Mobile hacking firm Cellebrite confirms server breach

The Israeli security firm, popular with governments, has had a taste of its own medicine.
Written by Charlie Osborne, Contributing Writer

Cellebrite, a firm hired by government and military groups to rip data from mobile devices, has experienced a hack of its own -- leading to the theft of roughly 900GB of data.

On January 12, Motherboard reported that the Israeli company had experienced a data breach leading to the release of a treasure trove of data on Cellebrite customers, the firm's databases, technical details relating to the company's products, logs, and evidence from seized mobile devices.

Cellebrite touts itself as a provider of "deep insight" into mobile devices and is known for products including the Universal Forensic Extraction Device (UFED), which grabs data from over 20,000 types of smartphones.

Counting law enforcement, military groups, and mobile carriers among its clients, Cellebrite is able to rip data from devices including SMS messages, call logs, and email records.

My.Cellebrite, the firm's end-user license management system, appears to be at the heart of the cyberattack. The platform is used by customers to log into their accounts and access products as well as download software updates.

Motherboard was able to verify some of the information in the cache, given over by the hacker allegedly responsible for the data breach, and one customer verified their details with the publication.

While the data dump has not been released online for all to see, the cyberattacker said access to Cellebrite systems has been traded among some forums.

After being notified of the breach, Cellebrite acknowledged in a statement that the company had experienced "unauthorized access to an external web server," and said it is currently investigating how the security breach took place and the extent of the damage.

While the true extent of the breach is not known, the Israeli firm said the impacted server hosted a legacy database of my.Cellebrite, which included basic contact information for users registered for alerts or product notifications, as well as hashed passwords for users who had not yet been migrated to a new, updated accounts system.

"To date, the company is not aware of any specific increased risk to customers as a result of this incident; however, my.Cellebrite account holders are advised to change their passwords as a precaution," Cellebrite says. "Once the investigation of this attack is complete, the company will take any appropriate steps necessary to harden its security posture to mitigate the risk of future breaches."

Cellebrite is working with authorities during the investigation and has begun notifying affected customers of the data leak.
