Nothing data breach comes to light, affecting community members

News
By Brady Snyder
published

Nothing's string of security incidents continues with an old one resurfacing.

The Glyph lights illuminated on the back of a Nothing Phone (2)
(Image credit: Nicholas Sutrich / Android Central)

What you need to know

  • Nothing has confirmed a data breach from 2022 that saw the data of 2,250 Nothing Community members left vulnerable.
  • While no passwords or other types of sensitive information were accessible in the breach, the email addresses of users were stolen.
  • Now, the email addresses and other information related to the breach were found online in an apparent database dump.

Nothing came under fire after initially partnering with Sunbird for Nothing Chats, the company that left user messages completely unencrypted and easily accessible. Unsurprisingly, Nothing Chats was shut down quickly, but not before Nothing's reputation took a hit. Now, an earlier data breach on the Nothing Community forums from 2022 has surfaced, affecting thousands of users. 

The situation came to light on Sunday, April 21, when a few users on X (formerly Twitter) reported discovering personal information used with Nothing Community accounts on an online database. Most of the data included in the dump was already publicly available, like Nothing Community usernames. However, user emails (which are not public-facing on Nothing Community) were also leaked. 

The posts were first blurred and then eventually taken down to prevent bad actors from exploiting the data exposed in the database. Android Authority found and confirmed that the database existed, adding that there is no evidence user account passwords were leaked. In addition to user data, official emails of Nothing employees were also discovered in the online database. 

Nothing confirmed the data breach in a statement to Android Authority on Monday evening, stating that the vulnerability dated back to 2022. 

"In December 2022, Nothing discovered a vulnerability, which impacted email addresses belonging to community members at the time," the company said. "No names, personal addresses, passwords, or payment information were compromised. Upon this discovery nearly a year and half ago, Nothing took immediate action to remedy the situation and bolster its security features."

The Nothing Phone (2)'s colorways with glyph lights on

(Image credit: Nicholas Sutrich / Android Central)

As far as data breaches are concerned, the Nothing Community leak appears to have a very small scope. Aside from seeing an uptick in spam emails, there will likely be limited impact to Nothing Community users following the breach. Users can change their passwords just to be save, but that probably isn't necessary because no Nothing Community account passwords were stolen. 

Notably, it does not appear that Nothing made an attempt to contact affected users that their email addresses may have been exposed. It did make undisclosed internal changes to protect user data going forward, however.

While relatively minor, it's the latest recent instance of Nothing being the center of a data and privacy incident. Although the vulnerabilities date back to 2022, this breach comes to the surface as users still recall the Nothing Chats debacle quite well, as Sunbird stages a comeback

Brady Snyder
Brady Snyder
Contributor

Brady is a tech journalist covering news at Android Central. He has spent the last two years reporting and commenting on all things related to consumer technology for various publications. Brady graduated from St. John's University in 2023 with a bachelor's degree in journalism. When he isn't experimenting with the latest tech, you can find Brady running or watching sports.