In an unusual episode of bullies turned into victims, an anonymous hacker has breached a popular pay-for-hire mobile hacking agency known for selling surveillance and data extraction solutions to intelligence and law enforcement organs.

Motherboard reports the vigilante attacker has lifted 900GB of data from Israeli firm Cellebrite and provided the publication with a copy of the stolen information. The retrieved data includes customer credentials, databases and immense amounts of technical data describing the company’s products.

Cellebrite’s bestseller is the portable Universal Forensic Extraction Device (UFED) which has the capacity to rip data from a wide variety of smartphones as long as the UFED-user is in possession of the handset. Once plugged in, the UFED can pull data like SMS messages, emails and call logs.

The Israeli firm has purportedly been supplying a number of US government agencies as well as authoritarian regimes from the likes of Russia, the United Arab Emirates and Turkey.

Motherboard has confirmed the stolen data is indeed authentic. According to the report, the information appears to have been retrieved from the customer section of Cellebrite’s website, where users can access new software updates.

Apart from user credentials and databases, the breach allegedly also includes logs from Cellebrite devices as well as evidence files from seized mobile devices.

The hacking firm has since confirmed the breach on its website, advising customers to change their password:

Cellebrite recently experienced unauthorized access to an external web server. The company is conducting an investigation to determine the extent of the breach. Presently, it is known that the information accessed includes basic contact information of users registered for alerts or notifications on Cellebrite products and hashed passwords for users who have not yet migrated to the new system. To date, the company is not aware of any specific increased risk to customers as a result of this incident; however, my.Cellebrite account holders are advised to change their passwords as a precaution

In a similar case from last year, notorious hacker PhineasFisher breached two separate surveillance services implicated in providing hacking solutions designed for spying on unsuspecting citizens to various government agencies.

While PhineasFisher went a step further and leaked the stolen data to the internet, the Cellebrite attacker has taken a more cautious approach, releasing the information exclusively to Motherboard and a few select individuals in IRC chat rooms.

Online security has been a growing cause for concern these days.

In an effort to raise awareness about the dangers of hacking, a group of Dutch journalists recently infiltrated the accounts of several local politicians, ultimately taking over the Twitter accounts of the government officials to break the story.

Hacker Steals 900 GB of Cellebrite Data on Motherboard

Read next: December in Africa: All the tech news you shouldn’t miss from the past month