Securus Technologies Inc., a company best known as a go-to firm for U.S. prisons that want to track and monitor phones, has itself been hacked, according to a report from Motherboard.

When the hack took place is not clear, but the report claims to have evidence of at least 2,800 logins and poorly encrypted passwords relating to customers of the service in a spreadsheet, some of which have already been cracked and tested for authenticity.

The hack is by no means unique in size, but the interest lies in the fact that someone has hacked a legal if somewhat dubious tracking company and therefore potentially can or already has accessed details of Securus’ tracking activities.

The company primarily facilitates phone tracking services for U.S. prisons. The New York Times last week reported that the sheriff of Mississippi County, Missouri, had been using the company to track cellphones, including those of serving law enforcement officers. “The service can find the whereabouts of almost any cellphone in the country within seconds,” the report noted, adding that it does so “by going through a system typically used by marketers and other companies to get location data from major cellphone carriers, including AT&T, Sprint, T-Mobile and Verizon.”

For the double whammy, many of the usernames and passwords relate to “sheriff departments, local counties and city law enforcement” from cities including “Minneapolis, Phoenix, Indianapolis and many others.” In an age when many users reuse their passwords across multiple sites, the hacking of this data has potentially far more significant risk than someone accessing data from Securus alone.

Pointing out the apparent absurdity of a company that tracks people being hacked, Ben Johnson, co-founder and chief technology officer of Obsidian Security Inc., told SiliconANGLE that any company that handles this level of sensitive information that doesn’t have security prioritized is doing their customers a disservice.

“Location aggregators hold the keys to some of the most lucrative information a hacker could possibly obtain,” he said. “If your business trades this type of information you should expect to be targeted by groups with nation-state level capabilities. Knowing this, it’s deeply disappointing to see Securus be this lax and unsophisticated with their security to the point that usernames, email addresses and hashed passwords were stored in spreadsheets.”

Image: Pixabay