We discovered a database of Nothing group members’ emails from 2022 (Replace: Nothing assertion)

Replace, April 22, 2024 (05:30 PM ET): In response to our discovery of this database of electronic mail addresses belonging to Nothing group members from 2022, Nothing has delivered the next assertion:

In December 2022, Nothing found a vulnerability, which impacted electronic mail addresses belonging to group members on the time. No names, private addresses, passwords, or fee info had been compromised. Upon this discovery almost a yr and half in the past, Nothing took fast motion to treatment the scenario and bolster its security measures.

We aren’t positive why this database from a 2022 breach has resurfaced. Regardless, the unique, unamended article continues after the break.

Unique article, April 22, 2024 (06:45 AM ET): Nothing is using on a wave of fine reception from customers, because of impactful merchandise just like the Nothing Telephone 2a, which we’ve preferred for bringing one thing new to the finances smartphone market. However the firm has additionally had its share of controversies, just like the Nothing Chats debacle, which was a privateness nightmare. Nothing seems to have suffered an alleged information breach not too long ago, as we might find a bunch of knowledge round Nothing Group profiles floating on the web.

We’ve positioned a file on a textual content file-sharing web site containing a knowledge dump of a number of Nothing Group profiles. The info current on this dump contains already-public info, equivalent to usernames, show names, be part of dates, remark counts, last-seen info, discussion board profile permissions, and extra.

Nonetheless, the dump additionally contains info that isn’t essentially public, equivalent to electronic mail addresses related to the discussion board profile. We might additionally spot profile suspension fields (utilized by moderators who handle on-line boards) however couldn’t instantly find something past “null” values.

To be clear, we couldn’t find any passwords within the information dump. Nonetheless, the e-mail addresses current within the dump don’t seem like simply seen on Nothing Group profiles, thus exposing the e-mail addresses of hundreds of Nothing Group members in a single file.

Based mostly on the last-seen info, the info seems to be from 2022. Additional, primarily based on the knowledge on electronic mail addresses, we estimate that info on the primary ~2,250 Nothing Group profiles is current on this information dump, together with a number of @nothing.tech emails for group managers. For apparent causes, we can not share the info dump.

If we’re allowed to invest, this could possibly be the results of an uncovered API. Nonetheless, the API seems to be inaccessible on the time of writing. Alternatively, it is also an export file from Nothing Group’s discussion board administration software program.

Though we now have not seen any proof of passwords being compromised, we advocate Nothing Group members change their password merely out of plentiful precaution.

We’ve contacted Nothing for an announcement on this alleged information breach and to be taught extra concerning the remedial measures the corporate has taken to forestall a reoccurrence. We’ll replace this text if and when the corporate responds.