Yesterday, MHN revealed information provided by a whistleblower. In a shocking development to the Brand New Tube story it has emerged that up to thousands of identity documents of Brand New Tube users, including passports, were published online without the knowledge or consent of those users (and indeed, likely without incompetent Brand New Tube’s knowledge). In a shocking update today, a different source has provided a publicly available list of reported bugs on Brand New Tube that have largely gone unfixed since 2020!
The list of errors can be found on a public bug bounty site called www.openbugbounty.org (archive).
This only fuels concern as to Brand New Tube’s poor security policies. Tests today reveal that Brand New Tube are still publishing unsecured identity documents online. Nothing has changed since the MHN article yesterday.
[UPDATE 15:05 27 August 2022] In light of the breached personal identity document still being online, MHN has contacted Muhammad Butt’s and Brand New Tube’s lawyers by text, to warn them and to create evidence of their negligence.
MHN will be posting daily call-outs until the personal identity documents are removed.
Brand New Tube’s negligence is shocking.
Apparently according to Butt, he seems to know the identity of the hacker (singular apparently according to Butt) and claims that whoever is in a “frenzy”.
https://twitter.com/brandnewtube/status/1563569143902703624
The fact he uses the same word “explosive” as your article in this tweet:
https://twitter.com/brandnewtube/status/1563562347645763584
and hints again at knowing the identity of the hacker
https://twitter.com/brandnewtube/status/1563559320302002177
I can only hope he’s not wandering into further libel territory and intending to falsely accuse the wrong people… AGAIN.
He seems very desperate to spin a tale that the target was himself and Poulton in total contradiction to what the hackers themselves have said in their emails to BNT users.
If it weren’t for the seriousness of the data breach involved [and 18GB is clearly a LOT more than just usernames/passwords] and the CDN issues then this would be extraordinarily funny… for those who could’ve anticipated this happening after the 2020 hack. For those who trusted BNT with their personal data it is likely to cause other problems. Butt doesn’t seem to give a flying feck about them though and it’s all about him/Poulton. Says a lot about the narcissism involved.
He would be much wiser given ICO involvement to stop posturing and making waves on social media and get on with putting the errors right and let the authorities deal with the hackers. Such posturing and aggressiveness by Butt is only going to increase the chances of the ICO heavily fining him imho. Maybe that’s what he wants? Stranger things have happened.
I am pretty sure the police and ICO are cleverer than Butt. Ironically though, the guilty party will likely have destroyed all the evidence by now … having a toasty August laptop bonfire.
Yes very probably but frankly, the lack of visible action on this matter doesn’t exactly inspire confidence nearly 2 weeks on from the breach.
Am still somewhat shocked at the lack of care and responsibility at BNT… whilst they pontificate online.
The sort of response in the thread below https://twitter.com/AylinCaros/status/1563606477872709632 is typical of the lack of honesty and empathy by BNT (CEO especially) regarding how much data has likely been compromised.
No care involved at BNT – it might work at a local market stall but won’t when thousands of users’ data is potentially compromised.
Appalling level of service. User data security is clearly bottom of the priority list for BNT.
You and other readers of this site may be interested in what one of the alleged hackers has said about BNT and the reasons for the hack [REDACTED by MHN for legal reasons].
Great comments about Sam’s reports on the BNT hackings in the link below.
Some readers may be left feeling deeply disturbed by some of the other comments on the forum.
The overload of truth and honesty in there will be too disorientating for followers of Sonia Poulton and BNT.
The real story about the hacking is nothing like the story Sonia Poulton told by use of one of her most favoured signature fantasies, i.e. being hunted down by paedophiles. The story calculated to cause distraction and minimise panic about stolen data.
She picked the wrong time to go on holiday. Or perhaps it was the right time. Just saying.
[Remainder redacted by MHN for legal reasons]