150,000 security cameras hacked. Live feeds from Tesla factories. Psychiatric hospital patients. Prison cells. School classrooms. A hacker got in through a single admin account with no multi-factor authentication. Verkada sold "enterprise-grade security" cameras that were protected by a single password on an exposed server. The security cameras had no security. Verkada employees used the company's own cameras to spy on female coworkers. They shared the images in a Slack channel. The FTC fined Verkada $2.95 million. A security camera company whose employees used the cameras for sexual harassment. The product worked exactly as designed — it just wasn't designed for the people it was pointed at.
What they claim: Verkada describes strict access controls and data governance for camera footage.
What we found: The FTC fined Verkada $2.95 million in 2024 for failing to implement basic security measures and for a toxic workplace culture where male employees used internal camera access to harass female colleagues. The FTC complaint described employees sharing images of female coworkers captured through office cameras in a Slack channel called "#RawDogNation."
What they claim: Verkada promotes enterprise-grade cloud security cameras with end-to-end encryption.
What we found: In March 2021, a hacker collective (APT-69420) breached 150,000 Verkada cameras across Tesla factories, Cloudflare offices, hospitals, psychiatric facilities, prisons, and schools. The hackers accessed live feeds and archived footage. The breach occurred through a single super admin account whose credentials were exposed on an internal Jenkins server. Verkada had no multi-factor authentication on admin accounts.