Cyber Incident Victim: Cellebrite

Date:

Jan 2016

Location:

Israel

Summary

A hacker compromised an external web server belonging to Cellebrite, an Israeli mobile forensics firm, and stole approximately 900 GB of data, including technical product specifications, customer databases, and credentials for legacy systems. The exposed material included usernames, hashed passwords for accounts that had not yet been migrated to a newer authentication system, and basic contact information for users registered to receive product alerts. The company confirmed unauthorized access to a legacy backup of its end-user license management platform and noted that the affected server had already been superseded by newer infrastructure; in other words, the compromised data sat on a backup that remained exposed on an internet-facing server after the migration. Law enforcement agencies and international customers, including entities linked to authoritarian governments, were among the affected users. The firm advised password resets as a precaution and worked with authorities to investigate the incident.

CIA Posture: Available to members
Motives: 2 motives (details available to members)
Tactics, Techniques & Procedures: 1 technique (details available to members)
Threat Actor: 1 actor (details available to members)
Type: Available to members
Location: Available to members

Description

In January 2017, Motherboard (Vice's technology news outlet) reported obtaining approximately 900 GB of data stolen from Cellebrite, an Israeli firm specializing in mobile device forensic tools. The data had been taken from an external web server operated by Cellebrite; timestamps on some of the files suggested the intrusion may have occurred the previous year. The stolen cache included customer information, technical product data, internal databases, and credentials for my.cellebrite, the domain Cellebrite used for software updates and license management. The compromised credentials belonged to the legacy user accounts system: Cellebrite had already migrated to a new accounts platform before the breach, and the password hashes exposed were those of accounts not yet moved to it. Cellebrite's Universal Forensic Extraction Device (UFED), a hardware tool used by law enforcement to extract data from mobile phones, was the focus of much of the exposed technical documentation. Customer records indicated that the company's clientele included US federal and state agencies alongside the governments of Russia, Turkey, and the United Arab Emirates.

Cellebrite confirmed the breach after Motherboard’s disclosure, characterizing the compromised server as containing a legacy backup of its end-user license management system. The company stated the accessed data primarily involved basic contact information for users registered for product alerts and hashed passwords for accounts not yet migrated to the new authentication system. No evidence indicated extraction of data from active investigative tools or current customer cases. Cellebrite advised all users to reset passwords as a precautionary measure and initiated an internal investigation to determine the full scope of the incident. The company collaborated with law enforcement authorities to address the breach, though no attribution for the attack or motive for the data theft was disclosed publicly. Impacted systems were isolated, with no reported operational disruptions to Cellebrite’s forensic services during the response period.

Sources

1 source (available to members)