SecurityBrief New Zealand

NordVPN rounds up the worst data breaches of 2018

Wed 9 Jan 2019

Last year, the information of over a billion people was compromised as many companies failed to protect user data.

From credit card skimming to bugs and ‘leaky’ backends, NordVPN digital privacy expert Daniel Markuson reviews the most significant and worst data breaches the world faced in 2018. 

British Airways (380,000 accounts) 

380,000 transactions made between August 21st and September 5th were compromised on the British Airways (BA) website and app.

The attackers accessed customers’ names, addresses, emails, and payment details.

The airline assured passengers that passport and travel details remained secure.

The technique used in this attack was a digital version of ‘credit card skimming’.

It let the attackers copy customers’ information as it was being typed into a data entry form.

Such attacks tend to target companies that have poor security.

In this case, the attackers found a weakness in BA’s booking page, injected malicious code into it, and had that code send each customer’s form data to a server they controlled at the moment it was entered.

Because the attack didn’t involve penetrating BA’s servers, the attackers could only gather data during the window in which the injected code was live. It also explains why they obtained data the airline doesn’t normally store at all, such as card CVV numbers: the data was captured from the form itself, not from a database.

Google+ (500,000 accounts)

A bug recently found in the Google+ platform gave third-party developers access to 500,000 accounts, which included users’ full names, birth dates, genders, profile photos, occupations and even places where they lived.

What’s surprising is that the bug wasn’t noticed for three years.

Eventually, when Google found and patched it, the company decided not to inform the public, reportedly out of fear of a scandal like Facebook’s Cambridge Analytica affair.

Google says that 438 apps had access to sensitive information, but that there’s no evidence that developers misused this data.

Unlike other social media platforms, Google+ struggled to get new users.

After this data leak came to light, Google decided to shut the platform down completely.

Ticket Fly, owned by Eventbrite (27 million accounts)

Ticket Fly, an event ticketing website, was hacked by a cybercriminal calling himself IsHaKdZ, who stole the data of 27 million accounts.

The hacker broke into Ticket Fly’s systems and replaced its homepage with an image from the film ‘V for Vendetta’, depicting the film’s masked anarchist who fights a fascist British government.

He then demanded a one-bitcoin ransom from Ticket Fly, told the company its security was poor, and threatened to publish the database after his next attack.

However, even though the hack disrupted many events taking place in the US, the company refused to speak to the hacker or pay the ransom.

The hacker never released the data publicly, but Washington Post journalists spoke to the hacker and confirmed that the data was authentic.

Despite the havoc, the website was back up and running in about a week.

Uber (57 million users)

In October 2016 (a breach Uber disclosed only in November 2017), hackers accessed Uber’s cloud servers and downloaded the data of almost 35 million users, including their full names, phone numbers, email addresses and the locations where they first signed up for the service.

Uber brushed it under the carpet and failed to notify its customers (and the 3.7 million drivers whose trip summaries, weekly payments, and even driver’s license numbers were also exposed).

Instead, Uber paid the hacker a $100,000 ransom, called it a ‘bug bounty,’ and waited for a year to start monitoring the affected accounts.

Uber’s failure to inform its users, and its misuse of the bug bounty programme to pay the attackers off, resulted in hefty fines of $148 million in the US and £385,000 in the UK.

UK Information Commissioner’s Office (ICO) investigations director Steve Eckersley says,

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen.

“At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable. Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.”

Facebook (147 million accounts)

50 million users in March

Cambridge Analytica, a British political consulting firm, was given permission to use data from more than 50 million Facebook profiles for “research purposes.” Instead, it used the information to build psychographic profiles intended to influence the 2016 US presidential election. The data mining and analysis firm was employed by Donald Trump’s campaign, which used the profiles to target and predict votes.

90 million users in September

In September, the social media giant hit the headlines once again when a bug compromised the security of almost 90 million users.

A bug in Facebook’s ‘View As’ feature was discovered that could be used to steal users’ access tokens, the credentials that keep a user logged into a website or an app between requests without re-entering a password.

Access tokens are not the user’s password, so invalidating them was enough to cut off the attackers: Facebook reset the tokens of everyone potentially affected, logging them all out, to restore security.

Before the reset, however, the attackers had already managed to steal usernames, genders, and information about users’ hometowns.

Facebook claims that, so far, it hasn’t noticed any suspicious behaviour on compromised accounts.

However, this doesn’t mean that this data won’t be used at a later date.

7 million users in December 

As if this wasn’t enough to lose trust in Facebook, another bug was announced last month.

It appears that hundreds of third-party apps had unauthorised access to 7 million users’ photos.

Worst of all, these included pictures people might have started uploading but never posted.

It’s unknown whether anyone had seen these photos or used them in any malicious way. However, it shows once more how much data Facebook collects and how little control they have over their cybersecurity.

Facebook CEO Mark Zuckerberg says, “A lot of people who are worried about privacy and those kinds of issues will take any minor misstep that we make and turn it into as big a deal as possible. We realise that people will probably criticise us for this for a long time, but we just believe that this is the right thing to do."

My Heritage (92 million users)

My Heritage, a company that tests people’s DNA to find their ancestors and build their family trees, leaked the email addresses and hashed passwords of over 92 million users.

The breach came to light in June, when a security researcher found a file containing the users’ data on a private server that doesn’t belong to the company and alerted My Heritage.

My Heritage stated that the most sensitive user data, such as their DNA info and family trees, is stored on separate systems that weren’t compromised.

Quora (100 million users)

The question-and-answer website Quora was recently hacked, putting 100 million users at risk. Quora representatives said they’d noticed that ‘a malicious third party’ had accessed sensitive information in Quora’s database.

These cybercriminals gained access to nearly everything, from users’ names and IP addresses to their Q&A history, access tokens, and private messages.

Quora claimed that none of their partners’ financial information or any anonymous Q&As had been affected.

The attack is under investigation, and no further comments have been made by the company.

Firebase (100 million users)

Apps built on Firebase, a Google-owned mobile development platform, leaked the sensitive information of over 100 million users.

The platform might not be well-known to everyone, but it’s widely used by mobile developers.

Appthority researchers scanned 2.7 million iOS and Android apps for connections to Firebase databases.

They found over 3,000 apps connected to databases whose access rules let anyone on the internet read them, with no authentication at all.

These apps with ‘leaky backends’ had been downloaded from the Google Play Store over 620 million times and could have exposed highly sensitive data, including user IDs, plaintext passwords, users’ locations, bank details, bitcoin transactions, social media account details, and even health records.

Google was notified of the ‘leaky’ apps and their backends, though the fix sits with each app’s developer: the access rules belong to the app’s own database, not to Firebase itself.
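
The question behind that finding is a simple one to put to a Firebase Realtime Database rules document: can a client with no credentials read a given path? The checker below is added here and is not code from the article, Appthority or Google. It walks a rules document the way Firebase does (a `.read` grant at any ancestor makes the whole subtree readable, and the default is deny) and evaluates only the subset of the rules language used in the two constructed policies: boolean literals, `auth != null`, `auth.uid == $variable`, and `&&`. The policies and the path are constructed for the demonstration.

```javascript
// Added example: not code from the article, Appthority or Google. A small
// checker for Firebase Realtime Database security rules: can an
// unauthenticated client read a path? Supports only boolean literals,
// `auth != null`, `auth.uid == $variable` and `&&`. Policies and paths are
// constructed for the demo.

// Evaluate one ".read" expression against an auth context (null when the
// request carries no credentials) and the $variables bound so far.
function evalRule(expr, auth, vars) {
  if (typeof expr === 'boolean') return expr;
  return expr.split('&&').map(s => s.trim()).every(clause => {
    if (clause === 'true') return true;
    if (clause === 'false') return false;
    if (clause === 'auth != null') return auth !== null;
    const m = /^auth\.uid\s*==\s*(\$\w+)$/.exec(clause);
    if (m) return auth !== null && auth.uid === vars[m[1]];
    throw new Error(`unsupported rule clause: ${clause}`);
  });
}

// Firebase grants cascade downward: a ".read" that is true at any ancestor
// makes the whole subtree readable, and deeper rules cannot take it back.
// With no grant anywhere along the path, the default is deny.
function canRead(rulesDoc, path, auth) {
  let node = rulesDoc.rules;
  const vars = {};
  const grants = n => n['.read'] !== undefined && evalRule(n['.read'], auth, vars);
  if (grants(node)) return true;
  for (const seg of path.split('/').filter(Boolean)) {
    let next = node[seg];
    if (next === undefined) {
      const wildcard = Object.keys(node).find(k => k.startsWith('$'));
      if (!wildcard) return false;          // no rules below: deny
      vars[wildcard] = seg;                  // bind e.g. $uid = "alice"
      next = node[wildcard];
    }
    node = next;
    if (grants(node)) return true;
  }
  return false;
}

// The weak policy behind a leaky backend: the whole tree is world-readable
// (and world-writable).
const WEAK = { rules: { '.read': true, '.write': true } };

// Corrected: each signed-in user reads and writes only their own subtree.
const FIXED = {
  rules: {
    users: {
      $uid: {
        '.read': 'auth != null && auth.uid == $uid',
        '.write': 'auth != null && auth.uid == $uid',
      },
    },
  },
};

function audit() {
  const path = '/users/alice/health_records';
  return {
    weakAnonymous: canRead(WEAK, path, null),            // true: the leak
    fixedAnonymous: canRead(FIXED, path, null),          // false
    fixedOwner: canRead(FIXED, path, { uid: 'alice' }),  // true
    fixedOtherUser: canRead(FIXED, path, { uid: 'bob' }),// false
    fixedRootAnonymous: canRead(FIXED, '/', null),       // false
  };
}

console.log(audit());
```

The live equivalent of `weakAnonymous` is an unauthenticated GET of `/.json` on the project’s database host: under the weak policy the whole tree comes back, under the corrected one Firebase returns a permission-denied error. Firebase’s console also ships a rules simulator for exactly these what-if questions.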

My Fitness Pal (150 million users)

At the beginning of the year, My Fitness Pal, a food and nutrition app owned by Under Armour, leaked the data of 150 million users.

Once the company noticed the breach, they notified their users in almost record time (compared to other companies): four days.

The company confirmed that hackers got hold of usernames, email addresses and hashed passwords.

My Fitness Pal stated that other information, such as credit card numbers, wasn’t compromised because it was stored separately from generic user information.

It’s unknown how hackers broke into the systems, but Under Armour is working with data security firms to investigate the attack and take precautionary measures to avoid similar break-ins in the future.

Twitter (330 million users)

Twitter rarely makes the headlines when it comes to data breaches, but this year was different. A bug led to 330 million users’ passwords being stored in plain text.

Twitter said the problem was in its password hashing process.

Before each password was hashed, the bug wrote it to an internal log, so the plain-text password was kept there even though the stored credential itself was properly hashed. (Passwords should be hashed rather than encrypted: a hash can’t be reversed to recover the password, which is what protects users when a database leaks.)

Twitter’s investigation found no evidence that anyone had accessed or misused the log, but had it been exposed, the passwords would have been visible to the attacker in the clear, and any password reused elsewhere could then have been used to access other accounts.

Twitter advised users to change their passwords, there and on any other service where they had reused them, as a precaution. The bug has since been fixed.

Marriott (500 million users)

The biggest data breach of the year exposed the data of up to half a billion guests.

Marriott said that attackers had broken into its Starwood guest reservation system and had had access to customer data since 2014, four years before the intrusion was discovered.

This major data breach affected the following Starwood properties: St. Regis, Westin, Sheraton, Aloft, Le Meridien, Four Points, and W Hotels.

Marriott’s own hotel brands use a separate reservation system, which the company said wasn’t compromised.

Cybercriminals stole Starwood customers’ names, addresses, phone numbers, payment card numbers, passport numbers and even details of where and with whom they were travelling.

Because the data hasn’t surfaced in any known fraud or identity theft, it has been suggested that this was a state-sponsored attack.

A former British intelligence officer said the aim of the attack could have been to gather valuable information on spies, diplomats and military officials who have stayed in Marriott hotels over the years.

It’s striking that the intrusion remained unnoticed for so long and that none of the information was monetised.
