No comment form Clinton campaign on what they knew about Datto Inc

computers unlocked and some where 'hired' from Best Buy

Staff did not have to change passwords, left

say it was hacked itself and customers complained about seeing other clients' data

Datto Inc held emails for almost three years but

Now Daily Mail Online investigation reveals how firm which stored her backed up emails was dogged by security lapses

Hillary Clinton is facing damaging new revelations about the lax security surrounding her emails.

A Daily Mail Online investigation has found that a second firm - hired to store a back-up of Clinton’s secret server - was so lax in its security employees failed to change passwords frequently and left computers logged in, unattended for extended periods and its own clients stumbled upon other clients data.

Datto Inc, the company in question, was hired to store Hilary’s emails by Platte River, the mom-and-pop company contracted to maintain her 'homebrew' email system.

Speaking exclusively to Daily Mail Online on condition of anonymity, one former employee at Datto, said the company was woefully exposed to being hacked.

'If you're talking about high-level data security, at the political, presidential level, the security level of data [at Datto] hired by Platte River, was nowhere near something that could have been protected from a good hacker that knows how to spread out their points at which to infiltrate,' he said.

SCROLL DOWN FOR VIDEO

Tech guru: Hillary Clinton traveled to California this week to launch her policies on technology - but her own server arrangements are open to question. A company which stored her emails is accused of lax security

Lax: Datto Inc is run by Austin McChord. Whistleblowers say that his company's security is lax and that it was hacked itself in 2010

The emails emails, 30,000 of which Clinton deleted, are now part of an FBI investigation into her handling of classified material while she was Secretary of State.

A total of 22 have been deemed to contain top secret material - out of 2,075 found to contain classified material - and questions have mounted about whether her account was successfully hacked, which the Clinton campaign claims did not happen.

The existence of the emails only came to light because of a House investigation into the deaths of four American in an Islamist attack on the mission in Benghazi, Libya, on September 11 2012.

The probe concluded this week with an excoriating report by the majority Republican members of the committee, who accused her of 'shameful' conduct with her secret email account.

HOW AMERICA'S SECRETS ENDED UP WITH 'MORONS' AT DATTO INC 2008: Aides to Bill and Hillary Clinton set up a 'homebrew' server in the basement of their Chappequa home. January 13, 2009: Clintonemail.com is registered as an internet domain. January 21, 2009: Clinton enters the State Department and apparently declines a state.gov email address. She initially uses an AT&T account then later that year starts using HDR22@clintonemail.com for all her business and personal dealings. February 1, 2013: Clinton leaves office March 20, 2013: Romanian hacker 'Guccifer' reveals Clinton's private email address when he hacks her shadowy confidante Sidney 'Sid' Blumenthal's AOL account, May 31, 2013: Clinton Executive Servce Corp hires Platte River to maintain her account. Platte River replace the basement server by putting the account on its own server at a facility in New Jersey. They contract Datto Inc to provide a back-up device to 'mirror' the server. Shrug off: Clinton as she responded to question on whether she 'wiped the server'. August 11, 2014: Following a congressional subpoena and more than a year of delays, the State Department hands over a small number of Clinton's private emails, 10 in all, to a House committee investigating the 2012 terror attack on a State Department compound in Benghazi, Libya – including some emails from the hdr22@clintonemail.com address. February 27, 2015: State Department staffers tell Benghazi committee aides that Clinton had used her private address exclusively during her tenure at the agency, and that they don't have any of her emails other than those she provided voluntarily. March 4, 2015: The Associated Press reports that it has traced Clinton's private email address back to a private server at her Chappaqua, New York home, and that the server was registered under a fake name. August 11, 2015: The FBI takes possession of Clinton's server hardware and three thumb drives in her lawyer's possession, which are said to contain copies of everything she turned over to the State Department. August 18, 2015: Clinton finally addresses deleting emails and is asked if she had 'wiped the server'. 'What, like with a cloth or something?' she responds. September 10, 2015: FBI request contents of Datto Inc's 'cloud' storage of Clinton emails . 6 October 2015: McClatchy reveal the existence of the Datto Inc emails. Advertisement

Clinton dismissed the report, saying it was time to 'move on' and went to California to launch her policies on the tech industry.

