Data breaches have increasingly put companies under the spotlight. Part of the reason is that data compromised during these incidents is often highly confidential, for example personal, medical, or even financial information.
Although the terms ‘data breach’ and ‘hack’ are often used interchangeably, there are some fundamental differences. Irrespective, the end result is potentially a crisis situation for whoever’s data has been stolen.
Another major problem is that data breaches and hacks have become larger and more frequent over the years. Let’s take a look at some of the whoppers that have occurred over the past two decades:
Major Data Breaches and Hacks Since 2000
Sina Weibo, 2020
Impact: 538 million users
Sina Weibo is China’s equivalent of Twitter. Unfortunately, in March 2020 it was reported that real names, site usernames, gender, location, and phone numbers were posted for sale on dark web markets. Thankfully, password data was not included.
Weibo acknowledged this but claimed that the data was obtained by matching contacts against its address book API. However, some of the information offered, such as location data, wasn’t available via the API.
This brought about public outcry with netizens investigating and confirming that the records were indeed circulating on the dark web. The company later claimed it was the work of a hacker who gathered publicly posted information by using a service meant to help users locate the Weibo accounts of friends, via their phone numbers.
First American Financial Corporation, 2019
Impact: 885 million users
In May 2019 First American Financial Corporation reportedly leaked 885 million users’ sensitive records dating back more than 16 years. Information leaked included bank account records, social security numbers, mortgage and tax records, wire transactions, driver’s license images and other mortgage paperwork.
The data was available publicly to anyone with a web browser. The company then realized that there was a design defect in an application that made possible unauthorized access to customer data. They took immediate action to shut down external access to the application.
Impact: 218 million user accounts
Zynga, once a giant in the Facebook gaming scene, remains a major player in the mobile game space with millions of customers worldwide. A Pakistani hacker known as ‘Gnosticplayers’ claimed to have hacked into Zynga’s database of Draw Something and Words with Friends, ultimately accessing data in 218 million registered accounts.
Zynga later confirmed that login IDs, names, email addresses, salted SHA-1 hashed passwords, phone numbers, and user IDs for Facebook and Zynga accounts were indeed stolen. Zynga has since taken steps to protect their users’ accounts from invalid logins.
Impact: 540 million users
Facebook works with many third-party apps. In 2019 it was reported that two Facebook app datasets had been exposed to the public Internet. One leak originated from the Mexico-based digital media company Cultura Colectiva, which left more than 540 million records open for public access.
The second came from a backup file on a storage server belonging to defunct California-based app maker At The Pool, which contained more sensitive data, including scraped information. Data involved included users’ friends lists, interests, photos, group memberships and check-ins.
Amazingly, neither company responded to requests to have the data removed, so Facebook contacted Amazon to pull the data offline.
Impact: 763 million users
Verification.io, an email address validation service provider, exposed 763 million unique email addresses in a MongoDB instance that was left open publicly with no password access required. Data including names, phone numbers, IP addresses, dates of birth and gender, email addresses, and other personal information was exposed.
Impact: 1.1 billion users
India’s ID database Aadhaar reportedly suffered multiple breaches that potentially compromised the records of over 1.1 billion registered citizens. Private information, including identity and biometric information on Indian residents, was exposed.
Other information like their names, their unique 12-digit identity numbers, services they are connected to, such as their bank details and other private information were also compromised. The leak occurred due to state-owned utility company, Indane, not securing their APIs properly.
Criminals were reported to be selling access to the database at a rate of Rs500 (approximately $6.78) for 10 minutes.
Marriott International, 2018
Impact: 500 million customers
This data breach initially occurred on systems supporting Starwood hotel brands in 2014. However, attackers remained in the system even after Marriott acquired Starwood in 2016 and were only discovered in September 2018.
Stolen information included names, email and physical addresses, phone numbers, passport numbers, account info, birth dates, gender, travel and accommodation information. Even worse was the loss of hashed credit card information: credit card numbers and their expiration dates.
The breach was attributed to a Chinese intelligence group seeking to gather data on US citizens.
Impact: 340 million (230m consumers, 110m businesses)
The Exactis data breach is somewhat unique in that there’s no proof that cybercriminals actually stole any data. However, experts believe that criminals did. Exactis is a Florida-based marketing firm that had records of 340 million Americans stored on an unsecured server.
Any cybercriminal could easily gain access to this server via a special search engine called Shodan. While the breach did not include sensitive data like credit card and Social Security numbers, it did include detailed personal information, including phone numbers, email and physical addresses, and even pet ownership.
It was later confirmed that 2TB of data was relocated to a public site for all to see, but as for who did it, that remains unknown.
Impact: 330 million users
Social media giant Twitter notified users of a glitch that stored unmasked passwords in an internal log. Those were thus accessible to the internal network. The company claims to protect user passwords via hashing, which stores a string of random-looking characters in place of the actual password.
Unfortunately, the logged passwords appeared in their original plain-text form instead. Following the incident, Twitter advised its 330 million users to change their passwords and said it had fixed the bug.
River City Media, 2017
Impact: 1.37 billion users
A huge email marketing organization called River City Media failed to safeguard backups of its database of 1.37 billion email accounts. The result was all of them being available for anyone to see – all because of improper configuration.
The available information included details like IP addresses, names and even physical addresses. It was also reported that River City Media was able to gather the information through a spam operation that involved sending emails promising ‘credit checks, sweepstakes and education opportunities’.
Yahoo, 2013, 2016
Impact: 3 billion user accounts
Claimed as the biggest data breach in history, Yahoo fell victim to attackers who the company believed were “state-sponsored actors”. In 2013, information compromised included the real names, email addresses, dates of birth and telephone numbers of 500 million users. Yahoo claimed that since most of the compromised passwords were hashed, they were safe.
But in December 2016, Yahoo disclosed another breach by a different attacker that included the names, dates of birth, email addresses, passwords and unencrypted security questions and answers of 1 billion user accounts.
Yahoo later revised this estimated figure in October 2017 to include all of its 3 billion users. An investigation reported that users’ passwords in clear text, payment card data and bank information were not stolen.
Adult Friend Finder, 2016
Impact: 412.2 million users
A huge data breach at the adult dating and entertainment company Friend Finder Network exposed more than 412 million accounts. Cybercriminals penetrated the site’s defences and stole usernames, encrypted passwords, emails, dates of last visit and membership statuses for 412 million accounts.
Before this, a previous data breach affected four million users, exposing information like sexual preferences and whether or not the user was looking for an extramarital affair. The nature of this breach was particularly sensitive due to the type of services offered. The Friend Finder Network also includes casual hookup and adult content websites.
The stolen data spanned twenty years across six databases with weak SHA-1 hashing protecting most passwords. Around 99% of them were cracked by November 14, 2016.
Impact: 360 million users
Social media site MySpace hit the headlines in 2016 after 360 million user accounts were put up for sale on the dark web. Information was also made available in LeakedSource, a searchable database of stolen accounts.
Stolen passwords were hashed with SHA-1, which was easily cracked. MySpace then invalidated all passwords belonging to accounts that were set up prior to 2013.
Impact: 235 million users
Chinese site NetEase suffered a data breach that impacted hundreds of millions of subscribers. There is evidence that the report is accurate, as many users confirmed that their passwords were leaked and were being sold on a dark web marketplace, but it was difficult to verify conclusively. NetEase has reportedly denied this. The breach was then tagged as unverified.
Date: February/March 2014
Impacted: 145 million users
eBay was the victim of a 2015 data breach which resulted in it asking all of its 145 million users to reset their passwords. Attackers used a small set of employee credentials to access this user data.
Stolen information included encrypted passwords and other personal information, including names, e-mail addresses, physical addresses, phone numbers and dates of birth.
Impact: 152 million users
In 2013 Adobe accounts were breached, with the data lost including an internal ID, username, email, encrypted password and a password hint in plain text. The encryption employed was weak and many passwords were quickly recovered in plain text. Furthermore, the password hints added to the damage, making it easy to guess the passwords of many users.
Impact: 165 million users
LinkedIn reported a data breach which had occurred in 2012. Although the company never claimed an official number, in 2016 figures suggested that as many as 165 million user accounts were compromised. Data lost included 117 million passwords that had been hashed but not “salted” using random data to make them harder to reverse.
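The difference between the unsalted SHA-1 hashing mentioned in the Adult Friend Finder, MySpace and LinkedIn entries and a salted, deliberately slow scheme can be seen in a short script. This is an added example, not code from any of the companies named; the sample accounts, password list and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: work factor chosen for illustration; tune it for your own hardware.
PBKDF2_ITERATIONS = 600_000

# Constructed sample accounts (not real data). Two users picked the same password.
SAMPLE_USERS = {"alice": "letmein2012", "bob": "letmein2012", "carol": "c0rrect-horse-battery"}
# Constructed stand-in for a list of commonly chosen passwords.
COMMON_PASSWORDS = ["123456", "password", "letmein2012"]


def unsalted_sha1(password: str) -> str:
    """Weak scheme: a single fast hash with no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def lookup_table_hits(stored: dict, candidates: list) -> dict:
    """Reverse every unsalted digest that appears in one precomputed table."""
    table = {unsalted_sha1(c): c for c in candidates}
    return {user: table[d] for user, d in stored.items() if d in table}


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Stronger scheme: per-user random salt plus a deliberately slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    weak = {u: unsalted_sha1(p) for u, p in SAMPLE_USERS.items()}
    print("same digest for alice and bob:", weak["alice"] == weak["bob"])
    print("reversed by one table:", sorted(lookup_table_hits(weak, COMMON_PASSWORDS)))
    (s1, d1), (s2, d2) = hash_password("letmein2012"), hash_password("letmein2012")
    print("salted records differ:", d1 != d2, "| verifies:", verify_password("letmein2012", s1, d1))
```

Without a salt, one precomputed table applies to every account at once and identical passwords are visible as identical digests; with a per-user salt each record has to be attacked separately, and the slow key-derivation function makes each guess expensive.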
Sony PlayStation, 2011
Impact: 77 million users
In April 2011 a cyber-attack on the Sony PlayStation Network and Qriocity services led to the compromise of 77 million user accounts. Thieves made off with personal user information, including dates of birth, e-mails, home addresses and login credentials.
While credit card information appeared to be safe at first, the company later acknowledged that 12 million credit card numbers were unencrypted and could easily be read. Multiple class-action lawsuits were filed against the company.
Impact: 100 million users
In 2010, Netflix supplied data sets containing over 100 million subscriber movie ratings and preferences to contest participants. Although Netflix insists that the data sets were anonymized and did not contain subscriber names or other personal information, experts confirmed that Netflix’s anonymization process could easily be reversed to identify individual subscribers.
While technically not a data breach, the move was clearly not thought through properly. Many considered it a violation of privacy due to the nature of the records involved.
Heartland Payment Systems, 2008, 2009
Impact: 134 million records
This payment processing firm experienced a data breach when hackers exploited a SQL injection vulnerability to break into its systems and install sniffer software. The breach was discovered by Visa and MasterCard due to suspicious transactions. The company has since strengthened its security measures.
T.J Maxx Security, 2007
Impacted: 94 million records
TJX disclosed that more than 45 million credit and debit card numbers may have been stolen from its IT systems over an 18-month timeframe. Hackers broke into the retail company’s wireless LAN. Court filings revealed that banks sued the retailer, claiming that the number was closer to 94 million.
AOL, 2003 – 2004, 2006
Impacted: 30 million users / 500,000 users
Between 2003 and 2004, a former AOL software engineer stole 92 million email addresses belonging to an estimated 30 million users. He then sold the list of addresses to someone in Las Vegas who began spamming the list with an advertisement for an offshore gambling website.
However, AOL itself isn’t completely blameless either. Search engines mostly recognize that releasing the complete search history of users poses privacy risks. In 2006, AOL decided otherwise and posted a complete three-month set of search queries for several hours. It was long enough for the data to be accessed publicly.
Impact: 40 million users
It was confirmed that 40 million credit card accounts were exposed due to a security breach that occurred at a third-party vendor of CardSystems in 2005. The information included credit card numbers and security codes. It was only in 2009 that CardSystems was found to have stored unencrypted credit card information on its servers.
Impacted: Source code exposure
Circa 2001/2002, hackers gained access to some of Microsoft’s essential product secrets and the company acknowledged that a security breach had occurred. It was reported that the unknown hackers had gained access to the source code of its most valuable software, including the latest versions of Windows and Office.
How Data Breaches can Occur:
Most organizations’ IT infrastructure is not foolproof. Once a hacker targets something, he/she will relentlessly probe to find loopholes. Often, they will seek to take advantage of software bugs or vulnerabilities.
In these circumstances, chances are that eventually at least one loophole will be found – and that is generally sufficient. A single point of entry is enough in many cases to allow access to entire networks and the information contained therein.
Based on surveys done, employee negligence remains the biggest worry for companies. Part of this is that it is a major contributor towards data loss. Between 2017 and 2019, an average of 20% of data loss incidents were due to negligence.
Malware is the name used collectively for malicious software, including viruses, ransomware and spyware. They are collections of code developed with the express intention to cause damage or gain unauthorized access to systems.
Malware is delivered through many means, such as a hyperlink or a file sent over email. Typically, action on the receiver’s part is required to execute the malware, such as opening the file or link.
Phishing occurs when someone or something mimics a trusted, reputable entity in order to collect private information from you. You, in turn, provide the requested private information, trusting the source of the email.
This happens frequently to banking customers and is not exclusive to the Internet. Other phishing methods could be in the form of in-person calls from those claiming to be a representative of a reputable company.
SQL injection is an attack that exploits weaknesses in the SQL database of unsecured websites in order to get the website to extract information from the database. This is one of the least sophisticated types of attacks, requiring minimal technical knowledge. It does, however, require that the target has not patched this particular vulnerability.
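The weakness described above usually comes from building the query text out of user input. The script below is an added example, not code from any site mentioned in this article: it puts a lookup that concatenates input into the query next to one that uses a bound parameter. The table, columns and rows are constructed for illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [
            ("ann@example.test", "1111"),
            ("ben@example.test", "2222"),
            ("cat@example.test", "3333"),
        ],
    )
    return conn


def find_customer_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Unsafe: the input becomes part of the SQL text, so quotes in it change the query."""
    query = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def find_customer_safe(conn: sqlite3.Connection, email: str) -> list:
    """Safe: the input is passed as a bound parameter and is only ever treated as data."""
    query = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


# Constructed input containing a quote that closes the string literal early.
CRAFTED_INPUT = "nobody@example.test' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("normal lookup:       ", find_customer_safe(db, "ann@example.test"))
    print("concatenated query:  ", len(find_customer_vulnerable(db, CRAFTED_INPUT)), "rows returned")
    print("parameterized query: ", len(find_customer_safe(db, CRAFTED_INPUT)), "rows returned")
```

The concatenated version returns every row for the crafted input, while the parameterized version returns none because no customer has that literal string as an email address.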
Why Should This Concern You?
In the first six months of 2019, over 4.1 billion records were compromised from over 3,800 publicly disclosed data breaches and hacks. Data breaches hurt both individuals and organizations by compromising sensitive information.
As an Individual
Being a victim of stolen data could prove detrimental to you as this can lead to serious damage. This includes possible financial loss and even emotional trauma. Once compromised, it can be extremely difficult to regain your sense of cyber identity and security.
As an Organization
Significant revenue loss is the common result of a security breach for any company. This comes in the form of not just monetary loss, but also serious reputational damage. Studies have shown that 29% of businesses which face a data breach end up losing revenue and of these, 38% experienced a loss of 20% or more.
What You Can Do
Using the web responsibly is as much on you as it is on the sites and services you rely on. Online security needs to be taken seriously and there are both methods and means through which this can be achieved.
Make Use of Privacy Tools
Using an online anonymity and privacy tool such as a Virtual Private Network (VPN) helps to protect your online identity and secure your data. These allow you to access the web through secure servers and help by encrypting data as well.
The line between Antivirus and anti-malware applications is beginning to blur. In some cases you will find applications capable of doing both. They help safeguard you from the many nasty bugs floating around the net and can also help by removing malicious scripts.
Have Good Security Practices
This can be a pretty exhaustive list of things to do since we can always learn more ways to stay safe online. However, attempting everything can be somewhat difficult (and overly paranoid). To give you an idea, here are a few tips from a very exhausting list:
- Consistently reset your passwords after certain periods of usage
- Use only strong passwords and do not reuse them across sites
- Delete accounts on sites or services you no longer need
- Avoid sharing too much personal information online
- Make use of secure authentication where possible, such as 2FA
Always Monitor your Financial Accounts
Always be on the alert for any suspicious activity where your bank accounts are concerned. If you feel uncomfortable with the nature of any transactions, just give the bank a call to find out more. Remember, it is usually possible to set limits on your financial transactions through online banking systems.
Monitor your Inbox
Look out for any suspicious emails. Be especially careful of phishing emails. Opportunistic cybercriminals love to send out phishing emails spoofed to look like they’re coming from hacked accounts in an attempt to get you to give up personal information.
It is a known fact that a data breach is costly and very detrimental to an organization’s overall health. So, doesn’t it make sense to be proactive about data security and avoid a breach in the first place? Some things you can consider include:
By using data segmentation, you spread out your data. While this might not prevent data from being stolen, it can potentially slow criminals down or even mitigate some damage.
Enforce Principle of Least Privilege
There have been many cases whereby unauthorized employees have exploited company data. Part of this is due to accounts having unrestricted privileges. The Principle of Least Privilege (PoLP) restricts each user account to only being able to handle what it was designed to.
Use a Business VPN
There are two main categories for VPN services – consumer and business. Business VPNs are typically expensive, but smaller companies can opt for solutions like NordVPN Teams. These small-scale VPN solutions are cost effective and help boost your security immensely.
Over the years, data breaches have simply gotten worse as more of the world gets connected. Companies are also more haphazardly collecting data, since it has become such a wonderful source of revenue. Google and Facebook alone are two good examples of this.
What’s even scarier is that oftentimes, data breaches can go undetected for many years. By the time they are discovered, it may be too late for many of those whose information has been compromised.
Do your part and be aware of this. Take charge of your online security and privacy today and help build a better web.