Cyber Incident Victim: Equinox

Date: Mar 2021

Location: United States of America

Summary

Hackers compromised live surveillance cameras at multiple organizations, including Equinox, Tesla, Cloudflare, banks, and healthcare facilities, by exploiting a Verkada super admin account with credentials exposed in DevOps infrastructure. The breach enabled unauthorized access to real-time camera feeds and administrative control over surveillance systems, demonstrated through shared images of root shell access. Verkada disabled all internal administrator accounts, initiated an investigation with external security firms, and notified law enforcement; Cloudflare clarified affected cameras were in unused offices, assuring no customer impact. The incident, associated with #OperationPanopticon, highlighted vulnerabilities in centralized surveillance infrastructure and echoed philosophical concerns about pervasive monitoring.

Description

On March 9, 2021, hackers affiliated with #OperationPanopticon breached live surveillance camera systems operated by Verkada, a provider of enterprise security and IoT surveillance solutions. The attackers compromised a Verkada super admin account by exploiting hardcoded credentials discovered in exposed DevOps infrastructure, as confirmed by Tillie Kottmann, a reverse engineer linked to the group. This privileged access enabled unauthorized live viewing and data extraction from cameras installed at Tesla facilities, Equinox locations, Bank of Utah branches, healthcare clinics, correctional institutions, and Cloudflare offices. The hackers publicly shared images captured from surveillance feeds at Tesla, Equinox, and Bank of Utah, demonstrating real-time access to sensitive interior spaces. Additionally, they disseminated screenshots confirming root shell access to Linux-based surveillance systems at Tesla headquarters and Cloudflare, with identifiable Verkada hardware MAC addresses visible in the images. The operational hashtag #OperationPanopticon referenced the philosophical concept of pervasive surveillance, symbolizing the inversion of monitoring capabilities against the systems' owners.

Verkada terminated the unauthorized access after Bloomberg News alerted the company to the breach, disabling all internal administrator accounts to contain the incident. The company initiated parallel investigations with its internal security team and an external firm while notifying law enforcement agencies. Cloudflare confirmed the compromised cameras were located in offices that had been closed for months, asserting no customer systems or data were impacted. Tesla and Equinox did not provide immediate public statements regarding the breach, though BleepingComputer documented outreach attempts to all affected organizations. The incident exposed live surveillance feeds and administrative control of security systems across multiple critical sectors, though specific operational disruptions or data exfiltration beyond the published images remained unconfirmed in available reports. Verkada's infrastructure compromise highlighted risks associated with centralized administrative credentials and third-party security integrations across corporate environments.
