Naked Security

TOMS hacker tells people to log off and enjoy a screenless day

TOMS seems like a really nice shoe company, and it just got hacked in a really nice way. But it's still a hack.

Motherboard Vice reports that on Sunday, a hacker going by the name Nathan emailed TOMS subscribers and told them to log off, go out and enjoy the day:

hey you, don’t look at a digital screen all day, theres a world out there that you’re missing out on.

just felt some people need that.

CEO Jim Alling acknowledged the hack in an email to customers, telling them that an unauthorized email was sent out to the TOMS community by “an individual who gained access to a TOMS account in a third-party system.”

The company is asking members of its mailing list to refrain from clicking on any links or replying to the pleasant but unauthorized and illegal message.

TOMS is investigating the incident, but Alling said that the company immediately took steps to deactivate the account and implement additional layers of account security. He said that TOMS had spent 24 hours doing “close examination” with the company’s partners, but so far, it doesn’t look like full payment card details were accessed or that TOMS’ marketing customer email list was downloaded.

Well, no, why would he have done that? That would have taken a lot of time. Plus it would have been rude, Nathan told Vice:

I had TOMS hacked for quite a while, but with a busy life and no malicious intent, it was pretty useless to have them hacked.

Of course, he could have just responsibly disclosed whatever security hole he exploited, but for reasons he didn’t give, Nathan didn’t consider that an option:

By this point responsible disclosure is not a option. So I thought I [may] as well send out a message I believe in just for fun. End purpose was to spread my message to a large amount of people.

Nathan didn’t disclose how he broke into the TOMS account, but he told Vice that it was easy. And for all the hackers out there with less benevolent intent, he had this message:

To the hackers who hack large organizations etc for malicious reasons, stop being a criminal. Its beyond f**ked up to sell people’s private information on the internet. How do you sleep at night knowing you had a negative impact on thousands or maybe millions of peoples lives? It’s just so wrong. Also you self proclaimed hackers with nothing to show for it, who are just cyberbullies with the biggest egos. It’s not cool.

What conflicting emotions this guy stirs. I completely agree with all that he said above, and I completely want him to stop having this kind of fun with his hacking, lest he get arrested by law enforcement who aren’t amused.

Nathan might well have been a nice-guy hacker, but a hack is still a hack, as Vice pointed out. He made work for TOMS’ IT crew, its security crew, its CEO, and its PR people, one imagines. If TOMS called in law enforcement, that also means work for police and/or the FBI.

Nathan acknowledged all that in what we can assume, with our limited exposure to the hacker, is pure Nathan style:

Dear TOMS, sorry for hacking you guys. No hard feelings pls?

Kids, don’t try this at home. There’s no such thing as the Mr. Rogers of the hacking set, unless you’re talking about responsible disclosure. Even if you abstain from using a security hole to go after the financial data of a company’s customers, and even if you refrain from phishing them, you’re still breaking the law by illegally accessing an account to which you don’t have authorized access.

There are laws against that. In the US, prosecutors like to use them.

6 Comments

“He made work for TOMS IT crew, its security crew….” well, they should be grateful, because until the hack got disclosed, they didn’t do their job….

Without intending to come across as supporting his actions, I have to agree to a certain extent.

“the company immediately took steps to deactivate the account and implement additional layers of account security”

I mean, imagine if the company worked proactively, they could have saved themselves from the incident and hence, the exposure.

99% of companies do not keep their systems updated or watch vulnerability lists. This is what happens when you ignore those. TBH though most higher ups don’t want to spend money/time/be inconvenienced for security protocols.

Not knowing if the exploit was a Zero day, or a sloppy misconfiguration, or stolen/bought access, I will not criticize their IT team. With all the VPN exploits exposed in the last week, all the Cisco back doors patched in the last year. It takes a little bit of luck to not be hacked these days too.
