I have had a number of people contact me about an alleged hack of Brand New Tube (‘BNT’) last week. They are concerned about their data security. I covered a previous hack of the platform in 2020 and made a video. Readers may rely on that video, because BNT supremo Muhammad Butt sued me in the High Court using expensive lawyers. I defended myself and won, he lost – filing notice of discontinuance and throwing in the towel. Today the ICO have confirmed that Brand New Tube has failed to notify it of the data breach. If true, they have breached data protection law once again. [UPDATE 23 August 2022 – The ICO have corrected themselves. Their initial email was wrong. Brand New Tube did in fact report the incident by 17 August. However, all the other criticisms in this article remain unchanged. In particular, Brand New Tube have failed to answer whether they received concerns in December 2021 about the website’s security.]
The ICO confirms no report was made. The ICO was asked very specific questions and given My Media World’s registration number. The ICO initially said no report was received. It now admits this was wrong.
I want to confirm to supporters that I am preparing a lengthy video on this. However, I have already verified certain facts. Brand New Tube has been hacked – their Twitter account confirmed it on 14 August 2022 (archive). The hackers claim to have obtained the database including SHA-1 password hashes, and to have been able to extract the passwords. They claim to have extracted over 200,000 customer passwords (it is possible to de-hash unsalted hashed passwords using tools such as rainbow tables). If true, this would only be possible due to negligence of a very serious kind.
In the UK, it is a mandatory legal requirement to report breaches to the ICO. The hackers and Brand New Tube customers on Twitter (archive) allege that BNT was warned months ago and failed to take action. That means at the latest the website operator should have disclosed to the ICO by Wednesday 17 August 2022. The ICO confirms they have not. [The ICO now confirms this was wrong and their initial email above was incorrect.] I also put the allegations to Brand New Tube via their lawyers on Friday and I can confirm that they have not denied being warned of a security breach in December 2021. The ICO was given My Media World Limited’s registration number and the website URL, and was asked very specific questions.
The ICO confirms no report was made. The ICO was asked very specific questions and given My Media World’s registration number. The ICO initially said no report was received. It now admits this was wrong.
It is also unclear if Brand New Tube have fully informed the users of the scale of the data breach. If passwords have been compromised, hackers will be in possession of valid email:password pairs and able to easily identify and compromise other accounts if the violated customer uses the same password. Statements by Brand New Tube content creators have been vague and conspiratorial, such as Sonia Poulton’s statement here (archive). Whilst they have referred to supposed paedophile conspiracies (as opposed to negligence by Brand New Tube), and encouraged users to change their passwords on Brand New Tube, they have not clearly warned customers of risk of breach of other accounts.
Whilst making implausible comments about conspiracy theories involving Parliament or the British Government, it appears BNT have failed to take action when warned by customers, failed to fully notify customers of the scale of the hack and failed to notify or cooperate with the ICO over an investigation. Further coverage will follow. In the meantime I recommend that customers immediately terminate any account or subscription with Brand New Tube and report them to the ICO.
An ICO spokesperson said:
“Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms.
“If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.”
“All organisations using personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to us.”
[UPDATE 23 August 2022] – In a u-turn, today an ICO spokesperson added:
“Brand New Tube Ltd reported an incident to us within the required timeframe, and we will be assessing the information provided”.
Despite the retraction by the ICO, MHN would still not deal with Brand New Tube given the hackers’ other claims, BNT’s failure to answer my other questions and the apparent weakness of Brand New Tube’s security and compliance. I still recommend customers and investors find a different video website.
What is all this about an evil plot by the British Government? Is it the same one as the World Economic Forum (WEF)?
Don’t look at me. So far @BrandNewTube has posted a chessboard, a ?dildo? wearing a gold ring, and a cat frantically bashing a keyboard. But not a detailed, even partially redacted, ICO breach form from August, let alone December. They have posted an automated email receipt from 15 August 2022, which I have included above.
I don’t condone or encourage any hacking of sites, however I must admit this is rather priceless for those who have been attacked by Butt etc for being critical of the BNT operation or indeed of Sonia Poulton’s real behaviour.
That aside: It’s a very sad and sorry situation… for the end users of BNT who, even a week+ on from the supposed hack, appear to have been given little GENUINE information and thought by the website owner(s) as to how to tackle their compromised data.
It’s not like BNT haven’t been warned by the previous hack(s) and should’ve taken adequate precautions regarding proper security and especially regarding encryption of sensitive data.
It would appear from the public domain information so far that the security on the data [at least] remained very, very lax and it perhaps demonstrates how easy it is for entrepreneurs to get themselves caught out when they don’t have in-house specialists to deal with these sorts of situations. I find it hard to believe that data couldn’t have been restored in a week, and I find it hard to believe that security tightening is taking so long too.
This time therefore I suspect that the ICO won’t simply be giving BNT strong advice.
Will be monitoring this case as well as I suspect that there is a lot more data lost than has been admitted to (given what has been claimed by the hackers on their forum about the size of the hacked data) and I have already noted the aggressive posturing by both Butt and Poulton on Twitter about it all.
That posturing is needless and, of course, doesn’t help any worried end users who have potentially had other registrations compromised as a result or even worse potentially even payment details if they were part of the data lost or indeed if user/password combos have been used on other sites by end users as you correctly state in the article, Sam.
Poulton especially seems to be finger pointing at “paedophiles or people who work for paedophiles” being responsible for the hack. She is very quick to launch into such irresponsible and unfounded allegations without hard evidence [no doubt to create another drama and attention seeking] but she should know better given her civil case(s) predicament. Seems she too has learnt nothing. More fool her in my opinion.
I still remember the aggressiveness of Butt’s then lawyer(s) issuing unfounded legal threats to critics simply for reporting on the previous hack. Seems that freedom of speech does have limits when it comes to criticism of Brand New Tube(!). The irony of that alone still makes me smile.
Whilst this current situation is a very sorry state of affairs for the end users, it also makes BNT look absolute fools [in IT terms] although they will probably see it all as though they are the victims [which they are of the alleged computing offences ONLY if proven to a criminal standard] and that everything will be ok in future likely thinking even bad news can be turned to an advantage.
Sadly, that was the promise back in 2020 and now look. “We’ve invested and fixed it” but it’s now clear they didn’t fix it.
The question for anyone continuing to use a platform that has been given warnings and opportunities is whether they can trust the platform to be really any better if or when it comes back and that it’s not all just bluster as it seems from previous issues again?
Users of BNT posting on Bitchute don’t appear to be happy with what they’ve received from BNT so far…
https://www.bitchute.com/video/tynqM9xF2yag/
Can’t really say I’m surprised – there is an email purporting to be from BNT in that video that is basically as unprofessional as it gets in response to user data going missing and accuses hackers of being “rogue degenerates”. It is also claiming [likely falsely] that only emails/password/IP address data has gone walkabout… again purely by the size quoted by the hackers on the uncompressed data stolen that is clearly untrue. Perhaps a mainstream journalist will take up the story and examine that data dump in detail… in the wider public interest of course because isn’t BNT supposed to be about telling “the truth”??
The hackers may indeed not be the users “friends” but they’ve certainly exposed a very poor level of security on BNT which should’ve been rectified and not left to be exploited again after the 2020 breach.
Keep going Sam as users on BNT sometimes like to claim: “you’re over the target”.
p.s. as a business proposition BNT has major potential, but whilst it is being run the way it is (unprofessionally IT wise), then I fear that it is only a matter of time before it’s users get exposed again as lessons have clearly not been learnt. Only my opinion though.