Hackers hijacked the Bell County phone system last week in an attack that enabled them to place outgoing calls on the county’s dime.

According to a report by the Killeen Daily Herald, exploiting a vulnerability created by weak password protection enabled the hackers to gain access to an extension in the Road and Bridge Department. Once they had access to the phone’s automated menu system, they were able to activate the remote-dial feature and route international calls from a third-party number through the Bell County switchboard. Routing those calls through the system caused thousands of dollars in calls to be billed to the county.

Once the intrusion was detected by AT&T’s fraud department, the remote-dial and international calling features of the system were disabled.

According to Jim Chandler, director of Bell County’s technological services department, all the calls were around 10 seconds in length. Chandler told the Bell County Commissioners Court on Monday that the minimal password requirements in place only require a password to be from four to seven characters long. The password on the exploited system was only four characters long, making it easy to crack.

Attacks like this – known as private branch exchange hacking – cost telecom carriers $4.42 billion last year, due in large part to the ease of their execution. They are most often perpetrated by companies in South Africa and South America and exploit weaknesses in phone systems still reliant on private branch exchanges rather than voice over internet protocols.