SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
NordVPN rounds up the worst data breaches of 2018
Wed, 9th Jan 2019

Last year, the information of over a billion people was compromised as many companies failed to protect user data.

From credit card skimming to bugs and ‘leaky’ backends, NordVPN digital privacy expert Daniel Markuson reviews the most significant and worst data breaches the world faced in 2018.

British Airways (380,000 accounts) 

380,000 transactions made between August 21st and September 5th were compromised on the British Airways (BA) website and app.

The attackers accessed customers' names, addresses, emails, and payment details.

The airline assured passengers that passport and travel details remained secure.

The technique used in this attack was a digital version of ‘credit card skimming’.

It allowed hackers to copy users' information as it was being typed into a data entry form.

Such attacks tend to target companies that have poor security.

In this case, hackers found a loophole in BA's booking page, injected malicious code, and instantaneously sent customer data to their own server.

The attack didn't involve hackers penetrating the servers, which is why they only managed to gather the information over a very specific time window, and why they got data not normally stored by the airline, like credit card CVV numbers.

Google+ (500,000 accounts)

A bug recently found in the Google+ platform gave third-party developers access to 500,000 accounts, which included users' full names, birth dates, genders, profile photos, occupations and even places where they lived.

What's surprising is that the bug wasn't noticed for three years.

Eventually, when Google found it and patched it, they decided not to inform the public because they feared another scandal like Cambridge Analytica's with Facebook.

Google says that 438 apps had access to sensitive information, but that there's no evidence that developers misused this data.

Unlike other social media platforms, Google+ struggled to get new users.

With the latest data leak, they decided to shut down the platform completely.

Ticket Fly, owned by Eventbrite (27 million accounts)

Ticket Fly, an event ticketing website, was hacked by a cybercriminal calling himself IsHaKdZ who stole the data from 27 million accounts.

The hacker broke into Ticket Fly's systems and replaced its homepage with an image from the ‘V for Vendetta’ film depicting the fictional British anarchist who protests against and fights a fascist government.

He then demanded a one bitcoin ransom from Ticket Fly and warned them that their security was poor, threatening to publish the database after his next attack.

However, even though the hack disrupted many events taking place in the US, the company refused to speak to the hacker or pay the ransom.

The hacker never released the data publicly, but Washington Post journalists spoke to the hacker and confirmed that the data was authentic.

Despite the havoc, the website was back up and running in about a week.

Uber (57 million users)

In November 2016, hackers accessed Uber's cloud servers and downloaded the data of almost 35 million users, including their full names, phone numbers, email addresses and the locations where they first signed up for the service.

Uber brushed it under the carpet and failed to notify its customers (and the 3.7 million drivers whose trip summaries, weekly payments, and even driver's license numbers were also exposed).

Instead, Uber paid the hacker a $100,000 ransom, called it a ‘bug bounty’, and waited for a year to start monitoring the affected accounts.

A lack of communication with their users and a failure to follow the procedures of the ‘bug bounty reward scheme’ resulted in Uber receiving a hefty fine of $148 million in the US and £385,000 in the UK.

UK Information Commissioner's Office investigations director Steve Eckersley says,

“This was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen.

“At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable. Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.”

Facebook (147 million accounts)

50 million users in March

Cambridge Analytica, a British political consulting firm, was given permission to use more than 50 million Facebook profiles for “research purposes.” However, they instead collected user information to create psychographic profiles to influence the US presidential campaign in 2016. This data mining and data analysis company was employed by Donald Trump and helped him shape and predict the votes.

90 million users in September

In September, the social media giant hit the headlines once again as they compromised the security of almost 90 million users.

A bug in Facebook's ‘View As’ feature was discovered that could be used to steal users' access tokens, which keep the user logged into a website or an app during a browsing session.

Access tokens do not store the user's password, so Facebook logged out everyone potentially affected to restore security.

However, hackers still managed to steal usernames, genders, and information about their hometowns.

Facebook claims that, so far, it hasn't noticed any suspicious behaviour on compromised accounts.

However, this doesn't mean that this data won't be used at a later date.

7 million users in December 

As if this wasn't enough to lose trust in Facebook, another bug was announced last month.

It appears that hundreds of third-party apps had unauthorised access to 7 million users' photos.

Worst of all, these included pictures people might have started uploading but never posted.

It's unknown whether anyone had seen these photos or used them in any malicious way. However, it shows once more how much data Facebook collects and how little control they have over their cybersecurity.

Facebook CEO Mark Zuckerberg says, “A lot of people who are worried about privacy and those kinds of issues will take any minor misstep that we make and turn it into as big a deal as possible. We realise that people will probably criticise us for this for a long time, but we just believe that this is the right thing to do.”

My Heritage (92 million users)

A company that can test people's DNA to find their ancestors and build their family trees leaked the email addresses and hashed passwords of over 92 million users.

The attack was noticed in June, when a security researcher found the company's user data sitting on a private server that did not belong to the company.

My Heritage stated that the most sensitive user data, such as their DNA info and family trees, is stored on separate systems that weren't compromised.

Quora (100 million users)

The question-and-answer website Quora was recently hacked, putting 100 million users at risk. Quora representatives said they had noticed that ‘a malicious third party’ had accessed sensitive information in Quora's database.

These cybercriminals gained access to nearly everything, from users' names and IP addresses to their Q&A history, access tokens, and private messages.

Quora claimed that none of their partners' financial information or any anonymous questions and answers had been affected.

The attack is under investigation, and no further comments have been made by the company.

Firebase (100 million users)

Firebase, a Google-owned development platform, leaked the sensitive information of over 100 million users.

The platform might not be well-known to everyone, but it's widely used by mobile developers.

Appthority researchers scanned 2.7 million iOS and Android apps that connect to and store their data on Firebase.

They found that over 3,000 of those apps were connected to a misconfigured database that could be accessed by anyone.

These apps with ‘leaky backends’ had been downloaded from the Google Play Store over 620 million times and could have exposed highly sensitive data, including user IDs, plaintext passwords, users' locations, bank details, bitcoin transactions, social media accounts, and even health records.

Google was notified of the ‘leaky’ apps and their backends.
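The misconfiguration behind the ‘leaky backends’ is a Firebase Realtime Database rules file that grants anonymous read or write access, typically at the root. The following audit script is an added example (not code from NordVPN, Appthority or Firebase): it walks a rules document and reports every path that is open to unauthenticated clients, using two constructed rule sets, the wide-open one the research describes and a locked-down replacement.

```python
import json

# Constructed sample rules files (not taken from the article): the open
# configuration behind the leaky backends, and a locked-down replacement.
OPEN_RULES = json.dumps({"rules": {".read": True, ".write": True}})
FIXED_RULES = json.dumps({
    "rules": {
        ".read": False,
        ".write": False,
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        },
        "public_config": {".read": True},
    }
})


def find_open_paths(rules_json):
    """Return a sorted list of (path, permission) pairs where a Realtime
    Database rule grants anonymous access. A rule counts as open when it is
    the literal true (or the string "true"); expressions referencing auth
    are treated as restricted. Rules cascade downwards: once a parent grants
    read or write, a child rule cannot revoke it, so a hit at the root means
    the whole database is exposed."""
    doc = json.loads(rules_json)
    hits = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for perm in (".read", ".write"):
            val = node.get(perm)
            if val is True or (isinstance(val, str) and val.strip().lower() == "true"):
                hits.append((path or "/", perm))
        for key, child in node.items():
            if not key.startswith("."):  # skip ".read"/".write"/".validate"
                walk(child, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return sorted(hits)


def is_world_exposed(rules_json):
    """True when the root itself is anonymously readable or writable."""
    return any(path == "/" for path, _ in find_open_paths(rules_json))
```

The fixed rules still deliberately leave `/public_config` readable, which the audit reports so that each remaining open path is a conscious decision rather than an accident.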

My Fitness Pal (150 million users)

At the beginning of the year, My Fitness Pal, a food and nutrition app owned by Under Armour, leaked the data of 150 million users.

Once the company noticed the breach, they notified their users in almost record time (compared to other companies): four days.

The company confirmed that hackers got hold of usernames, email addresses and hashed passwords.

My Fitness Pal stated that other information, such as credit card numbers, wasn't compromised because it was stored separately from generic user information.

It's unknown how hackers broke into the systems, but Under Armour is working with data security firms to investigate the attack and take precautionary measures to avoid similar break-ins in the future.

Twitter (330 million users)

Twitter rarely makes the headlines when it comes to data breaches, but this year was different. A security bug exposed 330 million users' passwords, all in plain text.

Twitter stated that there was an issue with their password hashing system.

It failed to hash passwords and was saving them in plain text.

Their investigators claimed that no one had actually accessed the data, but if any of the affected accounts had been hacked, their passwords would have been visible to the attacker.

That information could then be used to access other accounts.

Twitter has advised a number of users to change their passwords as a precautionary measure. The bug has now been fixed.

Marriott (500 million users)

The biggest data breach of the year (if not ever) exposed the data of half a billion users.

Marriott said that hackers broke into its booking system and had been accessing customer data for the previous four years.

This major data breach affected the following Starwood properties: St. Regis, Westin, Sheraton, Aloft, Le Meridien, Four Points, and W Hotels.

Marriott's hotel databases are separate and haven't been compromised.

Cybercriminals stole Starwood's customers' names, addresses, phone numbers, card numbers, passport numbers and even the information of where and who they were travelling with.

Because this information wasn't used for any known financial gain or identity theft, there are rumours that this could have been a state-sponsored attack.

A former British intelligence officer said that the aim of this attack could've been to get valuable information on spies, diplomats and military officials who've stayed in Marriott hotels over the years.

It's strange that the attack remained unnoticed for such a long time and that none of the information was monetised.