But now it can be disclosed that Datto Inc is accused of major security failings by people who worked for it and also those who used its services.

The failings included allegations that security was so lax that customers warned the firm they had stumbled on other clients' data; that in 2010, the company's internal servers were hacked; and that staff were not required to regularly change passwords, seen as a basic requirement for keeping systems secure.

Staff computers – which had access to servers holding confidential client information - were left logged in while unoccupied for extended periods of time, whistleblowers said.

And Datto headquarters were easily accessible and had no security guards on their floor, while employees opened and held doors open for others which should only have been accessible with a security pass.

A longtime Datto partner, Marc Tamarin, told Daily Mail Online: 'Those guys were really morons. They weren't qualified to handle our back-up and that was the biggest concern for us.'

It is still not known whether Clinton or her staff even knew that Datto was holding her emails. Daily Mail Online has asked her presidential campaign, but has received no response.

What is known is that Datto were contracted in May 2013 by Platte River Networks to store a backup of the contents of the 'homebrew' Clinton email.com server.

Platte River Networks - a 'mom-and-pop shop' tech firm in Denver, Colorado - was contracted to maintain the server once Clinton left office, and was itself the subject of ridicule when it emerged that its own servers were kept in a bathroom.

However, the Daily Mail Online investigation suggests that the risk of the Clinton emails being hacked while they were stored at Datto should be the greater concern.

Datto was involved in the handling of Clinton's emails from May 2013 until around August 2015, when the FBI seized them. A Datto source said the company did not know at the time that it had been backing up Clinton's server, McClatchy reported.

The former employee speaking exclusively to Daily Mail Online on condition of anonymity, spent three years at Datto, and said the company was woefully exposed to being hacked.

'It's not something that Datto was focused on. It was more about getting the data off-site quickly and cost-effectively than securing the data and keeping it from being hacked.

'There's no doubt in my mind that someone could easily hack them - even today.'

Datto was named last October as the second data storage company to be investigated by the FBI over what threat Clinton's server posed to national security.

One of the Datto insiders told Daily Mail Online that around 2010, the startup had its internal network hacked, leading to the authorities being called.

While that was before it held the Clinton emails, including top secret material, it is unknown if that failure was known to Clinton or her aides.

A former partner of Datto also claimed the company had a 'shocking level of incompetence'.

Marc Tamarin, president of Virtual IT Consulting, told Daily Mail Online that he was a Datto partner from 2009 until early 2016.

Like Platte River, his company bought storage devices from Datto.

Tamarin said: 'I had a sales manager at Datto and he would tell me about the latest and greatest Datto products and we would buy them for our clients.

'We would deploy them and when we had problems, we would work with Datto technical support.

'Those guys were really morons. They weren't qualified to handle our back-up and that was the biggest concern for us.

'Any time there was a problem, I would go to Datto and say: 'You have got to fix this, what's going on?'

Concerns: Datto - whose employees dressed up as sterotypical Mexicans for a work event - was criticized by a former user of its services. 'They weren't qualified to handle our back-up and that was the biggest concern for us,' he told Daily Mail Online.

The farce awakens: Datto Inc staff at an industry event, dressed as members of the cast of Star Wars.

'They didn't seem to care. I couldn't tell my clients - they would think I was incompetent because I had incompetent back-up.

'I would get so frustrated with their technical support and being given the run around.'

Virtual IT Consulting parted ways with Datto this year because of technical failures and conflict over payments.

Tamarin said: 'If they're inept at the basic principles of technology, how are they going to handle something advanced like security?'

'Most companies like mine trust their vendor that they are doing due diligence.

'I've never heard anything this bad before in my life, the level of incompetence was shocking.'

