Here are a few headlines from the last 24 hours or so, about a supposed smart toothbrush botnet launching a distributed denial-of-service (DDoS) attack:
- “Millions of hacked toothbrushes used in Swiss cyber attack, report says” – The Independent.
- “Hackers turn toothbrushes into cyber weapons” – Fudzilla.
- “Millions of smart toothbrushes used in botnet attack on company” – Boing Boing.
- “3 million smart toothbrushes were just used in a DDoS attack. Really” – ZDNet.
- “Three million malware-infected smart toothbrushes used in Swiss DDoS attacks — botnet causes millions of euros in damages” – Tom’s Hardware
- “Over 3 million toothbrushes ‘hacked’ and ‘turned into secret army for criminals,’ experts claim” – The Sun.
And there were many more…
The reports were inspired by a report last week in the Swiss newspaper Aargauer Zeitung.
The German-language article certainly starts dramatically. Here’s a computer-generated translation of its opening paragraphs:
She’s at home in the bathroom, but she’s part of a large-scale cyber attack. The electric toothbrush is programmed with Java, and criminals have unnoticed installed malware on it – like on 3 million other toothbrushes. One command is enough and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused.
This example, which seems like a Hollywood scenario, actually happened. It shows how versatile digital attacks have become. “Each device connected to the Internet is a potential goal – or can be misused for an attack,” says Stefan Züger. He is responsible for the Switzerland offshoot of the cybersecurity specialist Fortinet, based in Dietlikon in Zurich, the system technology division. Whether baby monitor, web camera or the electric toothbrush, do not care.
There’s an issue with Aargauer Zeitung’s report. It didn’t actually happen.
The story is fiction. Three million smart toothbrushes didn’t launch a DDoS attack against a Swiss company.
If they really had launched the attack, Fortinet’s PR team would surely have been pushing out the news left, right, and centre. But Fortinet’s social media accounts and press release archives are silent.
Fortinet declined to comment to those cybersecurity news outlets or the security researchers that bothered to ask for some details.
None of this has stopped numerous newspapers and websites around the world from repeating the “Beware, your electric toothbrush may have been hacked” headlines, because…
…well, because it makes such a good story.
An untrue story, of course. But a great story nonetheless.
And yes, the general public should know about the risks of unsecured IoT devices. But journalists and cybersecurity vendors must avoid presenting made-up stories as fact. Otherwise, no one will believe genuine news.
Fortinet could have corrected the story, making it clear that it wasn’t true, but just an example of something that could potentially happen. Instead, it chose to keep its err... mouth shut.
Maybe it enjoyed the attention and media exposure.
It certainly doesn’t seem to harm their share price.

Further reading:
- Tooth be told: Toothbrush DDoS attack claim was lost in translation says Fortinet.
- Round 3! The toothbrush DDoS attack saga continues: Newspaper counters Fortinet’s translation claim in contentious interview.
Many large corporations orchestrate the self attack for publicity. Is that really true and viable? Cybersecurity is a blessing and a demon looming large. DDoS attacks are increasing each day and all verticals. Please feel free to give me your feedback and thoughts on this.
First I had a very good laugh! But then, so many witless professional "experts" citing each other make a fantasy tale become fake facts. The result makes us ashamed of the human race, just like that blonde American notorious liar wanting to overthrow democracy. Shame…
Didn't happen, confirmed by Fortinet
https://www.bleepingcomputer.com/news/security/no-3-million-electric-toothbrushes-were-not-used-in-a-ddos-attack/
Yeah, I think my article also makes pretty clear it didn't happen too!
Fortinet sent me the same statement since publishing this article. You can see my response here
https://grahamcluley.com/tooth-be-told-toothbrush-ddos-attack-claim-was-lost-in-translation-says-fortinet/
In your citation for the Aargauer Zeitung you listed the sentence "It shows how versatile digital attacks have become." twice.
Well spotted. Fixed!
Have a look at the statement of the newspaper, they claim that the company gave numbers regarding the attack and even had the preprint to check and did not correct them.
https://www.aargauerzeitung.ch/wirtschaft/cyberangriff-die-gehackten-zahnbuersten-gehen-medial-um-die-welt-und-loesen-fragen-aus-wie-es-dazu-kam-ld.2577182
Yes, I wrote about that here…
https://grahamcluley.com/round-3-in-the-toothbrush-ddos-debacle/
Particularly disappointing are ZDNet and Tom's Hardware for their questionable journalism. Do I need another channel that keeps forwarding sensational "lies?" Probably not.