Daycare webcam service NurseryCam recently suffered a security breach that compromised the data of around 12,000 users, Threatpost reported. Around 40 daycare facilities were affected and had their nanny cam services shut down.
According to the hacker, they were trying to improve the service’s security. They exploited a ‘loophole’ they found in the NurseryCam system. They claim to have user data including usernames, email addresses, and encrypted passwords.
A report by the BBC cited NurseryCam director Melissa Kao as saying, “The person who identified the loophole has so far acted responsibly. He stated he has no intention to use this to do any harm [and] wants to see NurseryCam raise the overall standards of our security measures.”
The company, which learned of the incident on February 19, has already notified its customers. It also closed down its services to prevent further damage and protect users while it addressed the issue.
This is not the first time that the company was made aware of vulnerabilities. Back in 2015, IoT security researcher Andrew Tierney wrote about vulnerabilities in which the IP address, username, and DVR passwords “are leaked in the HTML source when viewing the cameras using ActiveX.”
Tierney once again reported that usernames and passwords are similar to those used to access remote video baby monitors in January. He also warned about the lack of TLS encryption to protect streams, which could have allowed malicious actors to access them.
In a comment to Bitdefender, Tierney said, “This is analogous to your local bank giving you the keys to their vault and just trusting that you will only take your money.”
Moreover, as recently as a few days ago, Tierney noted that another parent reported being given the same username and password they were issued back in 2015.
Some users noticed the leak a few months later. A customer of NurseryCam sister company FootfallCam also experienced similar issues. The customer said, “Over the four years we have had the devices we have highlighted some other issues to FootfallCam.”
Tierney notified the company about these issues. Moreover, the attacker contacted him for help in the effort to get the company to improve its security.
Meanwhile, Kao noted that she did not think that the previous flaws were connected with the recent breach. She added, “NurseryCam sincerely apologizes to all our parent users and nurseries for the incident. We are very sorry.”