A threat actor dumped 12,000 email addresses of NurseryCam users online last Friday, prompting the service to suspend operations.
NurseryCam is a remote webcam service used by around 40 daycare centers across the UK, allowing parents to watch and monitor their children’s activities.
News of the breach reached NurseryCam after the attacker notified The Register that he had obtained the names, email addresses, usernames and hashed passwords of users. After verifying the leaked credentials with the help of IoT security expert Andrew Tierney, the media outlet immediately notified NurseryCam’s developers.
“A hacker contacted El Reg on Friday to say they had obtained real names, usernames, what appeared to be SHA-1 hashed passwords, and email addresses for 12,000 NurseryCam users’ accounts – and had then dumped them online,” the online publication said. “Although this person claimed to have ‘redacted’ those details, the redaction was so poor it was trivial to figure out the real names and contact details of NurseryCam’s parent users.”
NurseryCam services were suspended on Saturday, and the company disclosed a possible data breach to the Information Commissioner’s Office (ICO), which is now investigating.
According to NurseryCam’s director Dr. Melissa Kao, the breach was possible due to an undisclosed vulnerability in the system, allowing the attacker to view and exfiltrate personal data including usernames, email addresses, names and hashed passwords.
“The person who identified the loophole has so far acted responsibly,” Kao said in a statement for the BBC. “He stated he has no intention to use this to do any harm [and] wants to see NurseryCam raise the overall standards of our security measures.”