Demo
EN (UK)
EN (UK)
Get demo
See all security updates
11 March 2021

Security Update

To Our Verkada Customers –

Yesterday, we contacted you after learning that Verkada’s system was accessed by attackers. We want to share an update on the security of our system, the status of our investigation, and the steps we are taking to ensure the protection of our system and our customers.

First, we have identified the attack vector used in this incident, and we are confident that all customer systems were secured as of approximately noon PST on March 9, 2021. If you are a Verkada customer, no action is required on your part.

The attack targeted a Jenkins server used by our support team to perform bulk maintenance operations on customer cameras, such as adjusting camera image settings upon customer request. We believe the attackers gained access to this server on March 7, 2021 and maintained access until approximately noon PST on March 9, 2021. In gaining access to the server, the attackers obtained credentials that allowed them to bypass our authorization system, including two-factor authentication.

We are continuing to investigate the incident, and we are contacting all affected customers. At this point, we have confirmed that the attackers obtained the following:

  • Video and image data from a limited number of cameras from a subset of client organizations

  • A list of our client account administrators, including names and email addresses. This list did not include passwords or password hashes.

  • A list of Verkada sales orders. Sales order information is used by our Command system to maintain the license state of our customers. This information was obtained from our Command system and not from other Verkada business systems.

At this time, we have no evidence that the breach compromised the following:

  • User passwords or password hashes

  • Verkada’s internal network, financial systems, or other business systems

We can also confirm that the attackers gained access to a tool that allowed the execution of shell commands on a subset of customer cameras; however we have no evidence at this time that this access was used maliciously against our customers’ networks. All shell commands issued through our internal tool were logged.

In addition to our internal response team, we have retained two external firms, Mandiant Solutions and Perkins Coie, to conduct a thorough review of the root cause of this attack and support our efforts to ensure internal security. We also notified the FBI, who are assisting us in this investigation.

I want to thank you all for your support. We will continue to share updates with you as our investigation proceeds. Please reach out to us if you have any additional questions.

Sincerely,

Filip Kaliszan

CEO, Verkada Inc.