A former Datto senior staffer, who spent three years there, told Daily Mail Online: 'In terms of Datto's own security at the office, it was a joke.'

He recalled how employees regularly left their unoccupied computers unlocked – even though they had internet access to clients' confidential information.

There was no company policy on changing passwords or password expiration dates.

'Someone could walk in off the street, sit down at a desk, get to the Datto portal and start deleting data,' the former employee said.

'All these computers were just sitting on an island and couldn't be managed centrally.'

Until early in 2013, he said, every Datto employee had complete access to clients' data, using their staff credentials. However these credentials were often saved on computers for easy access.

'For years, any Datto employee, even low-level ones, could go in any customer's device, see their backups, restore files, and delete files,' the Datto source said.

'You could do anything and this could be a tech support person, sales person or somebody cleaning the office.

'There was no manager watching what employees were doing on computers.'

He told Daily Mail Online that some Datto partners – who used the company as part of a larger IT service to clients – appeared aware of the security lapses.

'On multiple occasions, I heard that they [Datto partners] had inadvertently happened upon other people's Datto devices.

'They would connect through the portal and then were on someone else's 'Datto'. They asked me, 'What do I tell my customers?'

He added: 'A lot of what happened was swept under the rug, obviously by Datto, but also by Datto partners because they were the trusted advisors and they had sold [their clients] this solution.

'They were keeping quiet about it too because they didn't want to be made to look incompetent because the solution was not secure.'

Early in 2013, Datto restricted the access to data storage devices to tech staff only – but the company was already exposed, the insider said.

Glitzy: The building which houses the Norwalk, CT, headquarters of Datto. But whistleblowers tell Daily Mail Online security was weak and hackers could easily have targeted the company

'You don't want your employees to have full-time access, it's a liability and it doesn't matter if it's tech support or not.

'Datto were hiring [tech staff] straight from Best Buy with no experience whatsoever.'

He added: 'The information was already out there. You could have used USBs to save credentials and use them at a later date.

'There's a trust relationship issue because the customer doesn't know that Datto has this access and most of the Datto resellers didn't know that either – and if they did know, they certainly didn't share that with their customers.'

The company's cloud storage is at a facility in Reading, Pennsylvania, but its The company's careless attitude to security was noticeable at their Norwalk headquarters.

'You came into the Datto building from the street and if you walked like you had purpose, go straight to the elevator. There were other companies in the building,' the source said.

Datto were hiring straight from Best Buy with no experience whatsoever

'Receptionists certainly didn't know who was going in and out of there and would only interact if you walked up and asked a question.

'The elevator didn't require key card access, so it was easy to get up to the [Datto] floor. You could also take the elevator between floors.

'The office did have keycard access but someone else would often open or hold the door – especially around lunch. There was a multitude of free computers at lunchtime and from there, you could get you directly into the portal.'

He added: 'It would be easy just to walk in with a group of people coming back from lunch and sit right down at a desk and do damage.'

The Datto source said the ever-revolving door of employees could have allowed a potential hacker to go unnoticed.

'People just came and went, you didn't know who was working there. The company would go through people like changing your underwear, they would hire and fire,' he said.

'If you walked in and acted like you worked there, nobody would stop you. They were so informal about everything.

'There were no security guards on Datto's floor – and a relaxed attitude to employee security passes.

'If you forgot your badge, someone would let you into the office. Datto didn't have a policy for lost or stolen badges - even if building security did. Datto didn't really have any policies.

'The ex-worker claimed to have reported security issues to Datto CEO, Austin McChord.

This is the firm Clinton trusted: It is not known if Clinton knew about Datto, but her campaign contracted Platte River Networks to maintain her email system. They held a 'One Flew Over The Cuckoo's Nest' theme party and used a Datto device to back up the Clinton server. Datto then held her emails in its 'cloud'

Trusted: Platte River Networks were used by the Clinton service company to take over her computer after her 'homebrew' server was hacked. Its staff boasted of their 'One Flew Over The Cuckoo Nest' theme party.

