A hacker attack happens every 39 seconds in the US.
This frequency may be worrisome at first.
However, in reality, most attacks have little impact on society, even though high-profile attacks do happen. They’re not Voldemort-dangerous, but some of them come pretty close.
There are five key targets the biggest data breaches in modern history share. These are your full name, email address, physical address, IP address, and credit card information.
Here’s a taste of what we are talking about:
- The first data breach to compromise more than 1 million records happened at DSW Shoe Warehouse.
- Yahoo’s decline was certainly accelerated by the largest reported data breach up until this moment: 3 billion accounts were exposed.
- Identity/biometric data of 1.1 billion people in India were disclosed.
- Sneaky hackers managed to collect the personal data of over 505 million guests of Marriott International until 2020.
- 412 million members of the adult network FriendFinder were also penetrated by eager data thieves.
- It took a single young hacker several years to access over 200 million user accounts with sensitive information; they belonged exclusively to Court Ventures.
- LinkedIn became known as LeakedIn after 117 million accounts were stolen.
- Fitness enthusiasts weren’t spared the blushes either – nearly 113 million FitMetrix users unwillingly shared their personal data with unknown hackers.
- Going further back in time, in 2008 134 million credit card numbers were lifted from Heartland Payment Systems.
- While on topic, Equifax reported the payment data of over 145.5 million users exposed as recently as 2017.
I won’t be reviewing the Great Papyrus Attack back in the day, even though it was a massive breach in its own right. I’ll instead take a look at the pitfalls of modern security and how they’ve affected us.
Let’s start with the question: “What was the first ever data breach?”
The year 2005 marked a milestone in the history of data breaches, becoming the year when many of the largest on record first occurred.
In March of that year, the DSW Shoe Warehouse reported that 1.4 million credit card numbers and names had been exposed. In January, George Mason University was breached and 32,000 students and staff were affected, with their names, pictures and Social Security numbers stolen. In June, hackers accessed 40 million credit card accounts from payment processor CardSystems Solutions.
But first, let’s review the most recent security breaches in 2022.
Data Breaches in 2022
2022 began with numerous cyber attacks. Although they aren’t the biggest data breaches of all time, the attacks exposed millions of users’ data, including personal information, emails, passwords, and credit card numbers.
That goes to show that even the modern top security systems aren’t as effective as one would hope.
So, without further ado, coming up are the latest information breaches in 2022. Here are the top 3 biggest data breaches in 2022:
- Magecart Attack on Commerce Platform BigCommerce (February 2022; Personal information of over 2.5 million customers exposed by hackers).
- Data Breach at Capital One Bank (January 2022; Exposed Social Security numbers, bank account numbers, addresses, and phone numbers of more than 100 million customers).
- Cyberattack at Twitter (July 2022; Hackers gained access to the personal information of some high-profile accounts including former President Obama and Elon Musk).
Data Breaches in 2021
Microsoft Data Breach 2021
(Source: Upguard)
Records exposed: 30,000 US companies (60,000 companies worldwide)
2021 saw one of the largest data breaches in Microsoft’s history when hackers exploited multiple zero-day vulnerabilities in their Exchange email servers to gain unauthorized access to small business and local government emails. The attack affected over 30,000 US businesses, making it one of the most widespread cyberattacks in US history.
Elasticsearch Data Breach 2020
(Source: BankInfoSecurity)
Records exposed: 250 million
One of the most recent information leaks involves Microsoft. The tech giant “accidentally” exposed 250 million customer support records for over three weeks. What happened was that Microsoft stored this data in five misconfigured Elasticsearch databases.
Although the company’s investigation didn’t reveal any data theft, its stock sank by almost $10 per share.
Clearview AI Data Breach 2020
(Source: The Daily Beast)
Records exposed: Unknown (the company’s entire customer list)
In February, the controversial company reported that a hacker “gained unauthorized access” to its client list. Many of its customers are law enforcement agencies that can take photos of a suspect and compare them to the company’s database of over 3 billion images.
The company’s reaction to the cyber breach was simple: “Unfortunately, data breaches are part of life in the 21st century.” However, the firm claims to have fixed the vulnerability and its servers are safe.
Nintendo Data Breach 2020
(Source: The Verge)
Records exposed: 160,000
In April, Nintendo announced that about 160,000 accounts, email, and password lists had been exposed. The list of leaked data also includes names, dates of birth, gender, and country.
The company urged its users to use two-factor authentication to improve the security of their accounts.
On the bright side, no credit card information was leaked so the users’ coins are safe in the block.
Get it?
Anyway, on to the next one.
Tetrad Data Breach 2020
(Source: UpGuard)
Records exposed: 120 million
In February, Tetrad became a victim of a massive data breach that exposed information about millions of American households and businesses.
The company had misconfigured an Amazon S3 bucket, making the data accessible to anyone with a web browser. The information was located in three files totaling 747 GB. Thankfully, a week after the leak was discovered, the company fixed the vulnerability.
Virgin Media Data Breach 2020
(Source: BBC)
Records exposed: 900,000
Companies surely make cybercriminals’ jobs easier.
In May, Virgin Media admitted that the personal data of about 900,000 users was left accessible and unsecured for 10 months.
The reason?
A misconfigured database, of course!
Someone should really try to teach these guys how to properly configure a database.
It was accessed at least once by an unauthorized user. On the bright side, the leaked information didn’t include any financial information.
Wawa Data Breach 2020
(Source: ZDNet)
Records exposed: 30 million
Our data breaches list for 2020 wouldn’t be complete without Wawa. In January more than 30 million payment card details were put up for sale on Joker’s Stash, one of the biggest fraud bazaars online.
The company announced the breach in December 2019, but the data appeared on the black market a few days after New Year’s Eve. This payment card breach ranks among the biggest ones, along with Home Depot (50 million) and Target (40 million).
GoDaddy Data Breach 2020
(Source: Security Magazine)
Records exposed: 28,000
On April 23, GoDaddy identified that SSH usernames and passwords had been compromised via an altered SSH file. It’s unclear if this recent data breach was because of previously stolen login details or brute force attacks, but the hosting provider stated that “the threat actor did not have access to customers’ main GoDaddy accounts.”
Although 28,000 exposed records can’t be called a major data breach, considering that GoDaddy manages 77 million domains, this leak raises some security questions.
Now.
The numbers clearly show how vulnerable user data can be. They might nudge you to take a little extra care whenever you are online.
That said, let’s move on to the world’s biggest data breaches.
Yahoo Data Breach
(Source: CSO)
Year: 2013-2014
Records exposed: 3 billion
Yahoo is far from its former glory. The massive fall of the Yahoo empire started in 2013. A yet unknown party broke into Yahoo’s database, gaining access to 3 billion accounts. This is the biggest hack Yahoo has ever encountered and the largest data breach in history. And they only discovered it in 2016.
The attack happened right in the middle of their negotiations with Verizon, which later acquired Yahoo for $4.48 billion. The revised price was $350 million less than previously expected, but that was just the tip of the iceberg for Yahoo.
The stolen information included full names, dates of birth, email addresses and passwords, and security questions and answers.
The company claims the attack was conducted by state-funded hackers. A Vice article further shows the Department of Justice is pointing to members of the Russian Federal Security Service as the initiators of the massive Yahoo data breach.
The personal details were allegedly used to compromise (possibly blackmail) both US and Russian officials, journalists, and some private sector individuals. Some of the account details were also put up for sale on “TheRealDeal”, a known darknet virtual marketplace.
Knowledge is power, right?
Although it happened years ago, this breach still tops the Most Famous Data Breaches Leaderboard.
River City Media Data Breach
(Source: TheRegister)
Year: 2017
Records exposed: 1.37 billion
One of the more concerning recent data breaches happened in the spring of 2017 when River City Media encountered massive data exposure.
I’ve never seen a person jump in joy upon seeing a spam email. To my genuine surprise, it turns out many people open those, thus providing some metrics of data to spam-oriented enterprises.
River City Media somehow managed to allow unauthorized access to a large database of emails and postal addresses. This resulted in 1.37 billion subscriber records suddenly being released out in the wild.
However… this wasn’t exactly a breach.
The Jackson, Wyoming-based marketing company granted free access to a 200GB repository. According to Chris Vickery, who first discovered the issue, the data was quietly waiting in a system with no password protection.
Turns out some of the biggest data breaches of all time aren’t always caused by hackers, eh?
OK, let’s see what the sloppy fellas leaked – real, full names, and IP/email/physical addresses. Tens of millions of people had their information leaked to anyone willing to access it.
In addition, the breach shed light onto RCM’s development plans, along with a list of undisclosed affiliates of the company.
River City Media didn’t respond to the leak right away, as they kept their intentions secret. But high-profile data breaches don’t usually appreciate silence.
The brand tried to explain its lack of action by later stating that all data was legally obtained according to the FTC and Can-Spam Act of 2003 requirements. However, this didn’t save them from receiving a Spamhaus blacklist mark.
Marriott International Data Breach
(Source: Vox)
Year: 2014-2018, 2020
Records exposed: 505+ million
We’re moving to the hotel business for a bit. Marriott International announced on November 30th that its data records have been breached. The hackers had access to their records from 2014 up to late 2018. And once again in January 2020.
When we talk about data breaches in 2020 we can’t miss Marriott International. One of the most recent security breaches allowed access to the personal data of more than 5.2 million guests. The data includes contact details, personal information, preferences, and more.
However, in terms of big data breaches, 5.2 million records isn’t that impressive. So let’s see what happened a few years back – from 2014 to 2018.
As far as cyber security breaches go, this was one of the longest-standing ones. Bullseye.
The spoils of the breach were estimated to be the personal information of 500 million people.
The database contained names (full and partial combinations), mailing/email addresses, phone numbers, account info, date of birth, gender, reservation dates, arrival/departure times, payment card numbers/expiration dates, and passport information.
Thankfully, all credit card information (8.6 million credit/debit card numbers) was under AES-128 encryption. OK, at least the payment information is safe… if nothing else.
This is one of the largest data breaches and a huge portion of the data was readable by anyone.
For example, 5.25 million customer passport numbers were unencrypted. This was just slightly north of 20% of all numbers on record, as another 20.3 million of them were actually encrypted. Marriott International made a further evaluation of the damages and estimated the number of affected customers at 383 million.
Alright, so who has any use of so many guest records? A naïve question, yes, but experts believe that Chinese intelligence-gathering teams are behind the attack.
The fact of the matter is, Marriott International still hasn’t disclosed who it thinks is behind one of the most famous data breaches ever.
They reacted to the news about the breach by saying their primary objectives were “to figure out what occurred” and “how they can best help their guests”.
FriendFinder Network Data Breach
(Source: ComputerWorld)
Year: 2016
Records exposed: 412 million
Some people would prefer giving away access to their bank account rather than having their sexual history made public. That’s why it’s no wonder this one was named “the biggest breach of 2016”. The exposed records amounted to over 412 million pieces of information, including usernames, passwords, and email addresses.
Hacking the user base of the “World’s Largest Sex & Swinger Community” could easily classify as one of the world’s biggest data breaches, considering the sensitive nature of the information. The FriendFinder Network suffered a security breach containing customer data, accumulated over more than two decades. The data was spread across six different databases – FriendFinder, Adultfinder, Cams, Penthouse, iCams, and Stripshow.
LeakedSource’s assessment is that all sensitive information was stored either in plaintext or hashed with SHA-1, which is a lousy way to store customer data. Again, LeakedSource points to October as the most likely period of the hack.
Yes, this time it’s hackers.
FriendFinder claims they care about their clients’ security. Well, they could have shared the information about the security breaches sooner. It’s just common courtesy to set things straight with their clients and warn them. “Hey, people, we kind of got hacked… just so you know.”
Additionally, LeakedSource even managed to crack 99% of the hashed passwords. Naturally, the most used password turned out to be 123456. I’m not saying “vanillaicecream1902” is easier to remember, but it may make your account just a bit safer. (And it still is much safer, according to experts.) That said, for those of you who still use that kind of password we’ve prepared an actionable guide on how to create a strong password.
MySpace Data Breach
(Source: TechCrunch)
Year: 2016
Records exposed: 360 million
February 2016 wasn’t at all calm for MySpace.
Even though many have forgotten about the platform, it still exists. It was responsible for one of the biggest data breaches to date, scoring over 360 million points on the Stolen Account Records app.
(There is no such app, don’t search for it.)
Although Time Inc., the current owner of MySpace, confirmed the stolen data was old, it is still a big hit. According to them, the hackers only managed to acquire data from before 11 June 2013. And what did they get? Email and password lists. Even a second password once in a while.
MySpace CFO, Jeff Bairstow, was quick to reassure the users that they take data security “extremely seriously”.
Even though it doesn’t seem as severe as the previous cybersecurity breaches, these accounts hold all kinds of personal information. Name, occupation, network activity, and some prehistoric metrics from when MySpace was popular.
Also, consider this – many users are accustomed to typing the same password for all of their online accounts. If anyone gains knowledge of your MySpace password, chances are they will be able to log into at least one of your other internet profiles.
So, variety is key.
Exactis Data Breach
(Source: Wikipedia)
Year: 2018
Records exposed: 230 million
While looking at all the recent data breach cases in 2018, it wasn’t long before the name Exactis surfaced. A data aggregation/marketing company situated in Palm Coast, Florida, that… you guessed it, was also hacked.
It seems that they support the approach of showing less, while knowing a whole lot more.
It’s concerning that Exactis somehow managed to expose personal information about 230 million US citizens in 2018. The breach came to light in June by the hand of Vinny Troia, a security researcher who was checking the defenses of the company ElasticSearch.
Troia used Shodan, a search engine targeting internet-connected devices, to discover one of the biggest data breaches in 2018 – about 7,000 different databases on public servers. One of those belonged to Exactis and it was just chillin’ out, totally unprotected.
Just like your high-school lunch left on the common table in the cafeteria.
Unlike the precious food bite, however, the Exactis database consisted of around 340 million records. A little over 66% of those are tied to individuals, while the rest belong to nation-wide operating companies.
Thankfully, no social security numbers or credit card numbers were disclosed.
However, a lot of other information was leaked: physical addresses, email addresses, phone numbers, age, gender, even the customers’ children’s gender, religious affiliation, and smoking habits.
Yet again, it is unclear if this was a coordinated hacker breach or just a sloppy leak.
Court Ventures Data Breach
(Source: KrebsOnSecurity)
Year: 2013
Records exposed: 200 million
Getting back to major hacking events for a change, October 2013 brought Court Ventures, a company belonging to Experian, a breach where 200 million consumer records were exposed. The way the breach took place is fascinating.
Hieu Minh Ngo, aged 25, managed to run a completely unseen identity theft operation for quite some time. The hacker posed as a P.I. with an address in the United States to gain access to customer information for as long as ten months.
This was enough to gather 200 million records of sensitive personal information.
He then sold it to over 1,300 people on both his ID theft websites – Superget.info and Findget.me. Information security breaches can be quite profitable sometimes.
He did all of this while in Vietnam. Nonetheless, he was later sentenced to 13 years in a US federal prison in July 2015.
According to The San Diego Union-Tribune, it’s possible that more than 30 million consumers were victims of stolen data. In addition, 13,000 fabricated tax return forms were filed by Ngo and his possible affiliates.
This resulted in gathering $65 million in non-existing tax refunds.
Experian stated back in December 2013 that no customers were harmed by the breach. At least not to their knowledge.
Deep Root Analytics Data Breach
(Source: UpGuard)
Year: 2015
Records exposed: 198 million
December 2015 saw one of the largest cyber security breaches around Christmas, with Donald Trump still just a presidential candidate.
Turns out over 198 million voters’ records were kept in a poorly protected database – full names, state of residence, addresses, date of birth, phone numbers, and voting details were all disclosed to the public. Ethnicity and religion details were also in the pack.
Chris Vickery was again the one to spot the vulnerability. He shared that all the information was kept on a cloud server without any defenses. 1.1TB of data was up for grabs by anyone with a quick mind.
TargetPoint Consulting and Data Trust were also involved in the election breach, but the main responsibility lies with Deep Root Analytics.
Following the previous data breach news in Mexico and the Philippines, which affected a tad over 100 million individuals, the DRA breach raised concerns about how voting information is protected around the world.
Massive American Breach
(Source: Technology Review)
Year: 2005-2012
Records exposed: 160 million
This one was a massive, coordinated attack.
A group of Russian hackers managed to access and gather credit/debit card numbers from several companies for seven full years, between 2005 and 2012.
There was a total of 15 hacked companies – 7-Eleven, JC Penney, Heartland Payment Systems, Carrefour, Wet Seal, Dexia, Commidea, Hannaford, JetBlue, Euronet, Dow Jones, Global Payment, Visa Jordan, Ingenicard, and Diners Singapore.
Back in the day, the operation was called “the largest hacking and data breach scheme ever produced in the United States” by a New Jersey prosecutor, Paul Fishman. Although we now know of bigger breaches, this one was shocking at the time.
The breach caused hundreds of millions in losses for the companies that have been hacked and their consumers. In addition to those, three corporate victims reported over $300 million in losses due to the attack.
Not to mention the identity theft possibilities.
According to the Newark Federal Court, the perpetrators were Vladimir Drinkman, Alexandr Kalinin, Roman Kotov, Mikhail Rytikov, and Dmitriy Smilianets – all based in either Russia or Ukraine.
Reports suggest that Smilianets managed to sell the leaked credit card numbers and shared the profit with his team members before they were convicted.
Under Armour Data Breach
(Source: Forbes)
Year: 2018
Records exposed: 150 million
In March 2018, the health app MyFitnessPal made public one of the largest data breaches in the healthcare niche.
The breach of privacy affected 150 million users. The records included usernames, email addresses, and hashed passwords. Now, as you may have already noticed, there’s a silver lining to this situation – the passwords were hashed. This means the hackers would have had a hard time recovering the passwords, even with the data already in their possession.
If you’re unfamiliar with this sort of thing, you may wonder why.
Well, depending on the strength of the hashing algorithm, passwords can stay safe for decades, even after major data breaches. Or be cracked in a matter of minutes. So yes, just because the passwords are hashed doesn’t mean they are safe.
Although respected companies use the highest-ranked encrypting tools, users are still advised to change their passwords after such a breach.
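The difference between the FriendFinder case (plaintext or unsalted SHA-1) and properly hashed passwords can be shown in a few lines. This is an added example, not code from any of the companies mentioned; the user names, the wordlist, the function names and the PBKDF2 work factor are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: two of the three users picked the same weak password.
SAMPLE_USERS = {
    "alice": "123456",
    "bob": "123456",
    "carol": "vanillaicecream1902",
}
# Constructed stand-in for a "most common passwords" list.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]

PBKDF2_ITERATIONS = 600_000  # assumption: work factor chosen for this example


def store_sha1(password: str) -> str:
    """Weak storage: a single fast, unsalted SHA-1 pass."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_pbkdf2(password: str) -> str:
    """Stronger storage: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def audit_sha1_table(table: dict, wordlist: list) -> list:
    """Password audit: accounts whose unsalted digest matches a common password.

    Without a salt, each wordlist entry is hashed once and the result is
    checked against every account at the same time.
    """
    lookup = {store_sha1(word) for word in wordlist}
    return sorted(user for user, digest in table.items() if digest in lookup)


def shared_values(table: dict) -> list:
    """Groups of users whose stored values are identical (same password visible)."""
    groups = {}
    for user, value in table.items():
        groups.setdefault(value, []).append(user)
    return sorted(sorted(group) for group in groups.values() if len(group) > 1)


def build_tables(users: dict):
    """Return (unsalted SHA-1 table, salted PBKDF2 table) for the same users."""
    sha1_table = {user: store_sha1(pw) for user, pw in users.items()}
    kdf_table = {user: store_pbkdf2(pw) for user, pw in users.items()}
    return sha1_table, kdf_table


if __name__ == "__main__":
    sha1_table, kdf_table = build_tables(SAMPLE_USERS)
    print("SHA-1 accounts matching the wordlist:",
          audit_sha1_table(sha1_table, COMMON_PASSWORDS))
    print("SHA-1 users sharing a digest:", shared_values(sha1_table))
    print("PBKDF2 users sharing a value:", shared_values(kdf_table))
    print("PBKDF2 login check:", verify_pbkdf2("123456", kdf_table["alice"]))
```

With unsalted SHA-1, identical passwords produce identical digests and one pass over a wordlist tests every account at once; with a per-user salt and a slow KDF, each guess has to be repeated per account at the full work factor.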
Being one of the more benign data breach examples, Under Armour assured customers that no financial data was leaked. Good thing they store financial and general info in separate locations.
No driver’s license or social security numbers were leaked as part of the breach either.
All in all, this attack didn’t have such destructive aftermath, but it’s concerning nevertheless.
Equifax Data Breach
(Source: LifeLock)
Year: 2017
Records exposed: 145.5 million
A chilling example of the most recent data breaches was exposed in 2017. The hacker attack affected 145.5 million United States consumers, gaining access to detailed personal information.
Equifax, a renowned company in the credit reporting field, discovered the breach on July 29. The breach was big, as it released full names, social security numbers, birth dates, addresses, and driver’s license numbers to public use.
Equifax’s advice to customers was just general reassurance and no substance. That’s the route many companies take in situations like these.
After the Equifax data breach, they shed some light on the hacker attack in a detailed press release. According to them, the perpetrators used a vulnerability in the US website app to break their defences.
However, no unauthorized activity seems to have happened in the compromised accounts.
Preventing such breaches should be a top interest for any enterprise. It takes time, dedication, and an understanding of the environment. Then again, this applies to hacking as well.
eBay Data Breach
(Source: BankInfoSecurity)
Year: 2014
Records exposed: 145 million
In 2014, eBay announced it had become a victim of a cyber attack.
Each of the 145 million customers’ eBay accounts was hacked. The cybercriminals obtained personal information and encrypted passwords.
This was one of the biggest data breaches of all time and was conducted by using employee login credentials, of all things. It’s not public knowledge whether the employee was “in” on the plan, or if the company was actually hacked.
The personal information I referred to included dates of birth, mailing addresses, phone numbers, and full names. No financial information was compromised according to the platform.
Two weeks after the breach occurred, the company assured users no suspicious activity took place in any of the user accounts.
No financial details were disclosed, but the eBay data breach still consisted of nearly 150 million records. More than enough information to do some damage.
According to Al Pascual, an experienced security analyst at Javelin Strategy and Research, the breach was likely approached with a spear phishing campaign. Spear phishing is an email-spoofing tactic, designed to target specific members of a company to acquire unauthorized access.
“The system is as secure as its weakest link, and that is very often its people,” added the expert.
“We are working with law enforcement and leading security experts to aggressively investigate the matter,” the brand shared after the initial breach report.
Heartland Payment Systems Data Breach
(Source: Comodo)
Year: 2009-2017
Records exposed: 134 million
A decade ago, the Heartland Payment Systems breach was considered the biggest such operation yet.
During one of the most damaging high-profile data breaches, intruders stole 134 million unique credit cards, including the coded data on the magnetic card strips.
This was a big one.
Heartland Payment Systems conducted around 100 million transactions in 2008, servicing 175,000 merchants. All of them relied on this company to keep their clients’ information safe. As you can imagine, any leaked information affected not just the company, but all the businesses they were working with. Most of those were small to mid-sized retailers.
Considering this was one of the biggest data breaches ever, it happened in a fairly pedestrian way. The operation was initiated by an SQL injection. Simply put, hackers included additional database commands in web scripts to get the server to obey their commands.
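How SQL injection changes a query, and how a parameterized query closes the hole, shown on a constructed in-memory SQLite table. This is an added example and not Heartland's code or schema; the table, column and function names are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed sample table in memory (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (merchant TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("shop-a", "1111"), ("shop-b", "2222"), ("shop-c", "3333")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, merchant: str) -> list:
    """Vulnerable pattern: user input is pasted into the SQL text.

    A quote character in the input ends the string literal, so whatever
    follows is parsed as SQL instead of being treated as data.
    """
    query = (
        "SELECT card_last4 FROM accounts WHERE merchant = '"
        + merchant
        + "' ORDER BY card_last4"
    )
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, merchant: str) -> list:
    """Hardened pattern: the driver binds the value, so it can never become SQL."""
    query = "SELECT card_last4 FROM accounts WHERE merchant = ? ORDER BY card_last4"
    return [row[0] for row in conn.execute(query, (merchant,))]


# Constructed input that turns the WHERE clause into an always-true condition.
TAUTOLOGY_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("normal lookup:        ", lookup_vulnerable(db, "shop-a"))
    print("vulnerable + crafted: ", lookup_vulnerable(db, TAUTOLOGY_INPUT))
    print("parameterized + same: ", lookup_parameterized(db, TAUTOLOGY_INPUT))
```

The concatenated query returns every row for the crafted input, while the parameterized query looks for a merchant literally named `x' OR '1'='1` and finds nothing.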
The hackers had been taking advantage of the vulnerability for eight years as the initial breach happened all the way back in 2009.
According to the Heartland report, hackers took eight months to enter the payment processing system without being detected. All antivirus providers Heartland used were unable to spot them.
As major hacking events go, the people behind this one were going for the long con. Attackers’ determination finally paid off when a “sniffer” spyware entered the scene.
Usually, such spyware can be used to gather and monitor network traffic – companies then analyze it and solve any issues present.
On the other hand, “sniffers” can also point hackers to their target information. Reports suggest the group had all the information they needed to use the stolen credit cards after the breach.
The grim result for Heartland Payment Systems was a termination of their connection with PCI DSS, a decrease of revenue, $145 million in compensation, and a total of over $200 million in losses.
Nametests Data Breach
(Source: Fossbytes)
Year: 2017-2018
Records exposed: 120 million
The list of recent data breaches can’t be complete without the one where Facebook was involved.
I think we all have at least some passing knowledge of what happened during the Facebook-Cambridge Analytica scandal some time ago. Mass panic, “I’ll delete my Facebook” claims, Zuckerberg is a robot.
I’m not going to go deeper into the scandal itself, but rather focus on Nametests.
Nametests?
I reacted the same way when I first heard it. Turns out Nametests is a Facebook Quiz app used to determine which fictional character suits you best.
Nametests made their way into the biggest data breach of 2018 by exposing the personal data of 120 million users. Had Inti De Ceukelaire not detected it, the app would have continued to abuse user information.
The security researcher spotted the Nametests slip during Facebook’s Data Abuse Bounty program.
Ceukelaire set up a newly created website and established a connection to Nametests. He didn’t break a sweat accessing all stored Facebook profile details – names, pictures, posts, occupations, and so on.
In addition, Nametests was distributing tokens granting real-time access to users’ feeds. Even if you have deleted the app, it would still share your personal information with any third party on its website.
LinkedIn Data Breach
(Source: Fortune)
Year: 2012
Records exposed: 117 million
Going back to 2012, LinkedIn suffered a 6.5 million user account theft. Naturally, the internet community awarded them with the nickname “LeakedIn”.
This is easily one of the world’s biggest data breaches up to date.
While 6.5 million is still a lot, LinkedIn acted swiftly and deactivated the compromised accounts.
The acquired data was posted for sale on a Russian-based forum. LinkedIn reacted, and the problem was soon no more. This gave it time to recover, but in May 2018 new gruesome details surfaced.
The alleged count of the 6.5 million leaked accounts suddenly turned out to be 117 million instead. On top of that, they were available for purchase on the dark web marketplace. “Peace” or “Peace_of_Mind”, a Russia-based hacker, put them up for sale at five BTC (Bitcoin) and turned LinkedIn into one of the most famous data breaches to date.
LeakedSource claims to also own a searchable list of this database, available with a $4 one-day trial option.
Carry Scott, CISO at LinkedIn, stated they’ve reset the leaked accounts’ passwords.
MindBody Data Breach
(Source: Pymnts)
Year: 2018
Records exposed: 113.5 million
In 2018, FitMetrix became a part of the MindBody family. And it also joined the club of companies that have been hacked.
MindBody, a gym and wellness service giant themselves, paid $15.3 million for the acquisition. Little did they know, it would cost them a lot more than that.
A massive data breach of 113.5 million user accounts took place at FitMetrix. Each record consisted of usernames, email addresses, gender, phone number, pictures, height, weight, shoe sizes, and desired gym locations.
Emergency contacts were also listed, as well as bits of information labelled “more information”.
Bob Diachenko discovered this fairly recent data breach in 2018. Diachenko is a director of cyber-risk research at Hacken and is considered an expert on the topic. His report showed a number of MindBody servers were not password-protected.
One of their databases even had a ransom note attached to it.
In his opinion, the intruders were accessing a database, exporting it, deleting it, and attaching the ransom note afterwards. MindBody didn’t put much thought into his findings.
They acted on the breach only after a TechCrunch article came to light.
“We took immediate steps to close this vulnerability,” stated the company. You know, the months-later kind of immediately.
TJ Stores Data Breach
(Source: ComputerWorld)
Year: 2007
Records exposed: 100 million
One of the biggest data breaches of 2007 became public knowledge when TJX Companies disclosed information about a hacker attack targeting over 100 million customer records.
Hackers were targeting the usual types of information such as credit card numbers, purchase return records, full names, and driver’s license numbers.
45.6 million of those were card numbers belonging to users in various countries. However, the lawsuit against TJX puts the actual number at 94 million.
Similarly to the data breaches of 2018, this one from twelve years ago managed to affect the company’s market valuation. According to 2007-8 stock market statistics, the shares of the company suffered a decline, going from $30 to $29 – a 3.4% decrease in company value.
TJX breach expenses added up to around $250 million. This included security flaws research, claims, lawsuits, and fines.
The hacker first held responsible for the breach, Albert Gonzalez, was determined to have acted with the full authorization of the US Secret Service.
He managed to appeal his sentence in 2011, but the TJX breach will remain in history as the most shocking of its time.
VK.com Data Breach
(Source: TheHackerNews) Year: 2016 Records exposed: 100 million
Another of the recent data breaches sends us to VK.com, the most developed social networking platform in Russia.
The site suffered a breach that resulted in over 100 million records being leaked in 2016.
It is believed that the accessed records included full names, email addresses, locations, phone numbers, and plain-text passwords.
The last item on this list is enough to question not only the security level of VK but their whole attitude towards cyber-security. Being a social network giant (therefore having this massive bullseye on its back), it’s criminal incompetence to store user credentials without any form of encryption.
Therefore, this is one of those major data breaches that could have been easily avoided.
The illegally obtained information was later put up for sale by none other than Peace. He seems to be involved in a lot of these operations – Tumblr, MySpace, LinkedIn, and VK. And those are just the ones we are aware of.
In 2016, all VK records were available for purchase for 1 Bitcoin. This used to translate to $600 back then.
This sale opportunity revealed that most of the credible data stolen were from the 2012-2013 period. This is a positive sign, as at least some of it was likely outdated.
On the other hand, that’s a lot of time for a company to remain unaware that one of the biggest data breaches ever occurred under its roof.
Firebase Data Breach
(Source: BleepingComputer) Year: 2018 Records exposed: 100+ million
If you used Firebase (from Google) in 2018, chances are you will be concerned by the upcoming paragraphs.
In essence, Firebase offers an array of services and tools to mobile and web-based app developers.
Android developers are particularly attracted to the platform as it enables push notifications, cloud messaging, analytics, ads, databases, and more. All of these are convenient for coordinated app development.
So far, so good.
All those neat goodies are the perfect setup for a quality app. However, a high-quality app doesn’t necessarily mean foolproof security, as we’ll soon find out. This case is about one of the biggest data breaches of 2018.
In fact, in January 2018 it was found that more than 113GB of sensitive data was held unprotected in Firebase databases.
2,271 unique databases… all of which were connected to 3,046 apps in total – 2,446 for Android and 600 for iOS.
In pure numbers, these amounted to over 100 million records that were up for the taking.
The records contained over 2.6 million plain-text passwords and usernames, over 4 million Protected Health Information records, 25 million GPS locations, 50,000 financial records, and 4.5 million social network tokens.
What do companies that have been hacked do in such situations?
It turns out, Firebase requires developers to secure their own databases during the development process. The platform itself doesn’t have security protocols. In essence, this means there were 3,046 Firebase users who need to get a lesson (or two) in cyber security.
I hope they are reading this article.
Quora Data Breach
(Source: NakedSecurity) Year: 2018 Records exposed: 100 million
This super popular website took a serious hit in 2018. You’d think that such an intelligent website would have better thought-out security in place.
Alas, on November 30, the site detected their data was being compromised by a third party.
100 million stolen records listed Quora among the biggest data breaches ever.
The taken user details listed names, email addresses, and hashed passwords.
Imported data by legitimate users, non-public content, and direct messages were also included. The hackers retrieved questions and answers publicly visible on the website as well. (Not that the latter is much of a breach in itself; more like a regular usage of Quora.)
As for the further investigation of the problem, Quora stated they’ve identified the root cause and have taken steps to address the issue. They also promised to continue to make security improvements.
Twitter Data Breach
(Source: TheVerge) Year: 2018 Records Leaked: Unknown
This one is slightly different from the common data breach examples.
In 2018, Twitter discovered a bug that made all user passwords visible in an internal log. Usually, any respectable site runs your password through a hashing algorithm before storing it, so that nobody else knows it.
However, someone, or something, meddled in Twitter’s business and caused all passwords on the platform to appear in plain text. I’m not calling it a breach because it was found “on time”.
Or at least it seems that way.
Nevertheless, Twitter doesn’t share how long the alleged hack was active, and how many user passwords were actually compromised during this recent data breach of 2018.
They urged the Twitter user base (about 330 million people) to change their passwords, just to be safe. According to Reuters, the number of exposed records was “substantial.” This makes me inclined to believe there really was a massive leak. Or at least a good possibility of one.
This theory becomes even more likely after more recent information surfaced in January 2019. Twitter informed all Android users about a possible security flaw in their Android app. The “Protect Your Tweets” option apparently wasn’t working right. All Android tweets from 2014 till now were probably accessible by third parties.
Was the leak caused by dedicated hacker attacks or simple spaghetti code? We still don’t have an answer.
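Two failures recur in the VK and Twitter entries above: passwords stored in plain text, and passwords written to a log before they were hashed. The sketch below is an added example, not code from either company; it uses PBKDF2-HMAC-SHA256 from Python's standard library, and the iteration count, storage format and field names are assumptions.

```python
import hashlib
import hmac
import logging
import os
import re

ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def hash_password(password, salt=None):
    """Return a self-describing salted hash; the password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Matches password=..., "password": "...", pwd: '...' and similar fields.
SECRET_FIELD = re.compile(
    r'(?i)\b(password|passwd|pwd)(["\']?\s*[=:]\s*)("[^"]*"|\'[^\']*\'|\S+)')


class RedactSecrets(logging.Filter):
    """Safety net for the logging path: mask credential values in messages.

    An unquoted value containing spaces is only partly masked, so the
    primary control remains never passing secrets to the logger at all.
    """

    def filter(self, record):
        record.msg = SECRET_FIELD.sub(r"\1\2[REDACTED]", record.getMessage())
        record.args = ()
        return True


def render(message, *args):
    """Format one log line through the filter and return the result."""
    record = logging.LogRecord(
        "auth", logging.INFO, "auth.py", 0, message, args, None)
    RedactSecrets().filter(record)
    return record.getMessage()
```

In an application the filter is attached once with `handler.addFilter(RedactSecrets())`, so every record passing through that handler is masked.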
Conclusion
Each of the recent data breaches listed here caused the leak of more than 100 million records.
A hundred years ago, a lost mail cargo with a thousand letters would have seemed like a big deal. Nowadays, the numbers are in another league altogether and so is the wealth of information they hold.
Thankfully, Internet users (companies and individuals alike) are slowly but surely recognizing online security as important. Having a unique, strong password for each virtual account is the first logical step to protecting yourself. That way, even the biggest data breaches will have limited (if any) impact.
Browsing the Web also requires sensible thinking – make sure you’re on the right website, avoid suspicious links, and change your login credentials frequently. If you don’t want to bother – choose a password manager, which can take care of all these tasks. Also, don’t forget about using antivirus software that can save you a ton of trouble.
The internet is such an inextricable part of our daily lives that it only makes sense to learn to take care of ourselves online. For all its benefits, there’s a responsibility we must take in order to use it.
With a master's degree in telecommunications and over 15 years of working experience in telecommunications, networking, and online security, he deeply understands cybersecurity's value and importance. Max leverages his vast experience and knowledge to research the latest cyber threats, scams, malware, and viruses in-depth.