not independently verify the data.)
At the very least, this is an example of a company being overly careless with sensitive data. Other companies should learn from Securus and adopt purpose-built password hashing algorithms to better protect sensitive personal data. The stakes are already high, and they will be even higher as new regulations like GDPR come into play.
The big takeaways for tech leaders:
- Securus, a company that tracks calls in real time for police, has reportedly been hacked, with 2,800 credentials exposed.
- Securus hashed its passwords with the fast, unsalted MD5 algorithm, making them far easier for attackers to crack.