Why the secrets spilled out: The Congressional investigation into the attacks on Benghazi brought Clinton's secret server to light. Four Americans, including Ambassador Chris Stevens, died on September 11, 2012

'I'm a technical guy, I have a lot of experience in networking, and these guys were doing things by the seat of their pants,' the former employee said.

'I was pointing it out, "Hey, we've got an opportunity to do things better". But with Austin McChord, anyone that doesn't kiss the ring is a threat and will be treated as such.'

One former employee told Daily Mail Online that Datto had an existing partnership with Platte River before the Clinton contract.

Daily Mail Online revealed last year that Platte River's servers were stored in the bathroom closet of their loft apartment office in Denver at the time it was under contract with Clinton.

The small firm turned to Datto to buy a storage device which saved 'images' of servers - ie a mirror of their contents - a Platte River spokesman told McClatchy last year.

Platte River claimed they simply wanted a device, and were unaware that it was sending the data it captured from the Clinton server to a 'cloud' storage system.

'SHAMEFUL': HOW BENGHAZI REPORT SLAMMED CLINTON FOR HER SECRET EMAIL SERVER The report published this week by House Select Committee on Benghazi reserves its strongest words for the conduct of the Democratic presumptive nominee for the White House. It says that her decision to keep her emails on a secret 'homebrew' server and then to select which ones to hand over stopped them knowing the full truth about Benghazi. Her email arrangements only came to light because of the investigation into the deaths. It says Clinton's attorney deflected demands to turn over emails by referring it to the State Department, and accused the department and Clinton of being involved in an attempt at obfuscation. 'This "who’s on first" routine orchestrated between the Secretary’s private counsel and the State Department, which is ostensibly an apolitical governmental diplomatic entity, is shameful. 'It was not merely Congress and the people it represents who were misled and manipulated, the State Department and the Secretary’s email arrangement undoubtedly delayed access to information on what happened to four brave Americans in Benghazi and the government’s response before, during and after the attacks,' the report says. 'The manner in which the Secretary communicated during her tenure, the manner in which those records were housed during and after her tenure and the manner in which the public record was self-scrutinized and self-selected makes it impossible to ever represent to the families of those killed in Benghazi that the record is whole.' Advertisement

But a source familiar with Datto's dealing with Platte River disputed that account and claimed that Platte River was billed for 'private cloud' storage, meaning they had to know that the device they had bought was sending data to the cloud.

Datto's attorney, Michael Fass,said in a statement that the company 'had no role in monitoring the content or source of data stored' for Platte River.

But once Datto learned of its role in the Clinton server network in August 2015, the company expressed fears to Platte River that the system was vulnerable to hackers, a Datto source told the Washington Post last October.

According to the Datto official, the company was concerned about the 'sensitive high profile nature of the data' and wanted to upgrade security. However the company said there was no evidence the system was hacked.

Datto's founder Austin McChord has been described as the 'Steve Jobs of Disaster Recovery' - and once admitted talking to customers with a British accent to sound more convincing.

Daily Mail Online revealed in October that Datto employees had a maverick attitude. Their Facebook page featured photos of employees drinking at their annual conferences in Las Vegas, goofing off in front of the camera dressed as offensive Mexican stereotypes and dancing along with a troupe of female Hawaiian-style dancers on the beach in summer 2015.

The company was founded by McChord in 2008 in his parents' basement in Connecticut when he finished college.

McChord said in an interview that he had to move back home to save money and spent $80,000 on credit cards before things took off.

Datto now has 600 employees and last year was valued at $1 billion and McChord was named as one of Forbes' '30 Under 30' standout executives in 2015.

Datto told Daily Mail Online: 'Datto protects the essential business data for thousands of customers throughout the world who entrust Datto to ensure their data is secure and readily available when needed. We maintain a comprehensive matrix of safeguards to protect our customer’s data.'