NurseryCam 2021 Data Breach

NurseryCam Childcare Monitoring Service Security Failure (2021): Live Nursery Video Feeds of Children Accessible via Critical Vulnerabilities | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Anonymous hacker (12K parent credentials dumped); separate researcher disclosure by Andrew "Cybergibbons" TierneyChildenEmail Address
Moderate SeverityWebsite / service breach

NurseryCam Childcare Monitoring Service Security Failure (2021): Live Nursery Video Feeds of Children Accessible via Critical Vulnerabilities

NurseryCam provides live video streaming of children in daycare or nursery environments, allowing parents to monitor activity remotely. Connects physical camera systems with online access portals tied to families and childcare providers.

Verified by ObscureIQ Intelligence
53/100Breach Risk Index
40Data Value
10Market Recency
1889dSince Breach

Breach Intelligence Summary

Entity: NurseryCam · Actor: Anonymous hacker (12K parent credentials dumped); separate researcher disclosure by Andrew "Cybergibbons" Tierney · Sources: 3 references
Attack: Unknown
Profile: Platform · Live nursery and daycare video streaming · Subscription-based childcare monitoring service · Global
Timeline: Breach (2021-02-12) · Indexed (Feb 23, 2021) · Year (2021)
Exposure: 11K records · 1 fields: Email Address
Status: Confirmed

Executive Summary

NurseryCam, a UK-based childcare-monitoring service that allowed parents at approximately 40 UK nurseries to view live video feeds of their children, suffered a security breach disclosed publicly on February 19-20, 2021. The incident is best characterized as a series of egregious security failures rather than a single data breach. Independent security researcher Andrew 'Cybergibbons' Tierney had documented multiple critical vulnerabilities in early February 2021 including the absence of TLS encryption on video streams, the persistence of access permissions for parents whose children no longer attended the nursery, the ability for parents to access camera feeds in nursery rooms where their children were not present, insecure direct object reference vulnerabilities allowing arbitrary video feed access by URL manipulation, and the use of shared administrator credentials that were published in the company's public instruction manual. A separate hacker exploited these vulnerabilities and obtained parent account credentials from approximately 12,000 NurseryCam users, which were dumped online, prompting the company to take its cameras offline. The breach affected approximately 10,000 to 12,000 parent records based on records indexed by Have I Been Pwned and the original hacker disclosure. Compromised fields included email addresses, names, usernames, and SHA-1-hashed passwords. The hacker publicly stated they had no intention of using the data to harm anyone and that they wanted to force NurseryCam to raise its security standards. Far more critically, the vulnerabilities themselves enabled unauthorized live-video access to children at the affected nurseries, with no reliable record of how many parties may have viewed the feeds during the multi-year period the vulnerabilities existed. For affected parents and the broader population of children at the affected UK nurseries, the practical risk profile combines standard credential exposure with significant child-safety concerns. The credential exposure supports credential-stuffing attacks against any other accounts where parents reused the same password, and parents should change any reused passwords on other accounts. The more serious concern relates to the live-video access vulnerabilities themselves: because the vulnerabilities had reportedly existed for at least six years prior to public disclosure (since at least 2015 per a parent's earlier report), unknown parties may have had access to live video streams of children at NurseryCam-equipped nurseries during that period without detection. Parents whose children attended NurseryCam-equipped nurseries between approximately 2015 and 2021 may wish to review the timeline of their child's nursery attendance against the documented vulnerability period and discuss any concerns with their nursery and with applicable UK child-safeguarding authorities.

ObscureIQ assessment: Extremely high risk. Exposure can enable stalking, child privacy violations, household targeting, and unauthorized observation of children and caregivers. Streaming-access systems create acute physical-safety concerns.

Breach Impact

The institutional impact on NurseryCam was effectively terminal. The service was shut down, and the parent companies Footfallcam Ltd and Meta Technologies Ltd faced UK ICO scrutiny, regulatory exposure under GDPR and UK data-protection law, and substantial reputational damage that extended across their broader IoT-product portfolio. The case has been formally cited in UK regulatory guidance about IoT device security and parental-monitoring services. Reputational impact concentrated within the UK childcare and parental-technology sectors, and the case is referenced in subsequent IoT-security legislation discussions including the UK Product Security and Telecommunications Infrastructure Act framework. The breach prompted broader industry scrutiny of the security architecture of childcare-camera services across multiple vendors.

About NurseryCam

NurseryCam was a UK-based subscription childcare-monitoring service operated by Footfallcam Ltd and Meta Technologies Ltd, headquartered in Guildford, England, with Melissa Kao as director. The service deployed CCTV cameras inside UK nurseries (daycare centers for children aged approximately five months to six years) and provided parents with remote access to live video streams of their children at nursery via a web portal and mobile application. NurseryCam was deployed at approximately 40 nurseries across the UK and marketed itself with the claim of being 'safer than online banking.' As a childcare-monitoring platform, NurseryCam maintained parent account data including identity, contact information, login credentials, and access to live and stored video feeds of children at participating nurseries.

Why They Hold Your Data

Childcare video-streaming platforms collect parent accounts, child-related records, camera or room access data, billing records, and live-stream access information tied to daycare or nursery monitoring.

Recent Developments

NurseryCam was shut down on February 20-21, 2021 following the breach disclosure and has not returned to operation under the same brand. The UK Information Commissioner's Office began assessing the matter following the data-breach report. The case has been widely cited in UK IoT-security commentary as a leading example of vendor unresponsiveness to security disclosure, particularly because Footfallcam Ltd had a documented pattern of attempting to strongarm security researchers including Andrew 'Cybergibbons' Tierney into deleting public Twitter discussion of vulnerabilities in its FootfallCam sister-product. A NurseryCam parent had reported essentially the same class of vulnerability to the company in 2015, six years before the 2021 breach forced disclosure, with NurseryCam reportedly brushing off the report at the time.

Data Points Exposed

1 verified field types
Email Address

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:Moderate
Primary downstream threats:
  • Targeted phishing campaigns using exposed email addresses
Threat vectors:
  • Phishing, credential stuffing & account takeover

Threat Actor: Anonymous hacker (12K parent credentials dumped); separate researcher disclosure by Andrew "Cybergibbons" Tierney

Anonymous hacker (12K parent credentials dumped); separate researcher disclosure by Andrew "Cybergibbons" Tierney
Unknown

Attribution and method are based on available breach intelligence. Reported attack vector: Unknown.

Recommended Actions

If you believe your information may be included:

Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the NurseryCam breach?

NurseryCam, a UK-based childcare-monitoring service that allowed parents at approximately 40 UK nurseries to view live video feeds of their children, suffered a security breach disclosed publicly on February 19-20, 2021. The incident is best characterized as a series of egregious security failures…

What data was exposed?

Verified fields include Email Address.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
Have I Been Pwned
Record & field corroboration
Cross-source
Dehashed
Independent catalogue listing
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation