Footwear retailer Toms has had its email newsletter compromised by someone who calls himself “a nice man”.
As Motherboard reports, someone going by the name of “Nathan” sent an unauthorised message to the firm’s newsletter subscribers with the subject line “Toms hacked by a nice man.”
And, rather than be told about the hottest deals for flip-flops, slip-ons and espadrilles were instead advised to spend a little less time looking at a screen:
hacked by nathan
hey you, don’t look at a digital screen all day, theres a world out there that you’re missing out on. (:
just feel like some people needed that ^^ (:
That’s certainly a refreshing change from the typical messages spread by hackers, and there is no suggestion – although Nathan’s actions were clearly questionable – that anything more malicious has occurred.
Motherboard spoke to Nathan, who chose not to warn the company responsibly of their security issues but instead communicate directly with its newsletter subscribers:
“I had TOMS hacked for quite a while, but with a busy life and no malicious intent, it was pretty useless to have them hacked. By this point responsible disclosure is not a option. So I thought I may as well send out a message I believe in just for fun. End purpose was to spread my message to a large amount of people.”
Nathan told Motherboard that the hack of Toms was easy, but shared no details about how it had occurred. But what he did share, again refreshingly, was a strong message to those who hack with more malicious intent:
“To the hackers who hack large organizations etc for malicious reasons, stop being a criminal. Its beyond fucked up to sell people’s private information on the internet. How do you sleep at night knowing you had a negative impact on thousands or maybe millions of peoples lives? It’s just so wrong. Also you self proclaimed hackers with nothing to show for it, who are just cyberbullies with the biggest egos. It’s not cool.”
I can’t disagree with that, but I do feel that it would have been cooler if Nathan had responsibly disclosed the issue to Toms, and worked with them to fix it rather than spam however many thousands of people are signed up to a newsletter about shoes.
In an statement posted on its Twitter account, Toms confirmed that its newsletter had been compromised and advised recipients to be wary:
“We are aware of unauthorized activity through our communications channels including email and social media. We are actively looking into the matter. In the meantime, please do not click on any links or reply to it.”
Some users were less than impressed that Toms’s statement came several hours after the unauthorised messages were sent out, and that more effort should have been made to reassure customers more quickly.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.