One of the biggest fears of companies that say they can hack virtually anything is to be found out that they've been hacked themselves. Case in point: Israeli firm Cellebrite. We've reported on the company multiple times in the past, notably after it aided the FBI in cracking open a terrorist's iPhone 5c. Since then, the company has boasted a lot, even going as far as to say that it can crack "nearly any smartphone".
Fast-forward to the present time, and we learn that Cellebrite itself wasn't just hacked; it had a staggering 900GB worth of data stolen. The firm says in a statement:
Cellebrite recently experienced unauthorized access to an external web server. The company is conducting an investigation to determine the extent of the breach. The impacted server included a legacy database backup of my.Cellebrite, the company’s end user license management system. The company had previously migrated to a new user accounts system. Presently, it is known that the information accessed includes basic contact information of users registered for alerts or notifications on Cellebrite products and hashed passwords for users who have not yet migrated to the new system.
To Cellebrite's benefit, this attack doesn't seem to have been too severe, as it affected an outdated server backup that no longer reflects the design of its current system. Even so, whoever snuck off with this trove now holds the basic contact information of people who used its services, along with password hashes for accounts that were never migrated.
[Image caption: Cellebrite demoing bypassing smartphone security]
Not surprisingly, Cellebrite encourages anyone who has used its services in the past to change their password. We'd add that changing your password is not optional if the one you used with Cellebrite matches the password you use for any other service: a leaked hash can be matched against common or reused passwords offline, and then tried against every other account that shares it.
If you consider managing a bunch of secure passwords to be too cumbersome, we highly encourage you to explore a solution like LastPass, which lets you generate extremely secure passwords and manage them all from a simple interface. Better still, enable two-factor authentication, and you can consider yourself leaps and bounds safer than before. KeePass would be an alternative to consider if you prefer to keep a local database of your passwords (and keep it backed up to a service like Dropbox).