A hacker who gained access to online retailer TOMS’ mailing list has used the breach to give its claimed five million subscribers some unsolicited life advice.
His message (subject: TOMS hacked by nice man): “Hey you, don’t look at a digital screen all day, theres [sic] a world out there you’re missing out on :)”.
Worryingly for customers, the hacker appears to have gained access to far more than the mailing list, tweeting a screen shot of order details.
He told customers on Twitter “full credit card details aren’t shown. Just most of the account number (10 digits). Still bad for sure, but it could be worse.”
Not just the mailing list was hacked… This information shown here is useless to me anyways, because there is no purpose in making negative impacts in thousands of strangers’ lives over the internet. On another note, TOMS needs some better security…
— . (@tomsatg1) October 6, 2019
The hacker responsible, “Nathan” told Computer Business Review in a Twitter DM that he had hacked the servers of the US-based company and social enterprise some time ago, but – lacking pecuniary motives – not found a use for the access (“it’s beyond f****d up to sell peoples private information on the internet”, he told us).
TOMS Hacked. Company “Looking Into the Matter”
TOMS said: “We are aware of unauthorized activity through our communications channels including email and social media. We are actively looking into the matter. In the meantime, please do not click on any links or reply to it.”
It was not immediately clear if the company has contacted the ICO as required under GDPR. Computer Business Review has yet to hear from the company.
“Nathan” said: “With a busy life and no malicious intent, it was pretty useless for me to have them hacked. By this point responsible disclosure is not an option. So I thought I might as well send out a message I believe in just for fun.”
It looks like TOMS’s mailing list was hacked and I guess times are so rough hackers are just sending self care reminders now
— Alisha Rai (@AlishaRai) October 6, 2019
Why TOMS, and How Did He Do It?
“An easy pop. No grudges or anything like that against TOMS. I had access to their internal network along with many many machines on it. Much more information was in the databases running on those servers which I also had access to… Dear TOMS, sorry for hacking you guys. No hard feelings pls?”
We are aware of unauthorized activity through our communications channels including email and social media. We are actively looking into the matter. In the meantime, please do not click on any links or reply to it.
— TOMS (@TOMS) October 6, 2019
He declined to answer questions on how he gained access, saying that is “gonna have to be a secret”.
He added: “I feel like people now are spending too much time looking at screens like I once did. There’s plenty more to experience out there in the world to enjoy. Life happens too quick when you look at a screen. It’s like life gets put on fast forward. My message was hopefully reaching those teenagers and even adults who are addicted to their smart devices. Hoping to trigger some people to have a self realization/epiphany.”
While it is possible that some of the five million TOMS subscribers will get a lift from the message, others may be worrying that their account information is also exposed. Meanwhile, as the hacker puts it: “TOMS needs some better security”.