A group of hackers says it has breached security systems and viewed live feeds from 150,000 surveillance cameras supplied by Verkada to general and psychiatric hospitals, women’s health clinics, police stations, prisons, schools and companies, including car maker Tesla and software provider Cloudflare.

Verkada of Silicon Valley says it is confident all customer systems have now been secured.

The hackers claim they have access to the full video archive of all Verkada customers.

Some of the hacked cameras, including in hospitals, use facial-recognition technology to identify and categorise people captured on the footage, Bloomberg reported. 

The news service said the videos viewed included footage that appeared to show eight staff members tackling a man and pinning him to a bed in a Florida hospital; the inside of the intensive care unit of a Texas hospital; officers at a Wisconsin police station questioning a man in handcuffs; images from a jail in Alabama where cameras are concealed inside vents, thermostats and defibrillators; workers on an assembly line at Tesla’s factory in Shanghai; and cameras in Cloudflare offices in San Francisco, Austin (Texas), New York and London.

Tesla said: “Based on our current understanding, the cameras being hacked are only installed in one of our suppliers, and the product is not being used by our Shanghai factory, or any of our Tesla stores or services centres. Our data collected from Shanghai factories and other places mentioned are stored on local servers.”

The cameras at Cloudflare’s headquarters rely on facial recognition. The company said: “While facial recognition is a beta feature that Verkada makes available to its customers, we have never actively used it, nor do we plan to.”

The data breach was carried out by an international hacker collective known as Advanced Persistent Threat 69420, a reference to the designation cybersecurity firms give to state-sponsored hacking groups and criminal cybergangs, Bloomberg reported.

Accessing the cameras was intended to show the pervasiveness of video surveillance and the ease with which systems could be broken into, said Tillie Kottmann, one of the attackers who claimed credit for the breach.

Their reasons for hacking are “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism – and it’s also just too much fun not to do it,” added Kottmann.

The hack “exposes just how broadly we’re being surveilled, and how little care is put into at least securing the platforms used to do so, pursuing nothing but profit,” Kottmann said. “It’s just wild how I can just see the things we always knew are happening, but we never got to see.” 

The group obtained root access to the cameras through a super-admin account, enabling them to execute their own code, said Kottmann, adding they found a user name and password for an administrator’s account publicly exposed on the internet. 

In response, Verkada said: “We have identified the attack vector used in this incident, and we are confident that all customer systems were secured as of approximately noon PST on 9 March.” 

The company added that no action is required by customers.

Verkada said the attack targeted a Jenkins server used by its support team to perform bulk maintenance operations on customers’ cameras, such as adjusting image settings when requested.

“We believe the attackers gained access to this server on 7 March … [and] obtained credentials that allowed them to bypass our authorisation system, including two-factor authentication.”

The hackers obtained video and image data from “a limited number of cameras from a subset of client organisations”, details of client account administrators, including names and email addresses, and sales orders used to maintain customers’ licence status.

At present there is no evidence the breach compromised user passwords or password hashes, or Verkada’s internal network, financial systems and other business systems.

The attackers gained access to a tool to execute shell commands on some cameras. “We have no evidence at this time that this access was used maliciously against our customers’ networks,” said Verkada, which is headquartered in San Mateo, California.

The company has hired cybersecurity experts to conduct a thorough review of the cause of the attack and ensure internal security. Verkada has also notified the FBI.
