Attending InfoSec?

Top 9 Data Breaches of 2018

When we last compiled a list of data breaches in 2015, choosing which ones to include didn’t pose much of a challenge. Three years later, the prevalence and scope of data breaches have surged to a point where keeping our list of major breaches to single digits was nearly impossible. There were so many to choose from, but we’ve narrowed it down to the top 9, and here they are.

Exactis – 340 Million Records

A marketing firm based in Florida, Exactis, was sitting on hundreds of millions of records at the time of the monumental breach. Approximately 340 million individual records were compromised, which contained identifying information including email addresses and home addresses, though not social security numbers. The leak outraged consumers, and Exactis is currently the defendant of a class action lawsuit over the data breach.

Under Armour – 150 Million Users

Under Armour announced in March that 150 million users of its popular food and nutritional app, MyFitnessPal, had their data compromised. Usernames, emails, and passwords were included in the breach; payment, location data, and birthday information were stored separately and not compromised. The most reassuring sign for consumers was how quickly Under Armour informed their users of the breach; the public disclosure took only a week.

Facebook –  87+ Million Users (Part 1)

While it’s impossible to know exactly how many Facebook users had their data breached, the number surpasses 87 million. American users alone constitute at least 70 million of those affected. Personal information was harvested by Cambridge Analytica, a political consulting firm later discovered to have worked with Donald Trump’s election team. Information was collected through a personality quiz given through an app called thisisyourdigitallife, which then scraped data about users and their Facebook friends.

Although Facebook had information that data was breached in 2015, it remained silent. Later, Facebook CEO Mark Zuckerberg was called to testify before Congress and acknowledged in a public apology that he had made a “huge mistake.”

Facebook –  50+ Million Users (Part 2)

Disaster struck again when hackers exploited multiple vulnerabilities in Facebook’s code to gain access to over 50 million accounts. Discovered on September 16th this year, it took the social media company more than a week to stop the attack. Stock immediately plummeted 2.6% upon revealing the hack and for the entire duration of the breach, hackers had access tokens which could be used to control millions of accounts.

MyHeritage – 92 Million Records

Disclosed in June, more than 92 million records of the online genealogy platform MyHeritage were leaked. The breach included emails and passwords, though MyHeritage was adamant that information about family trees and DNA profiles were protected on a different server. Since MyHeritage facilitates payments through a third party, payment information of users was not compromised.

Ticketfly – 26 Million Records

In late May/early June, the major ticket distribution site, Ticketfly, was disrupted for a week after a hacker exploited a vulnerability in the site’s security. The hacker had previously made an overture to Ticketfly offering to patch up their security in exchange for payment – an offer which Ticketfly did not accept. Their homepage displayed the personal information of Ticketfly employees and customers and all in all, more than 26 million records including phone numbers, billing addresses, and email addresses were breached.

Sacramento Bee – 19 Million Voting Records + 53,000 Subscribers

Two Sacramento Bee databases were breached by an anonymous hacker in January of 2018. One database contained personal information of 53,000 subscribers, while the other had voter registration data from the California Secretary of State. The voter registration data includes identifying information such as addresses, phone numbers, birthdays, and party affiliation of more than 19 million individuals. The hacker demanded a ransom in bitcoin which the Sacramento Bee decided not to pay.

T-Mobile – 2 Million Customers

T-Mobile is no stranger to data leaks. In 2015, 15 million T-Mobile customers were impacted by a breach of Experian, the consumer credit agency. In August, hackers gained access to names, email addresses, physical addresses, and other account information. Fortunately, this time around social security numbers and credit card data were not breached.

MBM Company – 1.3 Million Consumers

A Walmart partner which operates Limogés Jewelry, MBM left the personal data of 1.3 million consumers vulnerable through a poorly secured Amazon S3 bucket. Discovered by a security firm in March, the information had been exposed for two months including names, physical addresses, email addresses, passwords, payment details, and encrypted credit card numbers. According to Kromtech, which revealed the breach, the passwords of users were left in plain text for all to see.

Russian Grid Hacking – Hundreds of Power Plants

Not all data breaches involve consumer data. According to U.S. intelligence agencies, Russian state-sponsored hackers are working to infiltrate American power companies and have made progress which is highly concerning, to say the least. This year, Russian hackers made it into the control rooms of power plants, suggesting the potential to wreak havoc on America’s infrastructure.

What to Expect in 2019

Indeed, all of this – and more – went down within a single year. Looking ahead to 2019, we know that the issue of big data breaches is not a question of if but when. So gone are the days of a ‘wait and see’ approach. We advise continuing to prioritize doing diligence, being proactive in implementing a Digital Risk Protection solution, to make sure you’re ahead of the game.

Breaches are very much alive and well, and definitely in the works.

Uncover your compromised credentials from the deep and dark web

Fill in your business email to start