On April 20, 2026, an attacker using the alias "dylanmarly" disclosed a breach of Be Prime, a Monterrey-based cybersecurity services firm whose clients include Iberdrola, ArcelorMittal, Whirlpool, and Alsea (the operator of Starbucks Mexico, Domino's, and Vips). The Register and State of Surveillance reported that the attacker exfiltrated 12.6 GB of data, including plaintext credentials and security audit reports, took control of 1,858 Cisco Meraki devices, and — most viscerally — gained live access to surveillance camera feeds inside client offices.
The proximate cause is a familiar one: an admin account without two-factor authentication. Be Prime's response — threatening legal action against the journalists who reported the story — has done more for the headline's longevity than the original disclosure ever could have.
But there's a deeper question hiding under the MFA story, and it's the one that matters most to anyone responsible for choosing a recording or surveillance solution: why was a single compromised admin account able to reach live camera feeds across thousands of devices at dozens of client sites in the first place?
The answer is architecture. And it's a problem that no amount of incremental security hardening can fully solve.
The cloud-management trap
Modern enterprise camera systems — Cisco Meraki Vision, Verkada, AlfredCamera business tier, Google Nest for Business, the major IP camera platforms — share a structural property: every camera reports up to a central management plane. The vendor (or a managed-services partner like Be Prime) holds an admin account that can see across the entire fleet. The convenience is undeniable. One pane of glass. Centralized policy. Remote firmware updates. Cross-site analytics.
The trade-off is that the management plane is now the most valuable target on the entire network. Compromise the camera itself and you get one feed. Compromise the management plane and you get every feed.
This is not a Be Prime-specific failure. Verkada in 2021 lost live feeds from 150,000 cameras inside schools, hospitals, and Tesla factories — also through compromised admin credentials. In June 2025, Bitsight's TRACE team published research showing more than 40,000 internet-connected cameras streaming live footage to the open web with no authentication required at all — front doors, living rooms, factory floors, hospital corridors, whiteboards full of confidential information. The United States led that list with roughly 14,000 exposed cameras.
Different companies, different vendors, different incidents. The same shape every time: a centralized point of trust, a credential that protects it, and what happens when that one credential gives way.
The architectural alternative
For consumer and small-business recording, there's a different architectural choice available — one that's existed quietly for years but rarely gets compared on equal footing with the "managed cloud" pitch. Call it local-first recording: footage is captured and stored on the device, the device has no obligatory cloud account, and any external streaming endpoint is a deliberate choice the user explicitly authorizes per-session.
That's the architecture I built into Background Camera RemoteStream — the Android app I work on as a solo developer at Super Funicular LLC. Recordings are written to local storage on the user's phone. There is no Super Funicular account. There is no central admin console with a credential that, if stolen, would unlock any user's footage. When the app streams to YouTube Live, it pushes directly from the phone to YouTube using the user's own YouTube credentials — there is no intermediate "Super Funicular streaming relay" to compromise. If my dev account got hacked tomorrow, an attacker couldn't see a single user's video, because I don't have any.
This isn't moral superiority — it's architectural humility. I cannot lose what I never collect. The reason cloud-camera vendors have to invest so heavily in admin-account security is that they've taken on a responsibility I declined to take on. Both are valid commercial choices. They're just very different bets about how the next decade of breach disclosures will play out.
What buyers should actually evaluate
If you're shopping for a recording solution — whether for a home, a job site, a small business, or your own pocket — the Be Prime breach suggests three questions that matter more than feature lists:
- Where does the footage physically live? On the device, in the user's own cloud account, or on the vendor's infrastructure? Each answer changes who has to be compromised for your footage to leak.
- Who else holds an account that can see your footage? Vendor support staff? A managed-services reseller like Be Prime? An admin role tied to a contract you don't review? The honest answer is rarely "no one."
- What's the blast radius of a single compromised credential? One device, one site, your whole fleet, or every customer the vendor has? A vendor that can answer "one device" has made an architectural choice that holds up under bad days. A vendor that can answer "every customer" is asking you to bet on flawless internal security forever.
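The third question can be answered from an access inventory rather than from a vendor's assurances. The sketch below is an added example, not code from this article or from any vendor: the grant model (camera, site, customer, all) and the inventory are constructed assumptions, and it computes which feeds each credential can open and flags accounts without MFA whose reach spans more than one site.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Camera:
    cam_id: str
    customer: str
    site: str

@dataclass(frozen=True)
class Account:
    name: str
    mfa: bool
    grants: tuple  # ("camera", id) | ("site", customer, site) | ("customer", customer) | ("all",)

def reachable(account, cameras):
    """Cameras whose feed this one credential can open, over all its grants."""
    return {c for c in cameras for g in account.grants
            if g in (("all",), ("customer", c.customer),
                     ("site", c.customer, c.site), ("camera", c.cam_id))}

def tier(cams):
    """Map a reachable set onto the blast-radius answers from the list above."""
    if not cams:
        return "nothing"
    if len({c.customer for c in cams}) > 1:
        return "cross-customer"
    if len({(c.customer, c.site) for c in cams}) > 1:
        return "one customer's fleet"
    return "one device" if len(cams) == 1 else "one site"

def audit(accounts, cameras):
    """Rows of (name, tier, camera count, mfa), widest reach first."""
    rows = [(a.name, tier(r), len(r), a.mfa)
            for a in accounts for r in [reachable(a, cameras)]]
    return sorted(rows, key=lambda row: -row[2])

def findings(accounts, cameras):
    """Accounts where a stolen password alone exposes more than one site."""
    return [name for name, t, _, mfa in audit(accounts, cameras)
            if not mfa and t in ("one customer's fleet", "cross-customer")]

# Constructed inventory for illustration only.
CAMERAS = [Camera("c1", "acme", "hq"), Camera("c2", "acme", "hq"),
           Camera("c3", "acme", "plant"), Camera("c4", "globex", "store-1")]
ACCOUNTS = [Account("msp-admin", False, (("all",),)),
            Account("acme-secops", True, (("customer", "acme"),)),
            Account("acme-hq-guard", False, (("site", "acme", "hq"),)),
            Account("phone-owner", False, (("camera", "c4"),))]

if __name__ == "__main__":
    for row in audit(ACCOUNTS, CAMERAS):
        print(row)
    print("no-MFA, multi-site reach:", findings(ACCOUNTS, CAMERAS))
```

In this constructed inventory the managed-services admin is the only finding: it reaches every customer's cameras and has no second factor, which is the shape of the incident described above.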
The Be Prime story will eventually fade from headlines. The architectural lesson it illustrates won't, because the same shape keeps recurring. Verkada, Be Prime, the next one, the one after that — each time, the management plane was the prize, and a single credential was all that stood between it and a stranger.
If a phone-based, locally-stored recording app sounds like the right fit for your needs — security checks at a small business, a baby monitor that doesn't broadcast to the internet, dashcam-style trip recording, a YouTube Live stream you control end-to-end — Background Camera RemoteStream is on Google Play, and the developer notes (and source-of-truth privacy posture) live at superfunicular.com.
The single best security decision you can make about a camera is to choose one whose architecture means a breach somewhere else can't reach you. Everything else is a defense-in-depth bonus on top of that one foundational choice.
Reporting on the Be Prime incident: The Register, DataBreaches.Net, State of Surveillance. Bitsight TRACE camera-exposure report: bitsight.com. Verkada 2021 historical context: Security Magazine.