Complacency is a danger when it comes to a company’s security practices. When companies become complacent, they leave room for security vulnerabilities to appear and for breaches to occur. It is not uncommon for attackers to spend weeks, if not months on end, trying to break into an organization’s network. This may seem like a long time, and you might be thinking: “No one is going to spend months trying to hack our company’s network!” This is where you are mistaken. Your risk of attack is greatly increased if you are affiliated with any sort of government program, or if your company’s data can serve as a stepping-off point for other crimes.
The list below covers some of the largest security breaches of the 21st century. These breaches of massive companies should remind us that even the largest companies are not immune to being hacked.
1. Chinese Resume Leak
Date: December 28th, 2018
Exposed Data: 202,730,434 records
One of the largest data exposures ever leaked millions of Chinese job-seeker records. Ukrainian security researcher Bob Diachenko of HackenProof found an unprotected MongoDB database holding the PII of over 202 million Chinese users. The resumes contained all kinds of information: full names, phone numbers, political affiliation, email addresses, work experience, height, weight, marital status, and much more.
The total number of records amounted to a whopping 202,730,434, in a database of 854 GB. More than a dozen IP addresses have downloaded the resume data since the leak was announced and the database was taken offline.
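The database above was readable because it was reachable over the network with no authentication. As an added illustration that is not part of the original article, here is a small Python audit of a mongod.conf that flags exactly that combination. The two configurations are constructed for the example (they are not the leaked database's real settings); the keys net.bindIp, net.bindIpAll and security.authorization are real MongoDB options, and the localhost-only default for bindIp applies to MongoDB 3.6 and later. The minimal parser and the function names are hypothetical helpers written for this example.

```python
# Constructed example configurations (not the leaked database's real settings).
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface
# no 'security' section: authorization is off, so anyone who reaches the port can read everything
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the application host only (constructed addresses)
security:
  authorization: enabled        # every client must authenticate
"""


def parse_simple_yaml(text):
    """Parse the two-level 'section:\\n  key: value' subset used by mongod.conf.

    Hypothetical helper for this example, not a general YAML parser: it strips
    '#' comments, ignores blank lines and does not handle IPv6 literals such as '::'.
    """
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            if value:                     # top-level scalar
                result[key] = value
                section = None
            else:                         # start of a section
                section = key
                result[key] = {}
        else:
            if section is None:
                raise ValueError(f"indented key outside a section: {key}")
            result[section][key] = value
    return result


def audit_mongod(cfg):
    """Return a list of findings; an empty list means no exposure was detected."""
    findings = []
    net = cfg.get("net", {})
    sec = cfg.get("security", {})
    # MongoDB 3.6+ binds to localhost unless told otherwise (known default).
    bind_ips = [ip.strip() for ip in net.get("bindIp", "127.0.0.1").split(",")]
    listens_everywhere = (
        net.get("bindIpAll", "false").lower() == "true"
        or any(ip in ("0.0.0.0", "::") for ip in bind_ips)
    )
    auth_enabled = sec.get("authorization", "disabled").lower() == "enabled"
    if listens_everywhere:
        findings.append("net.bindIp accepts connections from every interface")
    if not auth_enabled:
        findings.append("security.authorization is not enabled")
    if listens_everywhere and not auth_enabled:
        findings.append("CRITICAL: unauthenticated database reachable from the network")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod(parse_simple_yaml(conf)) or ["no findings"])
```

Either setting on its own is a finding worth fixing; it is the pair, a listener on every interface with authorization off, that turns a configuration slip into a public data set, which is why the audit reports that combination as critical.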
This isn’t the first leak of its kind. In August 2018, the data of over 130 million clients of a Shanghai hotel went on sale for 8 Bitcoin on the dark web. A food-delivery application also had thousands of users’ data compromised. Worldwide, countries have been pushing for data protection and data privacy laws, and the new GDPR mandates in Europe aim to protect EU citizens’ data. Unfortunately, criminals do not play by these regulations.
The resume leak has the potential to enable identity theft. By taking the detailed resume information and doing a little online digging, a scammer can piece together a picture of someone complete enough to commit identity theft. The public may think this is just a bunch of resumes, but to the scammer it is much more.
2. FriendFinder Network
Date: October 17, 2016
Exposed Data: 412,000,000 accounts
A few years ago, the FriendFinder Network, the parent company of five other sites, had the data of over 412 million user accounts stolen. The attackers took advantage of a local file inclusion (LFI) vulnerability that enabled them to gain access to all of the FriendFinder sites. Unfortunately, this was the second time in less than a year that FriendFinder members had their account data exposed.
The company did itself a disservice in several ways. First, the passwords were not stored securely: they were either kept in plaintext or hashed with the SHA-1 algorithm, which is not secure. The attackers also discovered that FriendFinder had kept logins for a site it had sold off months earlier. To make things even worse, the company was retaining logins for over 15 million accounts that were supposed to have been deleted.
Not only did this hack expose current users of the platform, it also exposed past users. The public became aware of FriendFinder’s weak security posture and of the fact that it was retaining deleted accounts. After the leak, FriendFinder began receiving reports from a variety of other sources pointing out further security vulnerabilities in the platform.
The data leak left millions of users open to phishing and extortion attempts and, ultimately, expecting the worst.
3. Marriott Hotels
Date: 2014 – December 2018
Exposed Data: 500 million guests
A hacker gained access to guest information from the Marriott Starwood reservation database. This included names, addresses, phone numbers, email addresses, birthdays, passport numbers, reservation details, and more. Encrypted payment card numbers were also stolen, although the attacker may also have obtained the information needed to decrypt them.
The hotel breach began in 2014, and anyone who made a reservation between then and September 2018 could have been affected. Four years is a huge window for a breach to go unaccounted for. In response, Marriott set up a website and call center dedicated to telling customers what they should do in light of the breach.
Marriott is also offering free membership to WebWatcher, which monitors websites that try to sell PII for the user’s personal information and alerts the user if anyone is selling or trading it.
4. Yahoo
Date: Late 2014
Exposed Data: 3 billion user accounts
Yahoo believed a state-sponsored actor was responsible for the theft of over 3 billion user accounts in late 2014. Stolen information included names, telephone numbers, email addresses, birthdays, hashed passwords, and security questions and answers. User information also came from Tumblr, Fantasy, and Flickr. Fortunately, Yahoo does not believe any payment information was stolen.
Yahoo did take steps to notify users of the event and to secure their accounts. Further investigation identified the culprits as two Russian spies and two hackers.
5. Myspace
Date: June 2013
Exposed Data: 427 million customer records
In 2016, hackers stole 1 billion records; 95% of these belonged to the technology, government, and retail industries. The data collected included usernames, passwords, and email addresses.
Most people don’t use Myspace anymore, but users who still use the same credentials on other platforms should be wary and take action immediately. The advantage, for hackers, of compromising data from older sites is that the security typically isn’t as robust as it is today. Passwords are easier to crack, and many are not unique, making it easy to uncover millions of similar passwords for these older accounts. The top five passwords were: homelessspa, password1, abc123, myspace1, and 123456a (not very unique, right?).
Experts link the hack to a Russian hacker who goes by the online name “Peace.” This hacker has also compromised other platforms, such as LinkedIn and Tumblr, on a large scale.
6. eBay
Date: Late February 2014
Exposed Data: 145 million user accounts
eCommerce giant eBay was found vulnerable when hackers stole names, email addresses, physical addresses, phone numbers, birthdays, and encrypted passwords in late February. The hackers also obtained a few employee credentials, allowing them to access eBay’s corporate network. The breach went unnoticed for around a month.
All 145 million users were asked to change their passwords. No financial information was stolen. The threat in this breach is that around 31% of people reuse passwords, so credentials stolen from eBay could be used to gain access to other platforms and accounts.
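Because so many people reuse passwords, a site can limit the damage from other companies' breaches by refusing passwords that are already known to be leaked. The following Python example, added here and not part of the original article, shows the k-anonymity "range" scheme that Have I Been Pwned uses for this: the client hashes the candidate password with SHA-1, sends only the first five hex characters, receives every suffix sharing that prefix, and matches locally, so the full hash never leaves the client. The breach corpus is constructed from the Myspace passwords the article lists plus a few extras, with made-up counts; the function names are hypothetical.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus: the article's Myspace top five plus a few extras, with made-up counts.
BREACHED = {
    "homelessspa": 855_000,
    "password1": 2_300_000,
    "abc123": 1_900_000,
    "myspace1": 1_200_000,
    "123456a": 980_000,
    "letmein": 450_000,
}


def sha1_hex(password):
    """Uppercase hex SHA-1, the digest the range scheme is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached):
    """Server side: index the corpus by the first 5 hex characters of each SHA-1."""
    index = defaultdict(dict)
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        index[digest[:5]][digest[5:]] = count
    return index


def range_query(prefix, index):
    """Server side: return every (suffix -> count) sharing the prefix.

    The server learns only the 5-character prefix, which matches a large
    bucket of unrelated hashes, not the caller's password or its full hash.
    """
    return dict(index.get(prefix, {}))


def breach_count(password, index):
    """Client side: send the prefix, then match the remaining 35 characters locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_query(prefix, index).get(suffix, 0)


def acceptable_new_password(password, index, min_len=8):
    """Policy check for a password-change form: (accepted, reason)."""
    if len(password) < min_len:
        return False, "too short"
    if breach_count(password, index) > 0:
        return False, "appears in a known breach"
    return True, "ok"


if __name__ == "__main__":
    idx = build_range_index(BREACHED)
    for candidate in ("myspace1", "correct horse battery staple"):
        print(candidate, acceptable_new_password(candidate, idx))
```

In production the index lives on the breach-list provider's side and `range_query` is an HTTPS request; the property that matters is that `breach_count` only ever transmits `digest[:5]`, so a user's real password cannot be recovered from the query even by the service answering it.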
7. LinkedIn
Date: June 2012
Exposed Data: 117 million passwords
LinkedIn dropped the ball when over 117 million passwords were stolen following a 2012 breach. After the 2012 data breach, LinkedIn failed to put additional password security measures in place. Because of this oversight, LinkedIn later had to scramble to stop the perpetrators from sharing the passwords online, an effort that is typically unsuccessful for obvious reasons.
The company did reach out to affected members about the data breach. The message was one we’ve heard time and time again – “We take the safety and security of our members’ accounts seriously.”
The account information was being sold online for 5 Bitcoin and had already been released to multiple sources. A representative of the website LeakedSource reported that they received all of the records for free from a contact who got them from the Russians. For this reason, LinkedIn users should update their password and enable two-factor authentication where available.
8. MyFitnessPal
Date: February 2018
Exposed Data: 150 million users
The Under Armour-owned app MyFitnessPal had the personal information of around 150 million users stolen. This included usernames, email addresses, and scrambled passwords. The hack affected more than the users, as shares of MyFitnessPal plummeted by 3%.
Experts who follow data breaches such as the one that affected MyFitnessPal recommend a Zero Trust security model, which assumes that untrusted users exist both inside and outside the network. This approach is enforced by verifying every user, validating every device, limiting privileges, and learning user behaviors.
Even though Under Armour addressed the issue quickly, that doesn’t mean there were no consequences. Those consequences took the form of a drop in share price as well as danger to MyFitnessPal users. Organizations should stay on top of their security protocols and have effective measures in place to prevent these kinds of attacks from happening.
9. Twitter
Date: May 2018
Exposed Data: 32.8 million Twitter credentials
This hack was very suspicious with regard to the data that was collected. Twitter claims that the data did not come from its systems and that the hacker probably collected it elsewhere. There is also speculation that the data may not be current and may consist of outdated information.
Experts claim that the breach did not originate at Twitter but with malware that logged usernames and passwords from web browsers and sent them back to the hackers. The interesting thing about this (and a giveaway that the data was not stolen directly from Twitter) is that the passwords are in plaintext, with no hashing or encryption. Twitter most likely does not store passwords in plaintext the way Chrome and Firefox do.
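The reasoning above, that a dump full of plaintext passwords is unlikely to have come from a service's own password store, is something an incident responder can apply systematically when assessing a claimed breach. The Python example below is added here and is not from the article: it classifies the secret column of a constructed "email:secret" dump by the well-known storage formats (bcrypt, argon2, crypt-style, and bare hex digests) and summarises which origin the mix is more consistent with. The sample lines are constructed (the SHA-1 shown is the digest of the word "password"; the other digests and the bcrypt and argon2 strings are made-up values of the right shape), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample dump in "email:secret" form. No real leaked data.
SAMPLE_DUMP = """\
alice@example.com:password1
bob@example.com:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
carol@example.com:$2b$12$KIXQq3mV0p6V6k0zDaWb7uQk6yFz5n5V2w8e1r8Z9y1nCwz3e4x5y
dave@example.com:abc123
erin@example.com:e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a
frank@example.com:$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$aGFzaGhhc2hoYXNo
"""

# Ordered most-specific first; a 64-hex string must be tested before the 40- and 32-hex patterns.
HASH_PATTERNS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("argon2", re.compile(r"^\$argon2(?:i|d|id)\$")),
    ("pbkdf2/crypt-style", re.compile(r"^\$(?:pbkdf2|5|6)\$")),
    ("sha256-hex", re.compile(r"^[0-9a-fA-F]{64}$")),
    ("sha1-hex", re.compile(r"^[0-9a-fA-F]{40}$")),
    ("md5-hex", re.compile(r"^[0-9a-fA-F]{32}$")),
]


def classify_secret(value):
    """Label a secret by storage format; anything that matches no known format is treated as plaintext."""
    for name, pattern in HASH_PATTERNS:
        if pattern.match(value):
            return name
    return "plaintext"


def triage_dump(text):
    """Count the secret formats in an 'identifier:secret' dump."""
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        _, _, secret = line.partition(":")   # split on the first colon only; hashes may contain '$' but not ':'
        counts[classify_secret(secret.strip())] += 1
    return counts


def likely_source(counts):
    """Heuristic: a mostly-plaintext dump points to client-side theft, not a service's password store."""
    total = sum(counts.values())
    if total == 0:
        return "empty"
    plaintext_share = counts.get("plaintext", 0) / total
    return "client-side collection likely" if plaintext_share > 0.5 else "service-side store possible"


if __name__ == "__main__":
    summary = triage_dump(SAMPLE_DUMP)
    print(dict(summary), "->", likely_source(summary))
```

The hex patterns are a shape test only: a 40-hex string might be SHA-1 or something else of that length, and a short all-hex plaintext such as `abc123` is kept as plaintext only because its length matches no digest. The heuristic is a prompt for further investigation, not proof of origin, which is the same footing the experts' argument about the Twitter data stands on.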
Best practice is for users to use a unique password for every site they sign up for.
10. Deep Root Analytics
Date: June 2017
Exposed Data: 198 million citizens
Deep Root Analytics is a data analysis company that was hired by the Republican Party to gather and analyze information about voters. The gathered information, including personal details of over 198 million citizens, was then leaked. What’s worse, Deep Root faces a class-action lawsuit because of it.
The leaked information included names, emails, phone numbers, birthdays, Reddit browsing history, and voter ID numbers. This kind of data leaves voters vulnerable to identity theft and to manipulation if attackers decide to target voters based on their political interests.
The negligence of leaving the server unsecured will most likely put Deep Root out of business, a valuable lesson learned for other companies.
Companies can take many lessons away from these types of data breaches. One of the most obvious is encrypting and salting passwords. Surprisingly, many of the companies discussed above failed to encrypt or add extra security around their stored passwords. Leaving passwords vulnerable makes it easier for hackers to crack them and for users’ data to be abused online. Making sure your databases are locked down and training employees on proper procedures regarding data privacy and security can help to minimize threats.
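The password lesson above, and the FriendFinder and Myspace entries that motivate it, come down to one contrast: a fast unsalted digest such as SHA-1 lets one precomputed table reverse every user's hash at once, while a per-user random salt and a deliberately slow derivation do not. The Python example below, added here and not from the article or any of the companies discussed, shows both schemes side by side. The lookup is built only from the five Myspace passwords the article lists; the hardened side uses PBKDF2-HMAC-SHA256 from the standard library with the 600,000-iteration figure from OWASP's current guidance, and the storage string format and function names are hypothetical choices for this example.

```python
import hashlib
import hmac
import os

# Constructed sample: the five most common Myspace passwords the article lists.
COMMON_PASSWORDS = ["homelessspa", "password1", "abc123", "myspace1", "123456a"]


# --- Weak scheme: one fast, unsalted SHA-1 per password (what the article attributes to FriendFinder) ---

def sha1_unsalted(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup(wordlist):
    """Precomputed digest -> password table. Without a salt, one table reverses every user's hash."""
    return {sha1_unsalted(p): p for p in wordlist}


def reverse_unsalted(stored_hash, lookup):
    """Return the password behind an unsalted hash if it is in the table, else None."""
    return lookup.get(stored_hash)


# --- Hardened scheme: per-user random salt + slow PBKDF2-HMAC-SHA256 ---

ITERATIONS = 600_000   # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex (format is this example's own)."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    lookup = build_lookup(COMMON_PASSWORDS)
    print("unsalted SHA-1 of 'myspace1' reverses to:", reverse_unsalted(sha1_unsalted("myspace1"), lookup))
    a, b = hash_password("myspace1"), hash_password("myspace1")
    print("same password, two users, two different records:", a != b)
    print("verify correct:", verify_password("myspace1", a), "verify wrong:", verify_password("myspace2", a))
```

Two users with the same weak password get two different records, so a table built against one salt says nothing about another user, and each guess costs the attacker 600,000 HMAC computations instead of one. Storing the iteration count in the record is what lets a site raise it later without invalidating existing accounts. Where bcrypt or argon2 libraries are available they are the more common choice; PBKDF2 is used here because it ships with Python.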