I have had a number of people contact me about an alleged hack of Brand New Tube (‘BNT’) last week. They are concerned about their data security. I covered a previous hack of the platform in 2020 and made a video. Readers may rely on that video, because BNT supremo Muhammad Butt sued me in the High Court using expensive lawyers. I defended myself and won, he lost – filing notice of discontinuance and throwing in the towel. Today the ICO have confirmed that Brand New Tube has failed to notify it of the data breach. If true, they have breached data protection law once again. [UPDATE 23 August 2022 – The ICO have corrected themselves. Their initial email was wrong. Brand New Tube did in fact report the incident by 17 August. However, all the other criticisms in this article remain unchanged. In particular, Brand New Tube have failed to answer whether they received concerns in December 2021 about the website’s security.]
I want to confirm to supporters that I am preparing a lengthy video on this. However, I have already verified certain facts. Brand New Tube has been hacked – their Twitter account confirmed it on 14 August 2022 (archive). The hackers claim to have obtained the database including SHA-1 password hashes, and to have been able to extract the passwords. They claim to have extracted over 200,000 customer passwords (it is possible to recover the original passwords from unsalted password hashes by looking them up with tools such as rainbow tables). If true, this would only be possible due to negligence of a very serious kind.
In the UK, it is a mandatory legal requirement to report breaches to the ICO. The hackers and Brand New Tube customers on Twitter (archive) allege that BNT was warned months ago and failed to take action. That means at the latest the website operator should have disclosed to the ICO by Wednesday 17 August 2022. The ICO confirms they have not. [The ICO now confirms this was wrong and their initial email above was incorrect.] I also put the allegations to Brand New Tube via their lawyers on Friday and I can confirm that they have not denied being warned of a security breach in December 2021. The ICO was given My Media World Limited’s registration number and the website URL, and was asked very specific questions.