Hacking Team, a controversial Italian surveillance software firm that counts law enforcement and security agencies among its customers, appears to have been hacked.
The hackers have reportedly posted a torrent file-sharing link to more than 400GB of data, including source code, internal documents and emails that could reveal the identity of customers.
The hackers appear to have taken over the company’s Twitter account, replacing the account biography, changing the name to “Hacked Team”, and posting a link to and images of the stolen data.
The account biography for the Milan-based company now reads: “Developing ineffective, easy-to-pwn offensive technology to compromise the operations of the worldwide law enforcement and intelligence communities.”
One tweet by the hackers that is written as if it were posted by Hacking Team reads: “Since we have nothing to hide, we're publishing all our e-mails, files, and source code,” followed by a link.
A full nine hours after that tweet was posted, Hacking Team did not appear to have regained control of its Twitter account.
The files have not been verified by the company or any independent third party as being authentic, and there is no indication of how or when the attack took place.
In 2012, Hacking Team was named as one of the "corporate enemies of the internet" by Reporters Without Borders for providing surveillance tools to oppressive nations.
Hacking Team has never identified any of its clients and has consistently denied selling to oppressive governments.
But according to some tweets, Hacking Team’s customers include South Korea, Kazakhstan, Saudi Arabia, Oman, Lebanon and Mongolia.
The documents show sales to other countries with poor human rights and civil liberties records, such as Bahrain, Sudan and Egypt.
However, a tweet by Eva Galperin, global policy analyst at the Electronic Frontier Foundation, also listed Morocco, Panama and Mexico, as well as the US, Germany and Australia.
Some of the leaked documents appear to show passwords used by both Hacking Team staff and its customers. Examples include: Passw0rd!81, Passw0rd, Passw0rd!, Pas$w0rd, and Rite1.!!
“Sadly the passwords appear to prove that even those you would hope understand the importance of good password security still make very bad choices,” said independent security consultant Graham Cluley.
“It is questionable just how many intelligence agencies would want to use the services of the firm now that it has been so seriously breached,” he wrote in a blog post.
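As an added illustration (not code from the article, Hacking Team or Graham Cluley), the check below shows why passwords like those listed above satisfy a typical complexity rule yet remain trivial dictionary variants once leetspeak substitutions are undone; the deny-list, the substitution table and the complexity rule are assumptions chosen for the example, not policies the article describes.

```python
import re

# Constructed deny-list of base words; a real deployment would use a large
# breached-password corpus instead (assumption, not something the article names).
WEAK_BASE_WORDS = {"password", "rite", "admin", "welcome", "letmein"}

# Common leetspeak substitutions, undone before the dictionary comparison.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "$": "s", "@": "a", "7": "t"})

# The password examples quoted in the article above.
LEAKED_SAMPLES = ["Passw0rd!81", "Passw0rd", "Passw0rd!", "Pas$w0rd", "Rite1.!!"]


def passes_naive_complexity(pw: str) -> bool:
    """Typical 'complexity' rule: 8+ chars with upper, lower, digit and symbol."""
    return all([len(pw) >= 8,
                re.search(r"[A-Z]", pw),
                re.search(r"[a-z]", pw),
                re.search(r"\d", pw),
                re.search(r"[^A-Za-z0-9]", pw)])


def normalize(pw: str) -> str:
    """Undo leetspeak, lowercase, keep only letters: 'Pas$w0rd' -> 'password'."""
    return re.sub(r"[^a-z]", "", pw.translate(LEET_MAP).lower())


def is_dictionary_variant(pw: str) -> bool:
    """True when the normalized form still contains a deny-listed base word."""
    base = normalize(pw)
    return any(word in base for word in WEAK_BASE_WORDS)


def audit(passwords):
    """Per password: does the naive rule accept it, and is it a dictionary variant?"""
    return {pw: {"complexity_ok": passes_naive_complexity(pw),
                 "dictionary_variant": is_dictionary_variant(pw)}
            for pw in passwords}


if __name__ == "__main__":
    for pw, verdict in audit(LEAKED_SAMPLES).items():
        print(f"{pw:12} complexity_ok={verdict['complexity_ok']!s:5} "
              f"dictionary_variant={verdict['dictionary_variant']}")
```

Four of the five samples pass the complexity rule, and all five are flagged as dictionary variants, which is the gap a breached-password deny-list closes.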
The leaks come almost a year after the police department in the Australian state of New South Wales was exposed as a client of the surveillance software FinSpy (FinFisher) in documents published by WikiLeaks.
The software can be used to spy on smartphones and PCs, enabling users to read emails and encrypted files and listen to voice over IP (VoIP) calls.
FinSpy was also sold to governments and law enforcement agencies by Gamma International, which has branches in the UK and Germany.